Critical vulnerability in cPanel; thousands of websites affected

Cybersecurity specialists report the detection of remote code execution (RCE) and privilege escalation vulnerabilities in cPanel & WHM, the popular web hosting platform. According to the report, these flaws can be exploited through a known cross-site scripting (XSS) vulnerability, which would put some 170 thousand websites at risk.

In their tests, the experts demonstrated exploitation of the RCE vulnerability by chaining it with a WebSocket hijacking attack, which is possible because the tool does not verify the Origin header of WebSocket requests. The attack was demonstrated in Firefox by specialists from the security firm Fortbridge.
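The missing check described above, written out as an added example (not cPanel's or Fortbridge's code): a server-side validation of the Origin header on a WebSocket upgrade request. The host name, port, path and allow-list are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the only origin whose pages may open the socket.
ALLOWED_ORIGINS = {("https", "panel.example.test", 2087)}
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_headers(raw_request):
    """Return (lowercased name, value) pairs from a raw HTTP request head."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def origin_allowed(raw_request, allowed=ALLOWED_ORIGINS):
    """Return True only if the upgrade request carries one allow-listed Origin."""
    origins = [v for n, v in parse_headers(raw_request) if n == "origin"]
    # Browsers send exactly one Origin on a WebSocket handshake. Zero, several,
    # or the opaque value "null" are all rejected.
    if len(origins) != 1 or origins[0] == "null":
        return False
    try:
        parts = urlsplit(origins[0])
        port = parts.port  # raises ValueError on an out-of-range port
    except ValueError:
        return False
    if port is None:
        port = DEFAULT_PORTS.get(parts.scheme)
    # A serialized origin is scheme://host[:port] with nothing else attached.
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return False
    # Exact tuple match: prefix or substring matching would accept look-alike
    # hosts such as panel.example.test.attacker.test.
    return (parts.scheme, (parts.hostname or "").lower(), port) in allowed


def handshake(*origins):
    """Build a constructed WebSocket upgrade request with the given Origin values."""
    lines = ["GET /websocket HTTP/1.1", "Host: panel.example.test:2087",
             "Upgrade: websocket", "Connection: Upgrade",
             "Sec-WebSocket-Version: 13"]
    lines += ["Origin: " + o for o in origins]
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    for o in ("https://panel.example.test:2087", "https://attacker.test"):
        print(o, "->", origin_allowed(handshake(o)))
```

An Origin check only protects sessions running in a browser, because a non-browser client can send any Origin value it likes; it complements authentication on the socket and does not replace it.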

So far the hosting company has not fixed the flaws, arguing that threat actors must be authenticated to exploit the vulnerability: “The Locale interface can only be used by root and Super Privilege resellers to whom the root must grant this specific ACL,” says a company report.

According to cPanel, the Locale interface can only be used by resellers with root and Super Privilege access, a privilege that is tagged with a warning icon in the WHM server manager interface and noted in the cPanel documentation: “When you expand this icon, it is explained to the server administrator that you will be allowed to insert HTML into this interface, as many of our customers hope to be able to do,” the security alert adds.

Still, Fortbridge experts believe that cPanel could have at least fixed the XSS flaw while maintaining the desired functionality: “Users don’t usually read the documentation for those implementations, plus not everyone has mastered basic cybersecurity concepts, so in certain cases they could make incorrect decisions. Ideally, technological implementations should be secure by default.”

In this regard, cPanel security officer Cory McIntire mentions that, for their protection, server administrators would simply have to remove any locale Super Privilege granted to untrusted resellers: “We appreciate Fortbridge’s cooperation in the responsible disclosure of these errors and hope that the information published by our security teams will be functional for administrators,” concludes McIntire.
