Security News > 2022 > January > Critical Bugs in Control Web Panel Expose Linux Servers to RCE Attacks
Researchers have disclosed details of two critical security vulnerabilities in Control Web Panel that could be abused as part of an exploit chain to achieve pre-authenticated remote code execution on affected servers.
Tracked as CVE-2021-45467, the issue concerns a case of a file inclusion vulnerability, which occurs when a web application is tricked into exposing or running arbitrary files on the web server.
Control Web Panel, previously CentOS Web Panel, is an open-source Linux control panel software used for deploying web hosting environments.
Php" - fail to adequately validate a path to a script file, according to Octagon Security's Paulos Yibelo, who discovered and reported the flaws.
This not only allows a bad actor to access restricted API endpoints, it can be used in conjunction with an arbitrary file write vulnerability to gain full remote code execution on the server as follows -.
Send a null byte powered file inclusion payload to add malicious API key.
News URL
https://thehackernews.com/2022/01/critical-bugs-in-control-web-panel.html
Related news
- Hackers exploit critical Aviatrix Controller RCE flaw in attacks (source)
- Critical SimpleHelp Flaws Allow File Theft, Privilege Escalation, and RCE Attacks (source)
- Critical RCE bug in Microsoft Outlook now exploited in attacks (source)
- Over 660,000 Rsync servers exposed to code execution attacks (source)
- SAP fixes critical vulnerabilities in NetWeaver application servers (source)
- Critical SimpleHelp vulnerabilities fixed, update your server instances! (source)
- Critical Flaws in WGS-804HPT Switches Enable RCE and Network Exploitation (source)
- SonicWall warns of SMA1000 RCE flaw exploited in zero-day attacks (source)
- Zyxel CPE devices under attack via critical vulnerability without a patch (CVE-2024-40891) (source)
- Unpatched PHP Voyager Flaws Leave Servers Open to One-Click RCE Exploits (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-12-26 | CVE-2021-45467 | Unspecified vulnerability in Control-Webpanel Webpanel In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, an unauthenticated attacker can use %00 bytes to cause /user/loader.php to register an arbitrary API key, as demonstrated by a /user/loader.php?api=1&scripts= .%00./.%00./api/account_new_create&acc=guadaapi URI. | 9.8 |