Security News > 2022 > January > Critical Bugs in Control Web Panel Expose Linux Servers to RCE Attacks
Researchers have disclosed details of two critical security vulnerabilities in Control Web Panel that could be abused as part of an exploit chain to achieve pre-authenticated remote code execution on affected servers.
Tracked as CVE-2021-45467, the issue concerns a case of a file inclusion vulnerability, which occurs when a web application is tricked into exposing or running arbitrary files on the web server.
Control Web Panel, previously CentOS Web Panel, is an open-source Linux control panel software used for deploying web hosting environments.
Php" - fail to adequately validate a path to a script file, according to Octagon Security's Paulos Yibelo, who discovered and reported the flaws.
This not only allows a bad actor to access restricted API endpoints, it can be used in conjunction with an arbitrary file write vulnerability to gain full remote code execution on the server as follows -.
Send a null byte powered file inclusion payload to add malicious API key.
News URL
https://thehackernews.com/2022/01/critical-bugs-in-control-web-panel.html
Related news
- Apache Tomcat Vulnerability CVE-2024-56337 Exposes Servers to RCE Attacks (source)
- Hackers exploit critical Aviatrix Controller RCE flaw in attacks (source)
- Critical SimpleHelp Flaws Allow File Theft, Privilege Escalation, and RCE Attacks (source)
- New Cleo zero-day RCE flaw exploited in data theft attacks (source)
- Apache issues patches for critical Struts 2 RCE bug (source)
- Cleo patches critical zero-day exploited in data theft attacks (source)
- New IOCONTROL malware used in critical infrastructure attacks (source)
- CISA confirms critical Cleo bug exploitation in ransomware attacks (source)
- Iran-linked crew used custom 'cyberweapon' in US critical infrastructure attacks (source)
- FBI spots HiatusRAT malware attacks targeting web cameras, DVRs (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-12-26 | CVE-2021-45467 | Unspecified vulnerability in Control-Webpanel Webpanel In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, an unauthenticated attacker can use %00 bytes to cause /user/loader.php to register an arbitrary API key, as demonstrated by a /user/loader.php?api=1&scripts= .%00./.%00./api/account_new_create&acc=guadaapi URI. | 9.8 |