CVE-2023-29489 - Critical XSS Vulnerability in cPanel (before 11.109.9999.116) Exposing cpsrvd Error Page to Attacks

A critical Cross-Site Scripting (XSS) vulnerability (CVE-2023-29489) has been discovered in cPanel, the popular web hosting management platform, affecting versions before 11.109.9999.116. This vulnerability allows attackers to execute malicious scripts in the victim's browser by exploiting the cpsrvd error page through an invalid webcall ID, which has been assigned the identifier SEC-669.

In this post, we'll discuss the details of this vulnerability, how to reproduce the issue, and provide information on how to resolve it. We will also include code snippets and links to the original references for better understanding.

Exploit Details

The vulnerability resides in the cpsrvd error page, which can be triggered by an invalid webcall ID. An attacker can craft a URL containing malicious JavaScript code that, when visited by an unsuspecting user, executes the payload in the user's browser, potentially leading to a variety of attack scenarios, such as stealing sensitive data or hijacking user sessions.

The following code snippet demonstrates a simple proof-of-concept utilizing this vulnerability

http://[TARGET_CPSRVD]/error.html?invalid_webcall_id=<script>alert(document.cookie)</script>;

In this example, the "TARGET_CPSRVD" would be replaced with the vulnerable cPanel server's domain or IP address. The "alert(document.cookie)" is the payload, which will be executed in the user's browser when visiting the crafted URL.

Original References

The vulnerability was first disclosed on the cPanel public forums (link to the reference: https://forums.cpanel.net/threads/sec-669-cve-2023-29489-critical-xss-vulnerability-in-cpsrvd-error-page.684441/) and tracked as CVE-2023-29489 in the NVD (National Vulnerability Database) as well as in cPanel's internal system as SEC-669.

Resolution

In order to protect your cPanel server and user accounts from this critical vulnerability, you must update your cPanel installation to one of the fixed versions:

11.102..31

These versions include security patches that specifically address this XSS vulnerability and mitigate the potential risk. If you are unable to update your cPanel installation to one of the fixed versions, it's strongly recommended to apply the following workaround:

Conclusion

The CVE-2023-29489 XSS vulnerability poses a significant risk to cPanel servers and their user accounts due to the potential for data theft and session hijacking. As a web hosting provider or cPanel server administrator, it is crucial to take immediate action in patching the vulnerability by updating to a fixed version or implementing the recommended workaround.

Remaining vigilant and staying up-to-date with the latest security patches is essential to keeping your servers and clients secure.

Timeline

Published on: 04/27/2023 21:15:00 UTC
Last modified on: 05/05/2023 18:12:00 UTC