CVE-2021-45467 Scanner

Control Web Panel, also known as CWP and previously known as CentOS Web Panel, is a popular web hosting control panel. Used by web hosting companies, individual server administrators, and businesses, it provides a graphical interface to manage various server functions. CWP facilitates tasks like file management, database management, and web server configuration through its user-friendly interface. It is typically deployed on Linux servers and is widely adopted due to its rich feature set and ease of use. The software is used worldwide for managing shared hosting, virtual private servers (VPS), and dedicated servers. CWP is recognized for its ability to simplify server management while offering robust performance.

The Local File Inclusion (LFI) vulnerability detected in Control Web Panel (CWP) version before 0.9.8.1107 can be exploited by remote, unauthenticated attackers. This vulnerability arises due to improper input validation, allowing attackers to utilize null byte injection with the "scripts" parameter. Through crafted HTTP requests, attackers can include or read sensitive files from the server's filesystem, potentially leading to unauthorized data exposure. The vulnerability allows attackers to leverage specific endpoints like /user/loader.php and /user/login.php for their malicious activities. Such security gaps can be exploited for unauthorized access, privilege escalation, and extensive information gathering. Consequently, successful exploitation of this vulnerability profoundly impacts the confidentiality, integrity, and availability of affected systems.

The technical details involve leveraging null byte (%00) injection in HTTP requests targeting the "scripts" parameter of specific CWP endpoints. Attackers craft requests with sequences of %00 to traverse directory structures, such as using paths like .%00./.%00./api/account_new_create. This abuse allows inclusion of sensitive files like /etc/passwd, exposing critical system information. Key vulnerable endpoints include /user/loader.php and /user/login.php, where the application's input validation fails to prevent crafted exploitation requests. Unchecked inclusion of arbitrary files enables attackers to manipulate server operations, potentially leading to server-wide compromise. The ability to register unauthorized API keys heightens this threat, granting attackers further control over the application.

Exploitation of this vulnerability can lead to severe consequences including server compromise and data breaches. Attackers can gain unauthorized access to sensitive files, potentially escalating privileges to achieve full control over the server. Compromised systems may allow further exploitation, such as remote code execution, enabling attackers to deploy malware or launch additional attacks against other network infrastructures. The exposure of confidential data, including system credentials and proprietary information, poses significant risks to affected organizations. Such breaches can result in financial losses, reputational damage, and increased liability.

REFERENCES

• https://octagon.net/blog/2022/01/22/cve-2021-45467-cwp-centos-web-panel-preauth-rce/
• https://nvd.nist.gov/vuln/detail/CVE-2021-45467