CPanel Multiple HTML Injection Vulnerabilities

Bugtraq ID:	21387
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Dec 01 2006 12:00AM
Updated:	Dec 08 2006 05:29PM
Credit:	The Aria-Security Team is credited with the discovery of these vulnerabilities.
Vulnerable:	cPanel cPanel 11 Beta
Not Vulnerable:

CPanel Multiple HTML Injection Vulnerabilities

Attackers can exploit these issues via a web client.

The following proof-of-concept URIs are available:

http://www.example.com:2082/frontend/x3/mail/manage.html?account=HTML-Injection
http://www.example.com:2082/frontend/x3/mail/pops.html?domain=HTML-Injection
http://www.example.com:2082/frontend/x3/cpanelpro/dohtaccess.html?dir=HTML-Injection
http://www.example.com:2082/frontend/x3/err/erredit.html?dir=HTML-Injection

CPanel Multiple HTML Injection Vulnerabilities

Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected]:[email protected].

CPanel Multiple HTML Injection Vulnerabilities

References:

• cPanel Homepage (cPanel)
  
• [Aria-Security Team] cPanel 11 pops.html Cross-Site Scripting (Aria-Security Team)
  
• Web Hosting Control Panel - cPanel 11 Multiple Cross-Site Scripting Vulnerabilit (Aria-Security Team)