BID:22474

CPanel PassWDMySQL Cross-Site Scripting Vulnerability

Info

CPanel PassWDMySQL Cross-Site Scripting Vulnerability

Bugtraq ID:	22474
Class:	Input Validation Error
CVE:	CVE-2007-0890
Remote:	Yes
Local:	No
Published:	Feb 08 2007 12:00AM
Updated:	May 12 2015 07:34PM
Credit:	s3rv3r_hack3r is credited with the discovery of this vulnerability.
Vulnerable:	cPanel cPanel 11.0 cPanel cPanel 10.9 cPanel cPanel 10.8.2 118 cPanel cPanel 10.8.1 113 cPanel cPanel 10.8.1 (build 84) cPanel cPanel 10.6 .0-R137 cPanel cPanel 10.2 .0-R82 cPanel cPanel 9.9.1 -R3 cPanel cPanel 9.4.1 -R64 cPanel cPanel 9.1 .0-R85 cPanel cPanel 9.1 cPanel cPanel 9.0 cPanel cPanel 8.0 cPanel cPanel 7.0 cPanel cPanel 6.4.2 .STABLE_48 cPanel cPanel 6.4.2 cPanel cPanel 6.4.1 cPanel cPanel 6.4 cPanel cPanel 6.2 cPanel cPanel 6.0 cPanel cPanel 5.3 cPanel cPanel 5.0 cPanel cPanel 11 beta cPanel cPanel 11

Not Vulnerable:

Discussion

Exploit / POC

CPanel PassWDMySQL Cross-Site Scripting Vulnerability

An attacker can exploit this issue by enticing an unsuspected vicitim to follow a malicious URI.

The following proof-of-concept URI is available:

http://www.example.com/scripts/passwdmysql?password=[xss]&user=root&submit=Change+Password

Solution / Fix

CPanel PassWDMySQL Cross-Site Scripting Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

References

CPanel PassWDMySQL Cross-Site Scripting Vulnerability

References:

cPanel Homepage (cPanel)
local bug :[xxs] in whm ([email protected])