Three vulnerabilities in Seapanel’s Linux web hosting tools package

A business that has been more than 20 years in the web hosting industry… has been the basis of more than 70 million domains,
revealing a total of three faults, including a two-factor authentication bypass flaw… It seems it was not used for assaults.

11:32 GMT, Thursday, November 26, 2020

A fix for three vulnerabilities reported last week in cPanel & WebHost Manager has been published by CPanel (WHM). It is said that one of these flaws is very risky because it makes it easy to overcome the two-factor authentication method.

The ‘Seapanel & WHM’ in question is a kit that gathers web hosting resources for Linux and enables separate web hosting and management activities to be performed automatically by both hosting firms and users. There are actually more than 70 million domains launched as ‘Seapanel & WHM’ focused on Seapanel’s hand.

A security firm, Digital Protection, discovered the two-factor authentication bypass flaw, which is considered the most important concern, and has a feature that helps attackers to attack brute force. It is said that any attacker who has learned or understands login credentials will break through this loophole within minutes through the two-factor authentication method.

The CVSS ranking, however is 4.3, which is not a high score. “The key to this vulnerability is that you can try the second authentication multiple times while knowing your credentials in advance,” Seapanel said, “We set a limit on the number of substitutions of the second authentication factor,” explained the patch path. 11.92.0.3, 11.90.0.17, and 11.86.0.32 were analyzed as insecure models.

It was found that these models have more issues. URL parameter injection was further discovered to be feasible. This is due to the manner in which numerous interfaces build Unified Resource Identifiers (URIs). In the URI request parameter, we use user-supplied data when generating URIs, and URL encoding is triggered, not URI encoding. In other words, it may lead to consequences that vary from what the consumer was planning.

In reality, a ‘self-XSS vulnerability’ was also found. The WHM Transfer Tool interface was the precise location of the vulnerability. The essence of the dilemma is that HTML code will also be injected when the error message is not encoded properly. Versions 11.92.0.2 and 11.90.0.17 have detected this weakness.

“Seapanel announced the details and patches of these vulnerabilities together and said The security specialists inside Seapanel and developers working together to find and fix the issue separately from the outside worked together. There is no reason to assume that it was violent.