Info

Disclosure

Mar 13, 2004

Discovery

Mar 12, 2004

Dates

Exploit

Mar 13, 2004

Solution

Unknown

Description

cPanel contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "account" variable upon submission to the "ignorelist.html" script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

cPanel, Inc.

cPanel

9.1.0-RELEASE 57

References

Bugtraq ID: 10002 21142
Secunia Advisory ID: 11244 22984
ISS X-Force ID: 15671
CVE ID: 2004-1875 (see also: NVD)
Related OSVDB ID: 4208 4209 4210 4212 4213 4214 4215 4243
VUPEN Advisory: ADV-2006-4658
Mail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=108066561608676&w=2
Other Advisory URL: http://www.aria-security.com/forum/showthread.php?t=30
http://www.cirt.net/advisories/cpanel_xss.shtml
Vendor URL: http://www.cpanel.net/

Credit

Sullo - sullocirt.net - cirt.net

Direct URL: http://osvdb.org/4211