Activity log for bug #1557225

Date | Who | What changed | Old value | New value | Message
2016-03-15 00:03:50 | Kyle Lovett | bug | | | added bug
2016-03-15 00:03:50 | Kyle Lovett | attachment added | | ehcp.txt https://bugs.launchpad.net/bugs/1557225/+attachment/4599315/+files/ehcp.txt |
2016-03-30 19:34:53 | Kyle Lovett | information type | Private Security | Public |
2016-03-30 19:36:58 | Kyle Lovett | description

New value:

EHCP Easy Hosting Control Panel Multiple Vulnerabilities -
  Clear Text MySQL Root Password
  Insufficiently Protected Sensitive Data
  Authentication Bypass

Please let me know if you need further information. I will be disclosing this in 45 days, unless you need more time to fix.

(Edit: Developer has no timeline for fix. Publicly disclosed March 30. http://www.securityfocus.com/archive/1/537922 )

Software Links:
https://launchpad.net/ehcp
http://www.ehcp.net
https://sourceforge.net/p/ehcp/wiki/

--------------------------------------------------------------------------------------------
Description:

ehcp is a hosting control panel, for multiple domains on single machine. easily installable, easy usage, non-complex, functional. homepage: http://www.ehcp.net

* automatically installs and works: dns, apache, mysql, ftp, email, domains and auto update

--------------------------------------------------------------------------------------------
CWE-256: Plaintext Storage of a Password
CWE-522: Insufficiently Protected Credentials
CWE-200: Information Exposure
CWE-592: Authentication Bypass Issues

Access : Remote (All Vulnerabilities)
Complexity : Low (All Vulnerabilities)

Currently, many resellers are using this software to manage multiple customer domains, which in many cases also exposes ssh and mysql ports to the outside world.

All known versions between 0.29 and 0.37.9 are affected. Earlier versions may be impacted as well.

ver 0.37.9
ver 0.30.6
ver 0.29.15
ver 0.29.13

--------------------------------------------------------------------------------------------
#1 Plaintext Storage of a Password

By browsing directly to http://<IP>/ehcp/ehcpbackup.php sensitive information regarding the web server, local OS and SQL DB are exposed without authentication. This includes MySQL root password in clear text. These credentials can be used to log directly into PHPMYADMIN.

The ehcpbackup.php file also exposes the dir listing of the ehcp directory, local file paths, all databases and domains associated with that EHCP build as well as domain usernames.

As with almost every file in the EHCP software suite, the permissions are set to -rw-r--r--

http://<IP>/ehcp/ehcpbackup.php

Access : Remote
Complexity : Low
Impact : Complete

CWE-256: Plaintext Storage of a Password
CWE-200: Information Exposure
CWE-592: Authentication Bypass Issues

--------------------------------------------------------------------------------------------
#2 Unauthenticated File upload

Unauthenticated file upload

By browsing to any of the following four URLs, a remote attacker can upload any file which then is stored in a directory called /phptmpdir/ . It does not appear to validate either the user uploading nor the file type.

http://<IP>/ehcp/test/up2.php
http://<IP>/ehcp/test/upload2.php
http://<IP>/ehcp/test/upload.php
http://<IP>/ehcp/test/up.php

Access : Remote
Complexity : Low
Impact :

CWE-592: Authentication Bypass Issues
CWE-434: Unrestricted Upload of File

--------------------------------------------------------------------------------------------
#3 Information Disclosure

The following URL pathways can be remotely browsed to without authentication. They all give various amounts of information disclosure which exposes almost all of the underworking directory and functions of the Hosting software, SQL tables and database queries.

http://<IP>/ehcp/ehcp_postfix.sh
http://<IP>/phpsysinfo
http://<IP>/ehcp/apache_default.conf
http://<IP>/ehcp/apachehcp_auth.conf
http://<IP>/ehcp/apachehcp.conf
http://<IP>/ehcp/apachehcp_passivedomains.conf
http://<IP>/ehcp/apachehcp_subdomains.conf
http://<IP>/ehcp/apache_subdomain_template
http://<IP>/ehcp/apache_subdomain_template_ipbased
http://<IP>/ehcp/apachetemplate
http://<IP>/ehcp/apachetemplate_ipbased
http://<IP>/ehcp/apachetemplate_passivedomains
http://<IP>/ehcp/ehcp-apt-get-install.log
http://<IP>/ehcp/ehcpbackup.php
http://<IP>/ehcp/ehcpdaemon2.sh
http://<IP>/ehcp/install_log.txt
http://<IP>/ehcp/install.sh
http://<IP>/ehcp/LocalServer.cnf
http://<IP>/ehcp/ehcp_daemon.py
http://<IP>/ehcp/ehcpdaemon.sh
http://<IP>/ehcp/ehcp_fix_apache.php
http://<IP>/ehcp/ehcpinfo.html
http://<IP>/ehcp/ehcp_postfix2.sh
http://<IP>/ehcp/ehcp_postfix.sh
http://<IP>/ehcp/ehcp.sql
http://<IP>/ehcp/ehcp_upgrade.sh
http://<IP>/ehcp/ehcpupgrade.sql
http://<IP>/ehcp/checkapacheconfig.sh
http://<IP>/ehcp/checkapache.sh
http://<IP>/ehcp/etc/apache2/apache_subdomain_template
http://<IP>/ehcp/etc/apache2/apache_subdomain_template_ipbased
http://<IP>/ehcp/etc/apache2/apachetemplate
http://<IP>/ehcp/etc/apache2/apachetemplate_ipbased
http://<IP>/ehcp/etc/apache2/apachetemplate_passivedomains
http://<IP>/ehcp/etc/apache2/default
http://<IP>/ehcp/etc/apache2/ports.conf
http://<IP>/ehcp/etc/apache2_ssl/apache_subdomain_template
http://<IP>/ehcp/etc/apache2_ssl/apachetemplate
http://<IP>/ehcp/etc/apache2_ssl/apachetemplate_ipbased
http://<IP>/ehcp/etc/apache2_ssl/apachetemplate_passivedomains
http://<IP>/ehcp/etc/apache2_ssl/default
http://<IP>/ehcp/etc/apache2_ssl/default-ssl
http://<IP>/ehcp/etc/apache2_ssl/ports.conf
http://<IP>/ehcp/etc/logrotate.d/ehcp
http://<IP>/ehcp/named_ehcp.conf
http://<IP>/ehcp/phpadmin.php
http://<IP>/ehcp/phpmyadmin.conf
http://<IP>/ehcp/pop-before-smtp.conf
http://<IP>/ehcp/resetmysqlrootpass.sh
http://<IP>/ehcp/scriptsupdate.sql
http://<IP>/ehcp/scriptsupdate.sql.html
http://<IP>/ehcp/setup.sh
http://<IP>/ehcp/smtpd.cert
http://<IP>/ehcp/smtpd.key
http://<IP>/ehcp/ssh2.sh
http://<IP>/ehcp/stats.php
http://<IP>/ehcp/misc/importexport.php
http://<IP>/ehcp/misc/mysqltroubleshooter.php
http://<IP>/ehcp/misc/redirect_index.html
http://<IP>/ehcp/misc/serverstatus.sh

Access : Remote
Complexity : Low
Impact : Complete

CWE-256: Plaintext Storage of a Password
CWE-200: Information Exposure
CWE-592: Authentication Bypass Issues

2016-03-31 09:06:08 | ehcpdeveloper | ehcp: importance | Undecided | High |
2016-03-31 09:06:12 | ehcpdeveloper | ehcp: assignee | | ehcpdeveloper (ehcpdeveloper) |
2016-03-31 09:06:39 | ehcpdeveloper | ehcp: status | New | Fix Released |