🚨 Critical Vulnerability in Sitepad cPanel plugin ≤ 1.7.0

🚨 Critical Vulnerability in Sitepad cPanel plugin ≤ 1.7.0

I recently rented a tiny VPS with cpanel in order to have a better understanding of all of the cpanel files, scripts, and so on. During browsing cpanel files, I discovered that some scripts are only visible to webmail users, while others are only visible to cPanel or WHM users. I noticed that all links in Webmail go to scripts in the following directories inside /usr/local/cpanel/base/:

image 10 - 🚨 Critical Vulnerability in Sitepad cPanel plugin ≤ 1.7.0

So, the next thing that I was checking is which of these directories are also cPanel users accessing, so I logged in as a cPanel user in another browser, crtl+u on the page, and searched for links to these paths.

image 14 - 🚨 Critical Vulnerability in Sitepad cPanel plugin ≤ 1.7.0

The 3rdparty folder had interesting links such as: PHPMyAdmin and phpPgAdmin:

image 11 - 🚨 Critical Vulnerability in Sitepad cPanel plugin ≤ 1.7.0

So I tried accessing them from Webmail, but they were all checking user permissions and wouldn’t let me access them from webmail.

image 15 - 🚨 Critical Vulnerability in Sitepad cPanel plugin ≤ 1.7.0

But, the sitepad link /3rdparty/sitepad/index.live.php was accessible because it’s a simple symlink to the /usr/local/sitepad/www/ directory

image 12 - 🚨 Critical Vulnerability in Sitepad cPanel plugin ≤ 1.7.0

And this file includes the index.php file without checking any permissions:

image 13 - 🚨 Critical Vulnerability in Sitepad cPanel plugin ≤ 1.7.0

As a result in cPanel logged-in Webmail users can edit the URL parameters to access Sitepad plugin.


Steps to Reproduce

Steps to reproduce the issue in SitePad ≤ 1.7.0:

  1. Log into a Webmail (domain.com/webmail)
  2. Edit URL and add /3rdparty/sitepad/index.live.php after the cpsess_XXX part

that’s it.

image 39 1024x456 - 🚨 Critical Vulnerability in Sitepad cPanel plugin ≤ 1.7.0

Webmail users can now edit pages or even delete entire websites.

See also  Prevent SQL injections 💉 in PHP using prepared statements and parameterized queries

Impact

According to builtwith, there are about 50.000 known Sitepad websites, with around 30.000 of them being vulnerable due to the use of Sitepad Page Builder as a cPanel plugin. This means that any of these sites could be accessed through hacked email accounts or former employees.

Because a single cPanel account can host many domains/websites, the majority of these sites can be used to obtain access to other websites on the account, including WordPress sites.

This extends the total number of websites and cpanel accounts that can be potentially exploited with this bug to thousands more.


Vulnerability is Fixed in SitePad 1.7.1

I reported the vulnerability to Sitepad and the next day they notified me that they’ve started working on fixing it.

image 9 - 🚨 Critical Vulnerability in Sitepad cPanel plugin ≤ 1.7.0

In SitePad 1.7.1 the issue was fixed:

chrome NojXcO23xk 1024x499 - 🚨 Critical Vulnerability in Sitepad cPanel plugin ≤ 1.7.0

By adding the following check inside the index.php file

image 118 - 🚨 Critical Vulnerability in Sitepad cPanel plugin ≤ 1.7.0

And now if you try to access SitePad from a Webmail account you will get an error message: Child failed to make LIVEAPI connection to cPanel.

image 117 - 🚨 Critical Vulnerability in Sitepad cPanel plugin ≤ 1.7.0

Report Timeline

  • 30.03.2022 – Vulnerability discovered
  • 31.03.2022 – Report submitted to Softaculous – ticket ID #156870
  • 01.04.2022 – Softaculous replicated the issue
  • 13.04.2022 – The issue is resolved in version 1.7.1
  • 01.05.2022 – Vulnerability disclosed on this blog

whoami
Stefan Pejcic
Join the discussion

I enjoy constructive responses and professional comments to my posts, and invite anyone to comment or link to my site.