Thursday, July 4, 2013
Multiple vulnerabilities in ZPanel 10.0.2 - POC
The first one (and the most important) is an LFI (Local File Inclusion), which I found in the file getdownload.php, located in /etc/zpanel/panel/modules/backupmgr/code/.
In this file the variable $filename is not filtered at all, so a malicious user can access important files on the server, such as /etc/passwd, configuration files in zpanel, etc. POC: http://www.example-zapenelserver.com/modules/backupmgr/code/getdownload.php?file=/etc/passwd
(This flaw was reported 01/04/2103 with hotfix, and until today, the Zpanel Team has not released any security updates -- http://goo.gl/weU1N)
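One way to filter the file name before serving a download, as an added example that is not ZPanel's code or its hotfix. The backup directory BACKUP_DIR and the function name resolveDownload are assumptions made for illustration; only the `file` query parameter comes from the POC above.

```php
<?php
declare(strict_types=1);

// Hypothetical backup root; the real ZPanel location is not given on this page.
const BACKUP_DIR = '/var/example/backups';

/**
 * Map a user-supplied name to a regular file inside $baseDir.
 * Returns the canonical path, or null when the request must be refused.
 */
function resolveDownload(string $requested, string $baseDir): ?string
{
    // Allowlist: a bare file name only, so "/etc/passwd" and "../x" are refused.
    if (!preg_match('/\A[A-Za-z0-9._-]+\z/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // basename() is a second layer in case the allowlist is ever loosened.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . basename($requested));
    if ($candidate === false || !is_file($candidate)) {
        return null; // covers "." and "..", which resolve to directories
    }
    // realpath() follows symlinks, so a link pointing outside the
    // backup directory fails this containment check.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Serve the file only when reached through the web server.
if (PHP_SAPI !== 'cli') {
    $raw  = $_GET['file'] ?? '';
    $path = is_string($raw) ? resolveDownload($raw, BACKUP_DIR) : null;
    if ($path === null) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}
```

With this check, the request from the POC (`file=/etc/passwd`) gets a 404 because the name fails the allowlist before any file system access takes place.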
The second one is the file daemon.php, which is located in /etc/zpanel/panel/bin/. This flaw allows unauthorized users to run the Zpanel daemon and get sensitive information related to Zpanel, such as all usernames, all websites hosted by the server, etc., simply by accessing the link http://www.example-zapenelserver.com/bin/daemon.php