Thursday, July 4, 2013

Multiple vulnerabilities in ZPanel 10.0.2 - POC

When I set up ZPanel on my private server for the first time, I was curious how secure it is, so I started looking through the ZPanel source code for vulnerabilities. After hours of digging through the source, I managed to find two security flaws.
The first one (and the most important) is an LFI (Local File Inclusion) that I found in the file getdownload.php, located in /etc/zpanel/panel/modules/backupmgr/code/.


In this file the variable $filename is not filtered at all, so a malicious user can access important files on the server such as /etc/passwd, ZPanel configuration files, etc. POC: http://www.example-zapenelserver.com/modules/backupmgr/code/getdownload.php?file=/etc/passwd
(This flaw was reported on 01/04/2013 together with a hotfix, and as of today the ZPanel team has not released any security update -- http://goo.gl/weU1N)
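As an added illustration (my own example, not ZPanel's code and not part of the hotfix linked above), this is how a download handler like getdownload.php can confine the requested name to a single backup directory instead of passing it straight to the filesystem. The backup directory, the helper name resolve_backup_path and the sample archive are assumptions for the demo; the query parameter name `file` is the one from the POC URL above.

```php
<?php
// Added example (not ZPanel's code): validate a user-supplied backup file name
// before serving it, so traversal like ../../etc/passwd or absolute paths
// such as /etc/passwd are rejected. Directory and helper name are assumptions.

function resolve_backup_path(string $backupDir, string $requested): ?string
{
    // NUL bytes can truncate paths in lower-level calls; reject them first.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // Only a bare file name is acceptable: no directory separators, no . or ..
    if ($requested === '' || $requested === '.' || $requested === '..'
        || basename($requested) !== $requested) {
        return null;
    }
    $base = realpath($backupDir);
    $full = realpath($backupDir . DIRECTORY_SEPARATOR . $requested);
    // realpath() returns false if the target does not exist or cannot be resolved.
    if ($base === false || $full === false) {
        return null;
    }
    // After symlink resolution the file must still sit inside the backup directory.
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    if (!is_file($full)) {
        return null;
    }
    return $full;
}

// Demo against a constructed temporary backup directory.
$dir = sys_get_temp_dir() . '/zp_backup_demo_' . getmypid();
mkdir($dir, 0700);
file_put_contents($dir . '/site.tar.gz', 'demo archive');

// Constructed inputs: one legitimate name and several that must be refused.
$cases = ['site.tar.gz', '../../../../etc/passwd', '/etc/passwd',
          'missing.tar.gz', "site.tar.gz\0.txt"];
foreach ($cases as $c) {
    $r = resolve_backup_path($dir, $c);
    printf("%-28s => %s\n", addcslashes($c, "\0"), $r === null ? 'REJECTED' : 'OK ' . $r);
}

// In a real handler, $requested would come from $_GET['file'] and, only when
// resolve_backup_path() returns a path, be served with:
//   header('Content-Type: application/octet-stream');
//   header('Content-Disposition: attachment; filename="' . basename($full) . '"');
//   readfile($full);

unlink($dir . '/site.tar.gz');
rmdir($dir);
```

Run it with `php` on the command line: only site.tar.gz resolves to a path under the temporary directory; the traversal, absolute, missing and NUL-byte names all print REJECTED. The basename check alone would already stop the POC URL, and the realpath prefix comparison additionally catches symlinks planted inside the backup directory.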

The second one is the file daemon.php, located in /etc/zpanel/panel/bin/. This flaw allows non-authorized users! to run the ZPanel daemon and obtain sensitive information about the ZPanel installation, such as all usernames!, all websites! hosted on the server, etc., simply by accessing the link http://www.example-zapenelserver.com/bin/daemon.php