Exploit drops for remote code execution bug in Control Web Panel


Vendor patched the vulnerability in October after a red team alert

A pre-authentication remote code execution (RCE) exploit has landed for popular web hosting platform Control Web Panel (CWP).

The corresponding vulnerability in CWP 7 was patched, with the fix released in version 0.9.8.1147 on October 25. All previous versions are affected.

CWP, formerly CentOS Web Panel, is a free-to-use Linux control panel with roughly 200,000 servers in active use.


The Proof of Concept (PoC) was posted to GitHub and YouTube yesterday (January 5) by Numan Türle, security engineer at Turkish infosec outfit Gais Security.

Türle told The Daily Swig that he disclosed technical details and requested a CVE after receiving assurances that a sufficient number of servers had been updated to the patched version.

The flaw has now been designated as CVE-2022-44877 with a CVSS severity rating still pending.

Double quotes problem

The flaw resides in the component and allows unauthenticated attackers to execute arbitrary system commands via crafted HTTP requests.

According to Türle, it resulted from CWP using the following structure to log incorrect entries:

“Since the request URI comes from the user, and as you can see it is within double quotes, it is possible to run commands such as , which is a bash feature,” he said.

“They have made the request URI into , but double quotes are interpreted on the bash side. It is actually just a problem with double quotes. It was a small problem but could be very annoying.”
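As an added illustration of the quoting issue described above (example code written for this page, not CWP's own code): a constructed logging helper that splices a request URI into a bash command string inside double quotes, beside a hardened version that passes the URI as an argument, plus a check that flags URIs carrying bash expansion syntax. The sample URI value and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Constructed sample request URI (not taken from the article) carrying a
# harmless command substitution so the difference in behaviour is visible.
SAMPLE_URI='/index.php?id=$(echo INJECTED)'

# Vulnerable pattern: the URI is spliced into a command string that bash
# later evaluates. Double quotes do not suppress $(...), so the substitution
# runs with the privileges of the logging process.
log_unsafe() {
    local uri="$1"
    bash -c "echo \"Request: $uri\""
}

# Hardened: the URI is handed to bash as a positional argument. "$1" is
# expanded once, to the literal string, and is never re-parsed as code.
log_safe() {
    bash -c 'printf "Request: %s\n" "$1"' _ "$1"
}

# Defender-side check: flag request URIs that contain bash expansion syntax
# ($(...), backticks, ${...}). Returns 0 when found, 1 otherwise.
has_shell_expansion() {
    printf '%s' "$1" | grep -Eq '\$\(|`|\$\{'
}

# Stand-alone demo: the unsafe logger expands the substitution, the safe
# logger records the URI verbatim.
echo "unsafe: $(log_unsafe "$SAMPLE_URI")"
echo "safe:   $(log_safe "$SAMPLE_URI")"
```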

Timeline

Türle said the bug emerged from zero-day research undertaken on third-party applications used by customers of Gais Security.

“We discovered this vulnerability in July 2022 and closed the ports by first notifying our customers,” he said.

CWP was notified and remediation began on July 30. “Since it was a busy period, we sent the full…


Exploit drops for remote code execution bug in Control Web Panel – webhostingreviewsite.com