FortiGuard Labs Threat Research
Easy Hosting Control Panel: SQL Injection & Multiple XSS Vulnerabilities
(EHCP) is an open source hosting control panel. It is written in PHP and works with Nginx and the PHP-FRM environment. The major features of EHCP include managing FTP, MySQL, DNS management, and emails, etc. As part of our ongoing threat research at FortiGuard Labs, I discovered that EHCP contains an SQL Injection and multiple cross-site Scripting (XSS) vulnerabilities.
The SQL Injection vulnerability (CVE-2018-13125)Ìýexists in the HTTP header line X-Forwarded-For. It allows a remote attacker, without any permission, to execute SQL commands on the system. Two XSS issues exist, one is in the X-Forwarded-For value, which is the same location as the SQL Injection issue. The other is a reflected XSS (CVE-2018-13124),Ìýwhich is caused by the op parameter of the run function. An attacker could insert arbitrary script codes into the op parameter and then execute them in the run function. This could enable a remote attacker to gain control of the victim’s browser and then hijack the victim’s EHCP account. Successful exploitation of any of the two kinds of vulnerabilities discovered could allow a remote attacker to take over the web server.
Analysis
For the SQL Injection vulnerability (CVE-2018-13125), in classapp.php, when a user tries to login to EHCP, there is a login attempt check function which is designed to prevent a brute force attack, as shown in Figure 1.
Figure 1. Login function prevents brute force attack
It does this by logging the username and the IP address. Then, if the count of login attempts is greater than five it blocks the IP and executes an SQL command to generate a log entry, as shown in Figure 2.
Figure 2. Log of failed login function
Let’s check the value of $clientip. It comes from the value of $ipproxy, which is directly gained from the HTTP header line X-Forwarded-For, as shown in Figure 3. When an attacker makes a login attempt, this value is inserted into the database without any sterilization, which causes this SQL Injection issue.
Figure 3. The $clientip value
The sqlmap test result is shown in Figure 4. Without any permission, a remote attacker could execute arbitrary SQL commands on the system.
Figure 4. CVE-2018-13125 SQLmap test result
This SQL Injection issue can also cause an XSS issue because EHCP doesn’t sterilize the SQL error output message. For example, when setting the X-Forwarded-For value to “8.8.8.8'/\"><img src=x onerror=prompt(1)>†(note: remove the start and ending double quotes), the script will be inserted into the web page and executed automatically, as shown in Figure 5.
Figure 5. XSS in X-Forwarded-For
The second XSS issue (CVE-2018-13124) happens when providing a malicious op value. EHCP will return the provided op value in the error message without HTML sterilization, as shown in Figure 6.
Figure 6. The error message contains the $op value
When this $op value contains scripts, the code will be reflected and executed in the victim’s browser as shown in Figure 7.
Figure 7. CVE-2018-13124 Malicious code in $op value is executed in victim’s browser
Solution
All users of EHCP should to the latest version immediately. Additionally, organizations using 188BET×ãÇò IPS solutions are already protected from these vulnerabilities with the following signatures:
Easy.Hosting.Control.Panel.SQL.Injection
Easy.Hosting.Control.Panel.XSS
Ìý
Check out our latestÌýÌýfor more details about recent threats.
Sign upÌýfor our weekly FortiGuard Threat Brief orÌýfor ourÌýFortiGuard Threat Intelligence Service.
