Top web hosting platform could be easily exploited using these threats

News
By published

Documentation has been updated to explain Super Privileges

Scammers
(Image credit: Pixabay)

Cybersecurity researchers have successfully conducted remote code execution (RCE) and privilege escalation attacks on popular web hosting control platform cPanel & WHM by exploiting a stored cross-site scripting (XSS) vulnerability.

While cPanel is limited to managing a single hosting account, cPanel & WHM allows admins to manage the entire server

“Our team has found multiple vulnerabilities in cPanel/WHM during a black-box pentest, the most important one being a privilege escalation via stored XSS,” shared Adrian Tiron, co-founder of cloud security firm Fortbridge. 

TechRadar needs you!

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window <<

According to Tiron, the researchers were able to exploit the XSS vulnerability to escalate privileges to root.

Ripe for exploit

Whilst disclosing these bugs to the cPanel & WHM team, the Fortbridge team realized that the pentested cPanel account was a reseller account with the permission to edit locales, leading them to conclude that the XSS vulnerability discovered during their pestest “is considered a feature, and it was not fixed.”

The second bug is an HTML injection vulnerability. Although Tiron says this vulnerability is enough to bypass the CSRF/referrer leak protection, the process to exploit it is a lot more “convoluted.”

Fortbridge notified cPanel of the vulnerabilities earlier this year, and the popular control panel updated the relevant portions of its documentation earlier this month. 

However, cPanel hasn’t yet fixed the flaws, arguing that threat actors must be authenticated to exploit the vulnerability. 

In a conversation with The Daily Swig, Cory McIntire, product owner on the cPanel security team, said “the Locale interface can only be used by root and Super Privilege resellers to whom the root must grant this specific ACL to.”

He added that “this is labelled a Super Privilege with a warning icon in the server admins WHM interface, and also flagged as such in the cPanel documentation.”

In terms of protection, McIntire said that Super Privileges should only be given to people you would trust with root on your server.”

Mayank Sharma
Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.

Read more
A person at a laptop with a cybersecure lock symbol floating above it.
Parallels Desktop has some worrying security flaws for Mac users
Wordpress brand logo on computer screen. Man typing on the keyboard.
Thousands of WordPress sites targeted with malicious plugin backdoor attacks
WordPress
Another top WordPress plugin found carrying critical security flaws
The best free firewall
Microsoft fixes Power Pages security flaw, tells users to be on their guard
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Over a million WordPress sites exposed to attack from W3 Total Cache plugin flaw
Avast cybersecurity
Hackers are hijacking government software to access sensitive servers
Latest in Website Hosting
cybersecurity
What's the right type of web hosting for me?
A cloud symbol imposed over a bank of servers in a data center.
What is cloud hosting and who needs it?
Minecraft game server hosting for streamers heading - The Minecraft logo above a Minecraft landscape.
I tried 15 hosts for streaming and hosting Minecraft games and these are the best
Dark web scanning on a laptop
Hostinger integrates dark web scanning into hPanel
WordPress
WordPress Foundation bid for greater trademark control halted, adding to more legal setbacks for CEO Matt Mullenweg
The PebbleHost website.
PebbleHost review
Latest in News
Microsoft
"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
Cassian Andor looking nervously over his shoulder in Andor season 2
New Andor season 2 trailer has got Star Wars fans asking the same question – and it includes an ominous call back to Rogue One's official teaser
Ncuti Gatwa as The Fifteenth Doctor in Doctor Who
Disney+ drops new trailer for Doctor Who season 2 that promises an epic adventure across time and space
23andMe
23andMe is bankrupt and about to sell your DNA, here's how to stop that from happening
A phone showing a ChatGPT app error message
ChatGPT was down for many – here's what happened
AirPods Max with USB-C in every color
Apple's AirPods Max with USB-C will get lossless audio in April, but you'll need to go wired
More about website hosting
cybersecurity

What's the right type of web hosting for me?
Minecraft game server hosting for streamers heading - The Minecraft logo above a Minecraft landscape.

I tried 15 hosts for streaming and hosting Minecraft games and these are the best
Samsung Galaxy Z Fold 6 in Paris in front of the Louvre pyramid

I switched to a Samsung Galaxy Z Fold 6 five months ago and I haven’t looked back – here are five things you need to know before buying a foldable phone
See more latest
Most Popular
Shape of Russia filled with Russian flag-colored internet codes on a black hacking background
A new wave of blocks in Russia targets VPN apps and Cloudflare subnets
An abstract image of digital security.
Fake file converters are stealing info, pushing ransomware, FBI warns
Microsoft
"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
Ncuti Gatwa as The Fifteenth Doctor in Doctor Who
Disney+ drops new trailer for Doctor Who season 2 that promises an epic adventure across time and space
Cassian Andor looking nervously over his shoulder in Andor season 2
New Andor season 2 trailer has got Star Wars fans asking the same question – and it includes an ominous call back to Rogue One's official teaser
23andMe
23andMe is bankrupt and about to sell your DNA, here's how to stop that from happening
Lock on Laptop Screen
Medusa ransomware is able to disable anti-malware tools, so be on your guard
hacker.jpeg
Key trusted Microsoft platform exploited to enable malware, experts warn
A screenshot from Indiana Jones and the Great Circle showing Indiana Jones
Indiana Jones and the Great Circle finally gets PS5 release date and I can't wait to don the fedora and crack the whip
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Tuesday, March 25 (game #387)