
Open Redirect in cPanel

01 October, 2015

Hi!


I'm going to write about an open redirect vulnerability that I found in cPanel back in July 2015. This one is pretty simple and easy.


cPanel has a file at "/unprotected/redirect.html" that redirects the user after they log in to cPanel. It was basically meant to redirect the user to any internal URL of cPanel. So suppose your cPanel URL is www.site.com:2082. To perform the open redirect, all you need to do is append "/unprotected/redirect.html?goto_uri=//malicious-url.com" to "www.site.com:2082".


The URL would then look like "www.site.com:2082/unprotected/redirect.html?goto_uri=//malicious-url.com" and that's it! Now there are two cases:

1. If the victim is not logged in to cPanel: the victim will be taken to the cPanel login page and, after a successful login, will be redirected to the entered URL (e.g. malicious-url.com).

2. If the victim is logged in to cPanel: the victim will be instantly redirected to the entered URL (e.g. malicious-url.com).


So that's all. It's a pretty easy one, but there is one main thing: they had basically already fixed the open redirect, i.e. if you enter "http://malicious-url.com" or "https://malicious-url.com" in the "goto_uri" parameter, the open redirect will not work. That's why the URL had to be written as "//malicious-url.com" (without http or https). And yeah, it affected WHM as well.
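
Why "//malicious-url.com" gets past a filter that refuses only "http://" and "https://", shown as an added example that is not cPanel's code or part of the original write-up. `naive_is_internal` is an assumed stand-in for the check described above, `strict_is_internal` is one way to accept only same-site paths, and the path "/some/internal/page.html" is constructed.

```python
from urllib.parse import urljoin, urlsplit

# Address from the post; the redirect is resolved relative to this page.
BASE = "http://www.site.com:2082/unprotected/redirect.html"

def naive_is_internal(goto_uri: str) -> bool:
    """Assumed stand-in for the partial fix: refuse only explicit http(s) URLs."""
    return not goto_uri.lower().startswith(("http://", "https://"))

def strict_is_internal(goto_uri: str) -> bool:
    """Accept only a path on the same site."""
    # Must be an absolute path, but "//host" is a scheme-relative URL, not a path.
    if not goto_uri.startswith("/") or goto_uri.startswith("//"):
        return False
    # Browsers read "\" as "/" and drop tabs/newlines, so refuse those outright.
    if "\\" in goto_uri or any(ord(c) < 0x20 for c in goto_uri):
        return False
    parts = urlsplit(goto_uri)
    return parts.scheme == "" and parts.netloc == ""

def landing_host(goto_uri: str) -> str:
    """Host a browser ends up on when following Location: goto_uri from BASE."""
    return urlsplit(urljoin(BASE, goto_uri)).hostname

if __name__ == "__main__":
    samples = [
        "/some/internal/page.html",      # constructed internal path
        "http://malicious-url.com",      # refused by both checks
        "//malicious-url.com",           # the form used in the post
    ]
    for s in samples:
        print(f"{s!r:32} naive={naive_is_internal(s)!s:5} "
              f"strict={strict_is_internal(s)!s:5} lands_on={landing_host(s)}")
```

The scheme-relative form inherits the scheme of the redirecting page and replaces only the host, so a check has to look at the parsed host rather than at a scheme prefix.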

Disclosure @ news.cpanel.com/cpanel-tsr-2015-0005-full-disclosure/
