Easy Hosting Control Panel (EHCP) is an open source hosting control panel. It is written in PHP and works with Nginx and the PHP-FRM environment. The major features of EHCP include managing FTP, MySQL, DNS management, and emails, etc. As part of our ongoing threat research at FortiGuard Labs, I discovered that EHCP contains an SQL Injection and multiple cross-site Scripting (XSS) vulnerabilities.
The SQL Injection vulnerability (CVE-2018-13125) exists in the HTTP header line X-Forwarded-For. It allows a remote attacker, without any permission, to execute SQL commands on the system. Two XSS issues exist, one is in the X-Forwarded-For value, which is the same location as the SQL Injection issue. The other is a reflected XSS (CVE-2018-13124), which is caused by the op parameter of the run function. An attacker could insert arbitrary script codes into the op parameter and then execute them in the run function. This could enable a remote attacker to gain control of the victim’s browser and then hijack the victim’s EHCP account. Successful exploitation of any of the two kinds of vulnerabilities discovered could allow a remote attacker to take over the web server.
For the SQL Injection vulnerability (CVE-2018-13125), in classapp.php, when a user tries to login to EHCP, there is a login attempt check function which is designed to prevent a brute force attack, as shown in Figure 1.
It does this by logging the username and the IP address. Then, if the count of login attempts is greater than five it blocks the IP and executes an SQL command to generate a log entry, as shown in Figure 2.
Let’s check the value of $clientip. It comes from the value of $ipproxy, which is directly gained from the HTTP header line X-Forwarded-For, as shown in Figure 3. When an attacker makes a login attempt, this value is inserted into the database without any sterilization, which causes this SQL Injection issue.
The sqlmap test result is shown in Figure 4. Without any permission, a remote attacker could execute arbitrary SQL commands on the system.
This SQL Injection issue can also cause an XSS issue because EHCP doesn’t sterilize the SQL error output message. For example, when setting the X-Forwarded-For value to “22.214.171.124'/\"><img src=x onerror=prompt(1)>” (note: remove the start and ending double quotes), the script will be inserted into the web page and executed automatically, as shown in Figure 5.
The second XSS issue (CVE-2018-13124) happens when providing a malicious op value. EHCP will return the provided op value in the error message without HTML sterilization, as shown in Figure 6.
When this $op value contains scripts, the code will be reflected and executed in the victim’s browser as shown in Figure 7.
All users of EHCP should upgrade to the latest version immediately. Additionally, organizations using Fortinet IPS solutions are already protected from these vulnerabilities with the following signatures: