Threat Research

Easy Hosting Control Panel: SQL Injection & Multiple XSS Vulnerabilities

By Zhouyuan Yuang | July 08, 2018

Easy Hosting Control Panel (EHCP) is an open source hosting control panel. It is written in PHP and works with Nginx and the PHP-FRM environment. The major features of EHCP include managing FTP, MySQL, DNS management, and emails, etc. As part of our ongoing threat research at FortiGuard Labs, I discovered that EHCP contains an SQL Injection and multiple cross-site Scripting (XSS) vulnerabilities.

The SQL Injection vulnerability (CVE-2018-13125) exists in the HTTP header line X-Forwarded-For. It allows a remote attacker, without any permission, to execute SQL commands on the system. Two XSS issues exist, one is in the X-Forwarded-For value, which is the same location as the SQL Injection issue. The other is a reflected XSS (CVE-2018-13124), which is caused by the op parameter of the run function. An attacker could insert arbitrary script codes into the op parameter and then execute them in the run function. This could enable a remote attacker to gain control of the victim’s browser and then hijack the victim’s EHCP account. Successful exploitation of any of the two kinds of vulnerabilities discovered could allow a remote attacker to take over the web server.

The vulnerabilities affect EHCP before version 0.38.5.b.

Analysis

For the SQL Injection vulnerability (CVE-2018-13125), in classapp.php, when a user tries to login to EHCP, there is a login attempt check function which is designed to prevent a brute force attack, as shown in Figure 1.

Figure 1. Login function prevents brute force attack

It does this by logging the username and the IP address. Then, if the count of login attempts is greater than five it blocks the IP and executes an SQL command to generate a log entry, as shown in Figure 2.

Figure 2. Log of failed login function

Let’s check the value of $clientip. It comes from the value of $ipproxy, which is directly gained from the HTTP header line X-Forwarded-For, as shown in Figure 3. When an attacker makes a login attempt, this value is inserted into the database without any sterilization, which causes this SQL Injection issue.

Figure 3. The $clientip value

The sqlmap test result is shown in Figure 4. Without any permission, a remote attacker could execute arbitrary SQL commands on the system.

Figure 4. CVE-2018-13125 SQLmap test result

This SQL Injection issue can also cause an XSS issue because EHCP doesn’t sterilize the SQL error output message. For example, when setting the X-Forwarded-For value to “8.8.8.8'/\"><img src=x onerror=prompt(1)>” (note: remove the start and ending double quotes), the script will be inserted into the web page and executed automatically, as shown in Figure 5.

Figure 5. XSS in X-Forwarded-For

The second XSS issue (CVE-2018-13124) happens when providing a malicious op value. EHCP will return the provided op value in the error message without HTML sterilization, as shown in Figure 6.

Figure 6. The error message contains the $op value

When this $op value contains scripts, the code will be reflected and executed in the victim’s browser as shown in Figure 7.

Figure 7. CVE-2018-13124 Malicious code in $op value is executed in victim’s browser

Solution

All users of EHCP should upgrade to the latest version immediately. Additionally, organizations using Fortinet IPS solutions are already protected from these vulnerabilities with the following signatures:

Easy.Hosting.Control.Panel.SQL.Injection

Easy.Hosting.Control.Panel.XSS

 


Check out our latest Quarterly Threat Landscape Report for more details about recent threats.

Sign up for our weekly FortiGuard Threat Brief or for our FortiGuard Threat Intelligence Service.