The hole in whm

Thursday, 26 September, Year 5 d.Tr. | Author: Mircea Popescu

Since pictures are worth a thousand words :

whm-lol

Before you ask : no, this is in no way related to the recent breach, nor is it in any significant way related to the recovery work. Obviously when people get burned people get paranoid, and when people get paranoid people start reading things, such as the source of various scripts. Whereby they find things.

For instance wwwacctform, which lives behind https exclusively (because https helps) and uses complex session tokenization as displayed in cpsess3677009734 (because session tokenization also helps) proceeds to cavalierly declare the form as

<form action="/cpsess3677009734/scripts5/wwwacct" name="mainform" onsubmit="checkacctform();">

As we all know (don't we ?), the default browser behaviour is GETi, so forms that don't specify otherwise get to send passwords as url encoded strings.

Now picture this : cpanel/whm is still the most prevalent web hosting package. I propose that simply going about sniffing wireless traffic in a more densely populated urban area for an hour or two should result in at least one password/username combo through this method. Funny how security works, isn't it.

———
  1. Teh DTD is unambiguous,

    method (GET|POST) GET -- HTTP method used to submit the form--

    []

Category: Meta psihoza
Comments feed : RSS 2.0. Leave your own comment below, or send a trackback.

2 Responses

  1. Mircea Popescu`s avatar
    1
    Mircea Popescu 
    Thursday, 26 September 2013

    PS. A reader points out to me that while the foregoing is correct, scripts/passwdlist (ie, "Password Modification") does correctly specify a post method to be used in its password update form (but not, I would like to add, in the select users form on the same page). Nevertheless, until someone actually writes good software it's a good idea to make sure you always reset your cpanel passwords at least once, and ideally immediately after creating an account.

  2. I'd venture sloth is second only to social engineering as a source of easy security exploits. Seems like a lower risk activity than rubber hose cryptanalysis by any stretch.

Add your cents! »
    If this is your first comment, it will wait to be approved. This usually takes a few hours. Subsequent comments are not delayed.