zpanel / zpanelx

ZPanel is a web hosting control panel written in PHP for Windows and *NIX host OS's.
http://www.zpanelcp.com

Security: file inclusion issue #274

Open Shinkurt opened 7 years ago

Shinkurt commented 7 years ago

Hey,

zpanelx/modules/dns_admin/code/getbindlog.php says:

11: $bindlog = str_replace('..', '__', $_POST['inBindLog']);
16: $handle = fopen($bindlog, "r");
20: $buffer = fgets($handle, 4096);

And the only mitigation to stop file inclusion is in line 5, which is there to stop referencing files with path traversal like ../../file.etc: $bindlog = str_replace('..', '__', $_GET['inBindLog']); However, this is an insufficient fix because one can send payloads like .%00./.%00./file.etc, as PHP before 5.3.6 truncates null bytes and treats them as empty values, letting us sneak in ../../file.etc.

The fix should handle null bytes or use a more thought-out implementation.

Thanks,

h3ct0rjs commented 5 years ago

You can try sentora.org, which is a fork of zpanel. Actually I don't know if this is a persistent bug in the fork. Could you please take a look?

Thanks, H

VedranIteh commented 4 years ago

It is, and you can do an even simpler attack: specify the full path instead ... e.g. /etc/passwd

koshermeat commented 4 years ago

Yes, I just looked and this seems consistent with the actual zpanel code: any authenticated user can use this bug to read any file or achieve RCE by reading sensitive config files or system files.
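The thread above shows two ways a single str_replace('..', '__', ...) filter fails: the null-byte truncation in the original report, and the absolute path VedranIteh points out (the filter never looks for a leading "/" at all). The following is an added example, not ZPanel's or Sentora's own code, of how getbindlog.php could open the log safely instead. It assumes the BIND log files live under one fixed directory (the "/var/log/named" value is a placeholder) and that the client is only ever meant to name a file, never a path; openBindLog is a hypothetical helper name.

```php
<?php
// Added example (not ZPanel's own code): hardened replacement for the
// $_POST['inBindLog'] -> fopen() logic in getbindlog.php.
// Assumptions: logs live under $logDir (placeholder path below) and the
// request is expected to carry a bare file name, not a path.

function openBindLog($requested, $logDir)
{
    // Reject embedded NUL bytes outright. On PHP < 5.3.6 a NUL inside a
    // file name was silently truncated, which is how ".\0./" gets past a
    // filter that only looks for the literal string "..".
    if (!is_string($requested) || strpos($requested, "\0") !== false) {
        return false;
    }

    // Accept a bare file name only. basename() strips every directory
    // component, so "../x.log" and "/etc/passwd" no longer equal the input
    // and are rejected; "..", "." and "" are rejected explicitly.
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..' || $name !== $requested) {
        return false;
    }

    // Allow-list the characters and extension the DNS module actually uses;
    // this is tighter than filtering known-bad sequences.
    if (!preg_match('/^[A-Za-z0-9._-]+\.log$/', $name)) {
        return false;
    }

    // Resolve both paths and confirm the target is still inside $logDir
    // after symlinks are followed. realpath() returns false for a missing
    // file, which is treated as a rejection rather than an error page.
    $base = realpath($logDir);
    $path = realpath($logDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }

    return fopen($path, 'r');
}

// Usage in place of the original fopen($bindlog, "r"):
$requested = isset($_POST['inBindLog']) ? $_POST['inBindLog'] : '';
$handle = openBindLog($requested, '/var/log/named'); // placeholder directory
if ($handle === false) {
    header('HTTP/1.1 400 Bad Request');
    exit('invalid log file');
}
while (($buffer = fgets($handle, 4096)) !== false) {
    // Escape on output so log content cannot inject markup into the panel.
    echo htmlspecialchars($buffer, ENT_QUOTES, 'UTF-8');
}
fclose($handle);
```

The important design change is that the function never tries to sanitise a path the client chose; it derives the path itself from a validated name and a server-side directory, then re-checks the resolved result. With that structure, the null-byte and absolute-path bypasses discussed in this issue have nothing left to act on, and the same check is a reasonable thing to verify against the Sentora fork h3ct0rjs mentions.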