Control Web Panel - Remote Code Execution Vulnerability

Description:

A remote code execution (RCE) pre-authentication vulnerability has been discovered for the widely used web hosting platform, Control Web Panel (CWP). CWP, formerly known as CentOS Web Panel, is a free-to-use, Linux web hosting control panel, designed for quick and easy management of servers.

The vulnerability was first disclosed on 30th July 2022; it lets attackers remotely compromise servers. The cause is a flaw in the /login/index.php component of Control Web Panel 7 (formerly CentOS Web Panel) before v0.9.8.1147, which allows unauthenticated attackers to execute arbitrary system commands via crafted HTTP requests. To exploit the vulnerability, an attacker only needs to send a malicious HTTP request to an affected server.

A proof of concept was released recently, on 5th January, by Turkish security engineer Numan Turle. As per the PoC, the recommended solution is to upgrade CWP to the latest version.

Affected Version:  

  • <= 0.9.8.1147

CVE_IDs: 

  • CVE-2022-44877

Source:

Impact:

  • It allows unauthenticated attackers to execute arbitrary system commands via crafted HTTP requests.

  • Attackers can gain full control over a compromised machine.

Recommendation:

Upgrade to the unaffected Control Web Panel version (v0.9.8.1147 or newer) as soon as possible.
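The following is an added example, not part of the advisory: a small Python helper that compares a Control Web Panel version string against the affected range given in the Affected Version section above (<= 0.9.8.1147), so a fleet can be triaged for hosts that still need the upgrade. How the version string is obtained from each host (the `inventory` mapping) is an assumption of the example; the sample inventory is constructed.

```python
"""Triage Control Web Panel hosts against the affected range for CVE-2022-44877.

Added example, not code from the advisory. The threshold AFFECTED_MAX is taken
from the advisory's Affected Version line; the inventory below is constructed
sample data, and how versions are collected from real hosts is assumed.
"""
import re
from typing import Dict, List, Tuple

# Upper bound of the affected range, as listed in the advisory (inclusive).
AFFECTED_MAX = "0.9.8.1147"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'v0.9.8.1147' or '0.9.8.1147' into a tuple of ints for comparison.

    A leading 'v' is tolerated; anything that is not dot-separated digits is
    rejected rather than silently compared as a string.
    """
    cleaned = version.strip().lstrip("vV")
    if not re.fullmatch(r"\d+(\.\d+)*", cleaned):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in cleaned.split("."))


def is_affected(version: str, affected_max: str = AFFECTED_MAX) -> bool:
    """True when the version is inside the affected range (<= affected_max).

    Tuples compare component by component, so 0.9.8.1147 < 0.9.8.1148 and
    0.9.8.1147 < 0.9.9.0, which plain string comparison would get wrong.
    """
    return parse_version(version) <= parse_version(affected_max)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames whose reported CWP version is still affected."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory: hostname -> version string reported by the host.
SAMPLE_INVENTORY = {
    "cwp-01.example.internal": "v0.9.8.1146",
    "cwp-02.example.internal": "0.9.8.1147",
    "cwp-03.example.internal": "0.9.8.1148",
    "cwp-04.example.internal": "0.9.9.2",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: version {SAMPLE_INVENTORY[host]} is affected, upgrade")
```

Running the module lists cwp-01 and cwp-02 as needing the upgrade; the other two hosts fall outside the affected range.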
Rajani Shrestha 10 January, 2023
