Security Vulnerabilities
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Easy Hosting Control Panel for Ubuntu | Fix Released | High | ehcpdeveloper | |
Bug Description
EHCP Easy Hosting Control Panel
Multiple Vulnerabilities -
Clear Text MySQL Root Password
Insufficiently Protected Sensitive Data
Authentication Bypass
Please let me know if you need further information. I will be disclosing this in 45 days, unless you need more time to fix. (Edit: Developer has no timeline for fix. Publicly disclosed March 30. http://
Software Links:
https:/
http://
https:/
-------
Description:
ehcp is a hosting control panel, for multiple domains on single machine. easily installable, easy usage, non-complex,
-------
CWE-256: Plaintext Storage of a Password
CWE-522: Insufficiently Protected Credentials
CWE-200: Information Exposure
CWE-592: Authentication Bypass Issues
Access : Remote (All Vulnerabilities)
Complexity : Low (All Vulnerabilities)
Currently, many resellers are using this software to manage multiple customer domains, which in many cases also exposes ssh and mysql ports to the outside world.
All known versions between 0.29 and 0.37.9 are affected. Earlier versions may be impacted as well.
ver 0.37.9
ver 0.30.6
ver 0.29.15
ver 0.29.13
-------
#1 Plaintext Storage of a Password
By browsing directly to http://<IP>/ehcp/
As with almost every file in the EHCP software suite, the permissions are set to -rw-r--r--
http://<IP>/ehcp/
Access : Remote
Complexity : Low
Impact : Complete
CWE-256: Plaintext Storage of a Password
CWE-200: Information Exposure
CWE-592: Authentication Bypass Issues
-------
#2 Unauthenticated File upload
By browsing to any of the following four URLs, a remote attacker can upload any file, which is then stored in a directory called /phptmpdir/. It does not appear to validate either the user uploading or the file type.
http://<IP>/ehcp/
http://<IP>/ehcp/
http://<IP>/ehcp/
http://<IP>/ehcp/
Access : Remote
Complexity : Low
Impact :
CWE-592: Authentication Bypass Issues
CWE-434: Unrestricted Upload of File
-------
#3 Information Disclosure
The following URL pathways can be remotely browsed to without authentication. They all give various amounts of information disclosure which exposes almost all of the underworking directory and functions of the Hosting software, SQL tables and database queries.
http://<IP>/ehcp/
http://<IP>/phpsysinfo
http://<IP>/ehcp/ehcp.sql
http://<IP>/ehcp/setup.sh
http://<IP>/ehcp/smtpd.key
http://<IP>/ehcp/ssh2.sh
http://<IP>/ehcp/stats.php
Access : Remote
Complexity : Low
Impact : Complete
CWE-256: Plaintext Storage of a Password
CWE-200: Information Exposure
CWE-592: Authentication Bypass Issues
http://www.securityfocus.com/archive/1/537922
Disclosed
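
An added example, not part of the original report or of EHCP's code: a local audit an administrator could run over the panel's web root to list world-readable files of the types the report names as browsable (ehcp.sql, smtpd.key, setup.sh, ssh2.sh). The function name, the extension set, and the web-root path passed on the command line are assumptions.

```python
import os
import stat
import sys

# Extensions taken from the file names the report lists as browsable
# (ehcp.sql, smtpd.key, setup.sh, ssh2.sh). Assumed set; extend as needed.
SENSITIVE_EXTS = {".sql", ".key", ".sh"}


def audit_webroot(root, sensitive_exts=SENSITIVE_EXTS):
    """Return sorted (relative_path, octal_mode) pairs for sensitive regular
    files under root whose mode grants read access to 'other'."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # entry vanished or cannot be stat'ed
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            ext = os.path.splitext(name)[1].lower()
            world_readable = bool(st.st_mode & stat.S_IROTH)
            if ext in sensitive_exts and world_readable:
                rel = os.path.relpath(path, root)
                findings.append((rel, oct(stat.S_IMODE(st.st_mode))))
    return sorted(findings)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: audit_webroot.py <web-root-directory>")
    for rel, mode in audit_webroot(sys.argv[1]):
        # Tightening the mode alone is not enough if the web server owns the
        # file; such files belong outside the document root.
        print(f"{mode}  {rel}  (relocate outside web root, restrict mode)")
```

Files flagged here are the ones to move out of the document root or block in the web server configuration, in addition to tightening their permissions.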