qcred11
Jun 5 2004, 06:22 PM
cPanel 'killacct' May Let Remote Authenticated Administrators Delete Accounts Belonging to Other Administrators
QUOTE:
A vulnerability was reported in cPanel. A remote authenticated administrator can delete DNS information for other accounts belonging to other customers.
qbann targ reported that a remote authenticated administrator can invoke '/scripts/killacct' to delete the DNS information for other customer accounts that are not the administrator's customer accounts. This can reportedly be achieved by setting a specially crafted cookie of the following form:
:2086/scripts/killacct?domain=(domain)&user=(user)&submit-domain=Terminate
The report credits verb0s with discovering this flaw.
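As an added illustration (not cPanel's code and not part of the original post), here is a stand-in for an account-termination handler shown twice: once trusting the request parameters with no ownership check, as the report describes, and once resolving the account server-side and refusing unless it belongs to the requesting reseller. Account names, owners and the audit-line format are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    user: str
    domain: str
    owner: str  # reseller that created this account (constructed field)


ROOT = "root"  # the server owner may terminate any account


def fresh_accounts():
    """Constructed sample data: two resellers, each owning one customer."""
    return {
        "alice": Account("alice", "alice.example", owner="reseller1"),
        "bob": Account("bob", "bob.example", owner="reseller2"),
    }


class Forbidden(Exception):
    """Raised when the requester is not allowed to terminate the account."""


def killacct_unchecked(requester, domain, user, accounts):
    """Vulnerable form: acts on the supplied user, never consults ownership."""
    accounts.pop(user, None)
    return True


def killacct_checked(requester, domain, user, accounts, audit):
    """Hardened form: look the account up server-side, verify the domain/user
    pair is consistent, and enforce that the requester owns it (or is root).
    Every decision is appended to `audit` so denials can be alerted on."""
    acct = accounts.get(user)
    if acct is None or acct.domain != domain:
        audit.append(f"DENY requester={requester} user={user} domain={domain} reason=no-such-account")
        raise Forbidden("no such account")
    if requester != ROOT and acct.owner != requester:
        audit.append(f"DENY requester={requester} user={user} domain={domain} reason=not-owner")
        raise Forbidden("account belongs to another reseller")
    del accounts[user]
    audit.append(f"ALLOW requester={requester} user={user} domain={domain}")
    return True
```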