Digital Defense, Inc., a leader in vulnerability and threat management solutions, announced that its Vulnerability Research Team (VRT) exposed a previously undisclosed vulnerability affecting the cPanel & WebHost Manager (WHM) web hosting platform.
cPanel & WHM is a suite of tools built for Linux OS that enables hosting providers and users the ability to automate server management and web hosting tasks. The software suite is currently used to manage above 70 million domains across the globe.
Many cPanel & WHM interfaces create URIs to other interfaces by incorporating user-supplied data in URI query parameters. These interfaces were using URL encoding on the parameters rather than URI encoding. Due to this fault, a cPanel & WHM user could be misled into performing actions they did not intend.
The cPanel &WHM version 11.90.0.5 (90.0 Build 5) exhibits a two-factor authentication bypass defect, susceptible to brute force attack.
An attacker with knowledge of or access to valid credentials could evade two-factor authentication protections on an account. Digital Defense’s in-house testing demonstrated that an attack will be get done in minutes.
“The two-factor authentication cPanel Security Policy did not prevent an attacker from repeatedly submitting two-factor authentication codes. This allowed an attacker to bypass the two-factor authentication check using brute force techniques.” reads a security advisory released by the company.
This problem was addressed with the release of the following builds:
The Digital Defense, Vulnerability Research Team right away makes contact with the affected vendor to notify the organizati ..
Support the originator by clicking the read the rest link below.
