Feeds

cPanel, Netgear and Linksys susceptible to nasty attack

Unholy trinity

5 things you didn’t know about cloud backup

Defcon If you use cPanel to administer your website or certain Linksys or Netgear devices to route traffic over your wireless network, you're susceptible to web-based attacks that could take complete control of your systems, two security researchers said Saturday.

All three wares contain CSRF, or cross-site request forgery, holes that can be exploited when the user does nothing more than surf to the wrong site. Web-application security experts Russ McRee of HolisticInfoSec.org and Mike Bailey of Skeptikal.org said they've alerted officials at all three companies to the weaknesses and so far all have failed to fix them.

"CSRF is bad stuff," Bailey told a standing-room-only audience at the Defcon hacker conference in Las Vegas. "It's a very under-appreciated vulnerability, and it's all over the place. Because it usually gets rated as a pretty minimal issue, it almost never gets fixed, and that means that we have these kinds of holes all over."

CSRF attacks are web-based sleights of hand that exploit the trust sensitive web-based services have in users who have previously logged in. Third-party websites under the control of a CSRF attack permit these users to take actions they never intended, such as executing online financial transactions or revealing passwords. Because the user is already logged in, no password is necessary.

The vulnerability in cPanel is triggered by luring a user to a malicious website while logged in to the program, which is one of the most widely used web-hosting applications. The attack is able to trick cPanel into carrying out sensitive commands by making it appear as if they came from the victim.

"If you logged in as root and you hit my website or you hit any website I control, I can do anything I want," Bailey said. "I can reset your root password, I can upgrade software, I can modify any setting I want. That's scary and that's bad."

Even more troubling, Bailey continued, was the reply he got when he notified cPanel officials of the bug. "The response I got from cPanel was we can't fix this because it's a feature. Apparently, they're worried it's going to break integration with third party billing software, so they can't fix this."

Representatives from cPanel, Netgear and Linksys weren't immediately available for comment. This article will be updated if they can be reached and provide a response.

The CSRF attacks also affect the WRT160N model router made by Linksys. If you happen to be logged in to its administration page and surf to the wrong site, it can be hijacked. A similar vulnerability affects Netgear's RP614v4, said McRee, who posted a video available here that shows an exploit in action. What's more, because router vendors use the same code base across their product lineups, it's likely additional models are vulnerable, he said.

The attacks are difficult to prevent. While the NoScript extension for Firefox blocks a significant number of web-based attacks, Bailey described a now-fixed vulnerability in ESPN.com that could have allowed customer profiles to be hijacked that he said the plugin was powerless to stop.

Defcon attendee and security researcher Justin Samuel said a Firefox extension called RequestPolicy blocks the vast majority of CSRF attacks, and while we have no reason to doubt that, we haven't had a chance to verify the claim.

A longer-term and more comprehensive fix may come in the form of a specification proposed by the Mozilla foundation. It would allow banks, merchants and other organizations with sensitive websites to define certain security policies that would be carried out by the browser. For example, site developers could list an explicit set of domains allowed to issue javascript, so that code embedded in sites that aren't specifically white-listed would not be executed.

Other mitigation strategies that can help tame the CSRF (often pronounced "sea surf") menace include the use of CAPTCHAs and re-authentication scripts.

Of course, the best defense is for vendors to fix their buggy products, but as the researchers reported, that doesn't always happen. ®

Update

cPanel has published this response on its website that says in part: "Security is a top priority for cPanel. In an upcoming update to cPanel, new technology will be provided to mitigate CSRF attacks against cPanel’s products. This new security feature is currently undergoing critical quality assurance testing and will be released once verified."

The company reminds users to protect themselves by taking the following measures:

  • Do not remain logged into any web applications or interfaces while browsing untrusted sites. Always completely log out of browser sessions for sensitive sites when activities have been completed.
  • Avoid opening SPAM, Websites, or clicking on links that you do not trust especially URL shortening services found on many social media sites.
  • Update your current passwords within cPanel on a regular basis and maintain strong password discipline.

Secure remote control for conventional and virtual desktops

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
Oz fed police in PDF redaction SNAFU
Give us your metadata, we'll publish your data
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.