Feeds

cPanel, Netgear and Linksys susceptible to nasty attack

Unholy trinity

Beginner's guide to SSL certificates

Defcon If you use cPanel to administer your website or certain Linksys or Netgear devices to route traffic over your wireless network, you're susceptible to web-based attacks that could take complete control of your systems, two security researchers said Saturday.

All three wares contain CSRF, or cross-site request forgery, holes that can be exploited when the user does nothing more than surf to the wrong site. Web-application security experts Russ McRee of HolisticInfoSec.org and Mike Bailey of Skeptikal.org said they've alerted officials at all three companies to the weaknesses and so far all have failed to fix them.

"CSRF is bad stuff," Bailey told a standing-room-only audience at the Defcon hacker conference in Las Vegas. "It's a very under-appreciated vulnerability, and it's all over the place. Because it usually gets rated as a pretty minimal issue, it almost never gets fixed, and that means that we have these kinds of holes all over."

CSRF attacks are web-based sleights of hand that exploit the trust sensitive web-based services have in users who have previously logged in. Third-party websites under the control of a CSRF attack permit these users to take actions they never intended, such as executing online financial transactions or revealing passwords. Because the user is already logged in, no password is necessary.

The vulnerability in cPanel is triggered by luring a user to a malicious website while logged in to the program, which is one of the most widely used web-hosting applications. The attack is able to trick cPanel into carrying out sensitive commands by making it appear as if they came from the victim.

"If you logged in as root and you hit my website or you hit any website I control, I can do anything I want," Bailey said. "I can reset your root password, I can upgrade software, I can modify any setting I want. That's scary and that's bad."

Even more troubling, Bailey continued, was the reply he got when he notified cPanel officials of the bug. "The response I got from cPanel was we can't fix this because it's a feature. Apparently, they're worried it's going to break integration with third party billing software, so they can't fix this."

Representatives from cPanel, Netgear and Linksys weren't immediately available for comment. This article will be updated if they can be reached and provide a response.

The CSRF attacks also affect the WRT160N model router made by Linksys. If you happen to be logged in to its administration page and surf to the wrong site, it can be hijacked. A similar vulnerability affects Netgear's RP614v4, said McRee, who posted a video available here that shows an exploit in action. What's more, because router vendors use the same code base across their product lineups, it's likely additional models are vulnerable, he said.

The attacks are difficult to prevent. While the NoScript extension for Firefox blocks a significant number of web-based attacks, Bailey described a now-fixed vulnerability in ESPN.com that could have allowed customer profiles to be hijacked that he said the plugin was powerless to stop.

Defcon attendee and security researcher Justin Samuel said a Firefox extension called RequestPolicy blocks the vast majority of CSRF attacks, and while we have no reason to doubt that, we haven't had a chance to verify the claim.

A longer-term and more comprehensive fix may come in the form of a specification proposed by the Mozilla foundation. It would allow banks, merchants and other organizations with sensitive websites to define certain security policies that would be carried out by the browser. For example, site developers could list an explicit set of domains allowed to issue javascript, so that code embedded in sites that aren't specifically white-listed would not be executed.

Other mitigation strategies that can help tame the CSRF (often pronounced "sea surf") menace include the use of CAPTCHAs and re-authentication scripts.

Of course, the best defense is for vendors to fix their buggy products, but as the researchers reported, that doesn't always happen. ®

Update

cPanel has published this response on its website that says in part: "Security is a top priority for cPanel. In an upcoming update to cPanel, new technology will be provided to mitigate CSRF attacks against cPanel’s products. This new security feature is currently undergoing critical quality assurance testing and will be released once verified."

The company reminds users to protect themselves by taking the following measures:

  • Do not remain logged into any web applications or interfaces while browsing untrusted sites. Always completely log out of browser sessions for sensitive sites when activities have been completed.
  • Avoid opening SPAM, Websites, or clicking on links that you do not trust especially URL shortening services found on many social media sites.
  • Update your current passwords within cPanel on a regular basis and maintain strong password discipline.

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.