Feeds

cPanel, Netgear and Linksys susceptible to nasty attack

Unholy trinity

Security for virtualized datacentres

Defcon If you use cPanel to administer your website or certain Linksys or Netgear devices to route traffic over your wireless network, you're susceptible to web-based attacks that could take complete control of your systems, two security researchers said Saturday.

All three wares contain CSRF, or cross-site request forgery, holes that can be exploited when the user does nothing more than surf to the wrong site. Web-application security experts Russ McRee of HolisticInfoSec.org and Mike Bailey of Skeptikal.org said they've alerted officials at all three companies to the weaknesses and so far all have failed to fix them.

"CSRF is bad stuff," Bailey told a standing-room-only audience at the Defcon hacker conference in Las Vegas. "It's a very under-appreciated vulnerability, and it's all over the place. Because it usually gets rated as a pretty minimal issue, it almost never gets fixed, and that means that we have these kinds of holes all over."

CSRF attacks are web-based sleights of hand that exploit the trust sensitive web-based services have in users who have previously logged in. Third-party websites under the control of a CSRF attack permit these users to take actions they never intended, such as executing online financial transactions or revealing passwords. Because the user is already logged in, no password is necessary.

The vulnerability in cPanel is triggered by luring a user to a malicious website while logged in to the program, which is one of the most widely used web-hosting applications. The attack is able to trick cPanel into carrying out sensitive commands by making it appear as if they came from the victim.

"If you logged in as root and you hit my website or you hit any website I control, I can do anything I want," Bailey said. "I can reset your root password, I can upgrade software, I can modify any setting I want. That's scary and that's bad."

Even more troubling, Bailey continued, was the reply he got when he notified cPanel officials of the bug. "The response I got from cPanel was we can't fix this because it's a feature. Apparently, they're worried it's going to break integration with third party billing software, so they can't fix this."

Representatives from cPanel, Netgear and Linksys weren't immediately available for comment. This article will be updated if they can be reached and provide a response.

The CSRF attacks also affect the WRT160N model router made by Linksys. If you happen to be logged in to its administration page and surf to the wrong site, it can be hijacked. A similar vulnerability affects Netgear's RP614v4, said McRee, who posted a video available here that shows an exploit in action. What's more, because router vendors use the same code base across their product lineups, it's likely additional models are vulnerable, he said.

The attacks are difficult to prevent. While the NoScript extension for Firefox blocks a significant number of web-based attacks, Bailey described a now-fixed vulnerability in ESPN.com that could have allowed customer profiles to be hijacked that he said the plugin was powerless to stop.

Defcon attendee and security researcher Justin Samuel said a Firefox extension called RequestPolicy blocks the vast majority of CSRF attacks, and while we have no reason to doubt that, we haven't had a chance to verify the claim.

A longer-term and more comprehensive fix may come in the form of a specification proposed by the Mozilla foundation. It would allow banks, merchants and other organizations with sensitive websites to define certain security policies that would be carried out by the browser. For example, site developers could list an explicit set of domains allowed to issue javascript, so that code embedded in sites that aren't specifically white-listed would not be executed.

Other mitigation strategies that can help tame the CSRF (often pronounced "sea surf") menace include the use of CAPTCHAs and re-authentication scripts.

Of course, the best defense is for vendors to fix their buggy products, but as the researchers reported, that doesn't always happen. ®

Update

cPanel has published this response on its website that says in part: "Security is a top priority for cPanel. In an upcoming update to cPanel, new technology will be provided to mitigate CSRF attacks against cPanel’s products. This new security feature is currently undergoing critical quality assurance testing and will be released once verified."

The company reminds users to protect themselves by taking the following measures:

  • Do not remain logged into any web applications or interfaces while browsing untrusted sites. Always completely log out of browser sessions for sensitive sites when activities have been completed.
  • Avoid opening SPAM, Websites, or clicking on links that you do not trust especially URL shortening services found on many social media sites.
  • Update your current passwords within cPanel on a regular basis and maintain strong password discipline.

Beginner's guide to SSL certificates

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
NOT OK GOOGLE: Android images can conceal code
It's been fixed, but hordes won't have applied the upgrade
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.