2FA Bypass Discovered In Web Hosting Software cPanel (zdnet.com) 9
An anonymous reader quotes a report from ZDNet: Security researchers have discovered a major security flaw in cPanel, a popular software suite used by web hosting companies to manage websites for their customers. The bug, discovered by security researchers from Digital Defense, allows attackers to bypass two-factor authentication (2FA) for cPanel accounts. These accounts are used by website owners to access and manage their websites and underlying server settings. Access to these accounts is critical, as once compromised, they grant threat actors full control over a victim's site.
On its website, cPanel boasts that its software is currently used by hundreds of web hosting companies to manage more than 70 million domains across the world. But in a press release today, Digital Defense says that the 2FA implementation on older cPanel & WebHost Manager (WHM) software was vulnerable to brute-force attacks that allowed threat actors to guess URL parameters and bypass 2FA -- if 2FA was enabled for an account. While brute-forcing attacks, in general, usually take hours or days to execute, in this particular case, the attack required only a few minutes, Digital Defense said today. Exploiting this bug also requires that attackers have valid credentials for a targeted account, but these can be obtained from phishing the website owner. The good news is that Digital Defense has privately reported the bug, tracked as SEC-575, to the cPanel team, which has already released patches last week.
On its website, cPanel boasts that its software is currently used by hundreds of web hosting companies to manage more than 70 million domains across the world. But in a press release today, Digital Defense says that the 2FA implementation on older cPanel & WebHost Manager (WHM) software was vulnerable to brute-force attacks that allowed threat actors to guess URL parameters and bypass 2FA -- if 2FA was enabled for an account. While brute-forcing attacks, in general, usually take hours or days to execute, in this particular case, the attack required only a few minutes, Digital Defense said today. Exploiting this bug also requires that attackers have valid credentials for a targeted account, but these can be obtained from phishing the website owner. The good news is that Digital Defense has privately reported the bug, tracked as SEC-575, to the cPanel team, which has already released patches last week.
Amazing the level of crud (Score:1)
why we put up with all the expense and crud of HTTP based web applications is beyond me?
25 years of plugging expensive security holes slower than new ones appear would have taught us by now.
Re: (Score:2)
You really cannot lay the blame for the many faults of cPanel at the feet of the various HTTP specifications.
A kick in the nuts (Score:2)
Watching closed source security software getting called out like this is like watching someone getting kicked in the nuts.
Of course it can happen with open source software, too, but nobody is trying to sell you false security, and not to mention how many more eyes there are looking for holes in the software.
Re: (Score:2)
but nobody is trying to sell you false security,
Except that is exactly what you are doing when you say
to mention how many more eyes there are looking for holes in the software.
Which immediately followed
Of course it can happen with open source software, too
So you start off by saying "It can happen to us" then throw out the tired line about "many eyes looking for holes" which is literally people trying to sell a false sense of security.
Re: (Score:2)
You have failed to process my comment in whole. You fail to comment in whole. Instead do you comment almost word by word, like a child, who is using its fingers to count. And you have manage to get the ordering wrong.
How young are you? Do your parents know you're using their Internet?
Website Design and Software developmen (Score:1)