Improper Access Control in alanaktion/mchostpanel

Valid

Reported on

Sep 10th 2021


✍️ Description

The PHP file install.php creates an admin account from the POST parameters user, pass, dir, ram and port. It enforces no access control, does not check whether an admin account has already been created, and does not check whether the file .installed exists before creating the account.

As a result, any network user who can reach install.php can create a highly privileged account, compromising the integrity and confidentiality of the application.

Remediation

Check whether the file .installed exists, and refuse the request if it does, before creating the admin account.
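The following is an added, illustrative example written for this page; it is not code from alanaktion/mchostpanel or from the merged fix. It shows the pattern the report describes (the `.installed` marker consulted only when rendering the page) beside a hardened installer that checks the marker before reading any POST parameter and claims the marker atomically. The helper functions `create_admin_account()` and `render_install_form()`, the `admins.jsonl` store and the `$method` parameter are assumptions made for the example.

```php
<?php
// Added example, not the project's own install.php.
declare(strict_types=1);

$installedMarker = __DIR__ . '/.installed';   // marker named in the report

// Hypothetical account store used by both variants (assumption for this example).
function create_admin_account(string $user, string $passHash, string $dir, int $ram, int $port): void
{
    $record = ['user' => $user, 'pass' => $passHash, 'dir' => $dir, 'ram' => $ram, 'port' => $port, 'role' => 'admin'];
    file_put_contents(__DIR__ . '/admins.jsonl', json_encode($record) . "\n", FILE_APPEND | LOCK_EX);
}

function render_install_form(): string
{
    return '<form method="post">user/pass/dir/ram/port ...</form>';
}

// Pattern described in the report: the POST handler runs unconditionally and the
// marker only decides which HTML is shown, so a direct POST still creates an admin.
function weak_install(string $method, array $post, string $installedMarker): string
{
    if ($method === 'POST') {
        create_admin_account($post['user'], $post['pass'], $post['dir'], (int) $post['ram'], (int) $post['port']);
        return 'Admin account created';
    }
    if (file_exists($installedMarker)) {
        return 'Already installed';            // guard only on the rendering path
    }
    return render_install_form();
}

// Hardened variant: deny first, validate second, then claim the marker atomically.
function hardened_install(string $method, array $post, string $installedMarker): string
{
    // 1. Refuse every request once installation has completed, before any
    //    POST parameter is touched. This is the check the remediation asks for.
    if (file_exists($installedMarker)) {
        http_response_code(403);
        return 'Installation already completed';
    }
    if ($method !== 'POST') {
        return render_install_form();
    }

    // 2. Validate the parameters the report names instead of trusting them.
    foreach (['user', 'pass', 'dir', 'ram', 'port'] as $key) {
        if (!isset($post[$key]) || $post[$key] === '') {
            http_response_code(400);
            return "Missing parameter: $key";
        }
    }
    $ram  = filter_var($post['ram'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $port = filter_var($post['port'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1, 'max_range' => 65535]]);
    if ($ram === false || $port === false) {
        http_response_code(400);
        return 'ram and port must be positive integers';
    }

    // 3. Create the marker with the exclusive 'x' mode *before* creating the
    //    account, so two concurrent installers cannot both pass step 1.
    $fh = @fopen($installedMarker, 'x');
    if ($fh === false) {
        http_response_code(403);
        return 'Installation already completed';
    }
    try {
        create_admin_account($post['user'], password_hash($post['pass'], PASSWORD_DEFAULT), $post['dir'], $ram, $port);
        fwrite($fh, date('c') . "\n");
    } catch (Throwable $e) {
        fclose($fh);
        unlink($installedMarker);              // allow a retry after a failed install
        throw $e;
    }
    fclose($fh);
    return 'Admin account created';
}

if (PHP_SAPI !== 'cli') {
    echo hardened_install($_SERVER['REQUEST_METHOD'], $_POST, $installedMarker);
}
```

The important difference is where the check sits: in the weak variant the marker gates only the HTML, so the POST branch is reachable forever; in the hardened variant the marker gates the whole request, and creating it with `fopen(..., 'x')` closes the window between "check" and "create" for concurrent requests. Hashing the password with `password_hash()` is an extra assumption about how the hypothetical account store expects credentials.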

We have contacted a member of the alanaktion/mchostpanel team and are waiting to hear back 3 months ago
Alan Hardman validated this vulnerability 3 months ago
Viky has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alan Hardman
3 months ago

Maintainer


Thanks for all the detail in the report, it is really helpful to quickly verify the issue.

I was apparently much worse at web dev many years ago. Only checking for the file when rendering the HTML is incredibly dumb.

Viky submitted a
3 months ago
Viky
3 months ago

Researcher


Hopefully this fixes the issue.

Alan Hardman confirmed that a fix has been merged on 8ecb8a 3 months ago
Viky has been awarded the fix bounty
install.php#L4-L9 has been validated
Viky
3 months ago

Researcher


@admin give me a cve please <3

Jamie Slome
3 months ago

Admin


@vikychoi - we cannot assign a CVE here as this software is not distributable through a package or distribution mechanism.