/

Improper Access Control in alanaktion/mchostpanel

Valid

Reported on

Sep 10th 2021

✍️ Description

The php file install.php creates an admin account using POST parameter user, pass, dir, ram, port without any access control enforced nor check if the admin account has been created nor check if the file .installed exists before account creation.

It is possible for any network user who can access install.php to create a high privileged account, compromising the integrity and confidentiality of the application.

Remediation

Check if file .installed exists before creating admin account.

Occurrences

install.php L4-L9

We have contacted a member of the alanaktion/mchostpanel team and are waiting to hear back 2 years ago

Alan Hardman validated this vulnerability 2 years ago

Viky has been awarded the disclosure bounty

The fix bounty is now up for grabs

commented 2 years ago

Maintainer

Thanks for all the detail in the report, it is really helpful to quickly verify the issue.

I was apparently much worse at web dev many years ago. Only checking for the file when rendering the HTML is incredibly dumb.

Viky submitted a

2 years ago

commented 2 years ago

Researcher

Hopefully this fixes the issue.

Alan Hardman marked this as fixed with commit 8ecb8a 2 years ago

Viky has been awarded the fix bounty

This vulnerability will not receive a CVE

install.php#L4-L9 has been validated

commented 2 years ago

Researcher

@admin give me a cve please <3

commented 2 years ago

Admin

@vikychoi - we cannot assign a CVE here as this software is not distributable through a package or distribution mechanism.

to join this conversation

We have contacted a member of the alanaktion/mchostpanel team and are waiting to hear back 2 years ago

Alan Hardman validated this vulnerability 2 years ago

Viky has been awarded the disclosure bounty

The fix bounty is now up for grabs

commented 2 years ago

Maintainer

Thanks for all the detail in the report, it is really helpful to quickly verify the issue.

I was apparently much worse at web dev many years ago. Only checking for the file when rendering the HTML is incredibly dumb.

Viky submitted a

2 years ago

commented 2 years ago

Researcher

Hopefully this fixes the issue.

Alan Hardman marked this as fixed with commit 8ecb8a 2 years ago

Viky has been awarded the fix bounty

This vulnerability will not receive a CVE

install.php#L4-L9 has been validated

commented 2 years ago

Researcher

@admin give me a cve please <3

commented 2 years ago

Admin

@vikychoi - we cannot assign a CVE here as this software is not distributable through a package or distribution mechanism.

to join this conversation