External XML entity injection in WHM locale upload interface.

The WHM/cPanel XML locale file upload processed external XML entities. This permitted resellers with the ‘locale-edit’ ACL to read any file on the system, make arbitrary network connections, and DoS the server with the billion laughs attack.
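
A defensive sketch of the class of fix for this bug, added here as an example and not cPanel's code: an upload parser that refuses any DOCTYPE or entity declaration, which blocks both external entity resolution and billion laughs expansion. The `<locale>`/`<phrase key="...">` layout and the sample documents are constructed assumptions, not the real WHM locale format.

```python
import xml.parsers.expat


class ForbiddenXML(ValueError):
    """Raised when an uploaded document declares a DTD or an entity."""


def parse_locale_upload(data: bytes) -> dict:
    """Parse <locale><phrase key="k">text</phrase></locale> (assumed layout)
    into {key: text}, rejecting DOCTYPE and entity declarations outright."""
    phrases, open_phrases = {}, []

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenXML("DOCTYPE declarations are not allowed in uploads")

    def forbid_entity(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenXML("entity declaration not allowed: %s" % name)

    def forbid_external(context, base, sysid, pubid):
        raise ForbiddenXML("external entity reference not allowed")

    def start(tag, attrs):
        if tag == "phrase":
            open_phrases.append((attrs.get("key", ""), []))

    def end(tag):
        if tag == "phrase" and open_phrases:
            key, parts = open_phrases.pop()
            phrases[key] = "".join(parts)  # expat may split text into chunks

    def chars(text):
        if open_phrases:
            open_phrases[-1][1].append(text)

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = forbid_doctype      # stops at <!DOCTYPE
    parser.EntityDeclHandler = forbid_entity             # defence in depth
    parser.ExternalEntityRefHandler = forbid_external    # never fetch anything
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return phrases


def is_rejected(data: bytes) -> bool:
    try:
        parse_locale_upload(data)
        return False
    except ForbiddenXML:
        return True


# Constructed sample uploads (not taken from a real system).
BENIGN = b'<locale><phrase key="hello">Hello</phrase><phrase key="bye">Goodbye &amp; thanks</phrase></locale>'
EXTERNAL = b'<!DOCTYPE locale [<!ENTITY ext SYSTEM "file:///constructed/placeholder">]><locale><phrase key="hello">&ext;</phrase></locale>'
NESTED = b'<!DOCTYPE locale [<!ENTITY a "ha"><!ENTITY b "&a;&a;&a;">]><locale><phrase key="hello">&b;</phrase></locale>'
```

The predefined entities such as `&amp;` still work, because they need no DTD; only documents that try to declare their own entities are refused.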

Fixed Version:
This issue is resolved in the following builds:

11.42.0.23
11.40.1.13
11.38.2.23

cPanel rewarded me $1000 for reporting this vulnerability 🙂

One thought on “External XML entity injection in WHM locale upload interface.”

  • June 18, 2015 at 1:16 pm

    Great Mr Prajith!!!