Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
[Full-disclosure] Lpanel.NET's Lpanel (all versions up to and including 1.59) is vulnerable to plain-text session credential leakage via script injection.
From: Zackarin Smitz (zackerius12linuxmail.org)
Date: Mon Jun 06 2005 - 00:57:55 CDT
Lpanel.NET's Lpanel (all versions up to and including 1.59) is vulnerable to plain-text session credential leakage via script injection.
High; Full access to all client functions can be obtained with little effort, putting entire installations of the software and its users at risk.
(Taken from http://www.lpanel.net/)
Lpanel is a Complete Web Hosting Billing & Automation Suite that installs over cPanel, WHM.
Created from the ground up from cPanel by web hosting administrators, Lpanel has everything a cPanel hosting business needs and will ever need. Constantly expanding to meet the quickly developing web hosting market, Lpanel is the only complete management solution available today for cPanel web hosts. From multi-staff tiers, automated signups, reseller management, network utilities, automated SSL, as well as a full array of “Added Services” and detailed efficiency reports - Lpanel is always steps ahead of the rest.
This bug can be fixed by securing the “pid” variable before use. An alternative workaround would be to use another vendor, that secures user input. Perhaps this vulnerability would've been caught in the initial stages of development had the product been released open source, making case for one to seek out an open source solution, or at least a solution with a better proven track record. “Lpanel is always steps ahead of the rest.” -- Negative.
Email: saleslpanel.net (I was unable to find a more relevant email contact)
PO Box 940876
Miami, Florida 33194-0056
Vendor Notified: June 6, 2005
Public Release: June 6, 2005
About the Author:
The author is in between life paths at the moment, but is currently a software engineer at a company to remain unnamed. When not at his computer, the author enjoys doing a great many things, most of which he has lost all time for, or lacks people to do those things with in his current lifestyle. As such he finds more time for work, or just visits Blockbuster, and when all else fails, fabricates reports such as this.
The author is posting this message anonymously in order to avoid potential legal consequences, although he is having trouble seeing any potential consequences as feasible, considering the vendor does not release a plain-text version of their license (the license is actually encoded, and when viewed, renders a PHP parse error).
I'd like to say hi to the team with which I work; you're all great. I'd also like to say hello to swoolley and tautology.
Check out the latest SMS services http://www.linuxmail.org
This allows you to send and receive SMS through your mailbox.
Powered by Outblaze
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/