Lpanel.NET's Lpanel (all versions up to and including 1.59) is vulnerable in that it allows an attacker to open any support ticket within the system.

["Zackarin Smitz" <zackerius12 () linuxmail org>]

Subject:
Lpanel.NET's Lpanel (all versions up to and including 1.59) is vulnerable in that it allows an attacker to open any 
support ticket within the system.


Severity:
Average; This vulnerability can do little more than frustrate clients and support desk maintainers of a system, but can 
be considered of high severity considering how annoyed clients would be in having administrators lose all track of what 
support tickets were open and needing replies.


Preamble:
(Taken from http://www.lpanel.net/)
Lpanel is a Complete Web Hosting Billing & Automation Suite that installs over cPanel, WHM.

Created from the ground up from cPanel by web hosting administrators, Lpanel has everything a cPanel hosting business 
needs and will ever need. Constantly expanding to meet the quickly developing web hosting market, Lpanel is the only 
complete management solution available today for cPanel web hosts. From multi-staff tiers, automated signups, reseller 
management, network utilities, automated SSL, as well as a full array of “Added Services” and detailed efficiency 
reports - Lpanel is always steps ahead of the rest.


Problem:
This vulnerability is very similar to the vulnerability with the “close” get variable. Lpanel.NET's Lpanel is 
vulnerable to the unauthorized closing of any support ticket on the system. The “open” GET variable of view_ticket.php 
(i.e. http://yourdomain.com/lpanel/help/view_ticket.php?open=50) is not checked in any way before being sent to a SQL 
query that renders a support ticket opened in the database. Thus, an attacker with a user account on the system could 
open any or all support tickets on the system, regardless of who owns the support ticket, as the support ticket ID is 
an automatically incremented field, and not checked against the currently logged in user's user ID.


Workaround:
This bug can be fixed by checking that the currently logged in user owns the ticket identified by the “open” GET 
variable before actually closing the support ticket.


Vendor Contact:
Lpanel.NET's Lpanel
URL: http://www.lpanel.net/
Email: sales () lpanel net (I was unable to find a more relevant email contact)
Mailing Address:
  Lpanel.NET
  PO Box 940876
  Miami, Florida 33194-0056
  United States
Phone: 614-441-4838


Disclosure Timeline:
Vendor Notified: June 6, 2005
Public Release: June 6, 2005


About the Author:
The author is in between life paths at the moment, but is currently a software engineer at a company to remain unnamed. 
When not at his computer, the author enjoys doing a great many things, most of which he has lost all time for, or lacks 
people to do those things with in his current lifestyle. As such he finds more time for work, or just visits 
Blockbuster, and when all else fails, fabricates reports such as this.

The author is posting this message anonymously in order to avoid potential legal consequences, although he is having 
trouble seeing any potential consequences as feasible, considering the vendor does not release a plain-text version of 
their license (the license is actually encoded, and when viewed, renders a PHP parse error).


Greets:
I'd like to say hi to the team with which I work; you're all great. I'd also like to say hello to swoolley and 
tautology.

-- 
_______________________________________________
Check out the latest SMS services @ http://www.linuxmail.org
This allows you to send and receive SMS through your mailbox.

Powered by Outblaze
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/