|Sentora / ZPanel Password Reset Vulnerability - VULHUB开源网络安全威胁库

Sentora / ZPanel Password Reset Vulnerability

- AV AC AU C I A

发布： 2025-04-13

修订： 2025-04-13

### Vulnerability Summary The following advisory describes a password reset found in Sentora / ZPanel. Sentora is “a free to download and use web hosting control panel developed for Linux, UNIX and BSD based servers or computers. The Sentora software can turn a domestic or commercial server into a fully fledged, easy to use and manage web hosting server”. ZPanel is a free to download and use Web hosting control panel written to work effortlessly with Microsoft Windows and POSIX (Linux, UNIX and MacOSX) based servers or computers. This solution can turn a home or professional server into a fully fledged, easy to use and manage web hosting server. ### Credit An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program. ### Vendor response Hostwinds was informed of the vulnerability, to which they response with “Zpanel is owned by Hostwinds but is no longer in production and has not been supported for some time now. We only keep it active as a legacy control panel and strongly discourage clients from using it. If you would like to continue to use it that is agreeable, but we are not able to offer any kind of support for it other than installing a different control panel over it.” Sentora was informed of the vulnerability on July 16 2017, while acknowledging the receipt of the vulnerability information, they failed to respond to the technical claims, provide a fix timeline or coordinate an advisory with us. ### Vulnerability details A design flaw in the way Sentora / ZPanel validate reset token allows an attacker to reset the victims password. The handler of “forgot password” functionality is: ``` [ sentora/inc/init.inc.php ] 43if (isset($_POST['inForgotPassword'])) { 44 runtime_csfr::Protect(); 45 $randomkey = runtime_randomstring::randomHash(); ... 53 $zdbh->exec("UPDATE x_accounts SET ac_resethash_tx = '" . $randomkey . "' WHERE ac_id_pk=" . $result['ac_id_pk'] . ""); ... 68 $phpmailer->Body = "Hi " . $result['ac_user_vc'] . ", 69 70You, or somebody pretending to be you, has requested a password reset link to be sent for your web hosting control panel login. 71 72If you wish to proceed with the password reset on your account, please use the link below to be taken to the password reset page. 73 74" . $protocol . $domain . "/?resetkey=" . $randomkey . " 75 76 77 "; ``` It generates reset token `ac_resethash_tx` and sends an email with reset link to the user. Then user returns via this link and fills the reset form: ``` [ sentora/inc/init.inc.php ] 84if (isset($_POST['inConfEmail'])) { ... 86 $sql = $zdbh->prepare("SELECT ac_id_pk FROM x_accounts WHERE ac_email_vc = :email AND ac_resethash_tx = :resetkey AND ac_resethash_tx IS NOT NULL AND ac_deleted_ts IS NULL"); ... 93 $crypto->SetPassword($_POST['inNewPass']); ... 99 $sql = $zdbh->prepare("UPDATE x_accounts SET ac_resethash_tx = '', ac_pass_vc = :password, ac_passsalt_vc = :salt WHERE ac_id_pk = :uid"); ``` Reset token is checked and if it matches the password it is set to requested new password and reset token is invalidated. The problem is that while invalidating the token it is not set to NULL as it should be, but instead it is set to empty string. This means that if user used password reset, anyone can reset his password again with empty token. We only need to know his email adress which is only used to identify the user, no email is sent to that address. ### Proof of Concept Usage: ``` resetagain.py http://target/ email newpassword [username] ```

漏洞利用/PoC

暂无可用Exp或PoC

受影响的平台与产品

当前有0条受影响产品信息

您还没有登录，登录后可查看更多

添加资源
收藏资源
问题反馈

贡献用户

暂无贡献用户

VULHUB ™