cPanel bug left website exposed to attacker takeover

A flaw in the UK's Eastern Inshore Fisheries and Conservation Authorities (IFCA) website could’ve allowed attackers to carry out a complete user account takeover. And in some cases even leading to threat actors appropriating control of the UK government website.

The website’s cPanel flaw can:

  • Impact user safety
  • Cause reputational damage
  • Provide tools for further attacks
  • Cause legal problems
  • Financially hurt the site’s owner

The Cybernews research team has discovered that a website owned by the British government was plagued with a reflected cross-site scripting (XSS) vulnerability.

The bug, tracked as CVE-2023-29489, can be exploited without any authentication in affected versions of cPanel, a popular web hosting control panel.

“Reflected XSS can directly impact users who interact with a vulnerable website. When executed, the injected code can lead to various malicious activities, such as stealing sensitive information,“ researchers said.

The now-fixed flaw impacted the website of Eastern IFCA, The organization is one of ten IFCAs that protect the inshore marine environment around the coasts of England.

We contacted Eastern IFCA for comment but did not receive a reply before publishing this article.

What is reflected cross-site scripting?

The reflected XSS bug somewhat resembles a mindless TV anchor. Imagine watching the evening news where a newscaster reads from the prompter.

Suppose a rogue TV station employee adds a line about the Moon crashing into Earth, and the reporter repeats the message without second-guessing its implications.

Similarly, reflected XSS attacks allow threat actors to inject malicious code into a website and masquerade it as a legitimate link from the vulnerable page. To avoid this, website applications typically sanitize and validate output before echoing user-provided data.

“By clicking a malicious link, a user logged in to cPanel could have triggered command execution, which can lead to sensitive data ending up on an attacker-controlled server,” researchers explained.

Why is reflected XSS dangerous?

According to our team, a reflected XSS attack could lead to attackers stealing cPanel login credentials, redirecting the site’s users to malicious websites, and manipulating website content, causing reputational damage to its owners.

“Exploitation of such vulnerabilities can lead to compromised user accounts, unauthorized access, and negative user experiences, which can significantly impact the credibility and reliability of a website,” researchers said.

Threat actors can also leverage the flaw for further attacks. Once a user’s session is compromised by injecting malicious code, attackers can use the newly stolen access to conduct further attacks on behalf of the user.

“Organizations that fail to address reflected XSS vulnerabilities may face legal consequences, especially in cases involving the mishandling of user data. Compliance with data protection regulations (e.g., GDPR) and industry standards become crucial to avoid penalties and maintain user privacy,” the team explained.

Reputational damage, customer dissatisfaction, legal action, and costs associated with remediation could also financially impact the website’s owners. In the case of Eastern IFCA, attackers could cause severe damage to the authorities’ reputation.

According to the team, the cPanel bug can be remediated by upgrading the following cPanel versions:

  • 11.109.9999.116