Security researchers at the information security company Digital Defense have discovered a serious vulnerability in cPanel, the site management software that is very popular with hosting companies. Using it, an attacker can bypass the two-factor authentication mechanism that cPanel implements to protect accounts.
cPanel accounts are used by site owners to access and manage site and server settings. Access to the account is critical: if an attacker succeeds in gaining it, they can take full control of the victim's site.
According to developer cPanel, the software is currently used by hundreds of web hosting companies to manage more than 70 million domains around the world.
As reported by the Digital Defense researchers, the implementation of two-factor authentication in older versions of cPanel & WebHost Manager (WHM) is vulnerable to brute-force attacks. An attacker could brute-force the URL parameters and bypass two-factor authentication if it is enabled to protect the account.
While brute-force attacks usually take several hours, if not days, in this case the attack takes only a few minutes. To exploit the vulnerability, an attacker must already have valid cPanel credentials (obtained, for example, through phishing).
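The underlying weakness is a second-factor check that can be retried without limit. As an added illustration of the defensive point (this is not cPanel's code or the researchers' material), the following verifier counts failed second-factor attempts per account and locks the account after a threshold; the TOTP routine follows RFC 6238, while the thresholds, account names and secrets are assumptions constructed for this example.

```python
import hmac
import hashlib
import struct

MAX_FAILED_ATTEMPTS = 5   # assumption: lockout threshold chosen for this example
LOCKOUT_SECONDS = 900     # assumption: 15-minute lockout after the threshold is hit


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time and shared secret."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


class SecondFactorVerifier:
    """Second-factor check for a session that has already passed the password step.

    A 6-digit code has only one million values, so a check that allows unlimited
    retries can be guessed quickly. Failures are therefore counted per account and
    the account is locked once the threshold is reached, which bounds the number of
    guesses an attacker holding valid credentials can make.
    """

    def __init__(self, secrets: dict):
        self.secrets = secrets      # account -> shared TOTP secret (constructed)
        self.failed = {}            # account -> consecutive failed attempts
        self.locked_until = {}      # account -> Unix time when the lock expires

    def verify(self, account: str, code: str, now: int) -> str:
        """Return 'ok', 'bad' or 'locked'. Lockout is checked before the code."""
        if self.locked_until.get(account, 0) > now:
            return "locked"
        expected = totp(self.secrets[account], now)
        # Constant-time comparison so the check does not leak digit matches.
        if hmac.compare_digest(expected, code):
            self.failed.pop(account, None)
            return "ok"
        count = self.failed.get(account, 0) + 1
        self.failed[account] = count
        if count >= MAX_FAILED_ATTEMPTS:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failed.pop(account, None)
            return "locked"
        return "bad"
```

For brevity the verifier accepts only the current 30-second step; production code usually tolerates one adjacent step for clock drift, which slightly widens the guess space and makes the attempt limit even more important.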
The researchers informed the developer of the vulnerability, and a patch was released last week. The issue has been fixed in cPanel & WHM versions 11.92.0.2, 11.90.0.17 and 11.86.0.32.