CVE-2024-56112
📋 TL;DR
This Cross-Site Scripting (XSS) vulnerability in CyberPanel allows attackers to inject malicious scripts via token or username parameters in the phpmyadminsignin.php page. When exploited, this can lead to session hijacking, credential theft, or unauthorized actions. All CyberPanel installations before commit f0cf648 are affected.
💻 Affected Systems
- CyberPanel
📦 What is this software?
Cyberpanel by Cyberpanel
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator credentials, gain full control of the CyberPanel instance, compromise hosted websites, and potentially pivot to underlying servers.
Likely Case
Session hijacking leading to unauthorized access to CyberPanel administration functions, data exfiltration, or defacement of hosted websites.
If Mitigated
Limited impact due to proper input validation, output encoding, and Content Security Policy (CSP) headers preventing script execution.
🎯 Exploit Status
XSS vulnerabilities are commonly weaponized. Exploitation requires user interaction (the victim must open a crafted link), but is otherwise straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit f0cf648c7851c96c36bb0c390d13e60931f45900
Vendor Advisory: https://github.com/usmannasir/cyberpanel/commit/f0cf648c7851c96c36bb0c390d13e60931f45900
Restart Required: No
Instructions:
1. Update CyberPanel to the latest version using 'sh <(curl https://cyberpanel.net/install.sh || wget -O - https://cyberpanel.net/install.sh)'
2. Alternatively, apply commit f0cf648 manually to plogical/phpmyadminsignin.php
3. Clear browser caches after the update
🔧 Temporary Workarounds
Input Validation Filter
Add server-side validation to sanitize the token and username parameters
Modify plogical/phpmyadminsignin.php to filter special characters from GET/POST parameters
Access Restriction
Restrict access to phpmyadminsignin.php via firewall or web server configuration
iptables -A INPUT -p tcp --dport 80 -m string --string "phpmyadminsignin.php" --algo bm -j DROP
Add location block in nginx: location ~* phpmyadminsignin\.php { deny all; }
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) with XSS protection rules
- Deploy Content Security Policy (CSP) headers to restrict script execution
🔍 How to Verify
Check if Vulnerable:
Test by accessing CyberPanel and checking if version is older than commit f0cf648. Attempt XSS payload in token/username parameters.
Check Version:
grep -r "f0cf648" /usr/local/CyberPanel/ || cyberpanel --version
Verify Fix Applied:
Verify commit f0cf648 is present in installation. Test that XSS payloads no longer execute in phpmyadminsignin.php.
📡 Detection & Monitoring
Log Indicators:
- Unusual GET/POST requests to phpmyadminsignin.php with script tags or JavaScript in parameters
- Multiple failed login attempts with malicious payloads
Network Indicators:
- HTTP requests containing <script>, javascript:, or encoded XSS payloads in URL parameters
SIEM Query:
source="*access.log*" AND ("phpmyadminsignin.php" AND ("<script" OR "javascript:" OR "%3Cscript"))
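The log and SIEM indicators above can also be checked offline against a web server access log. The Python script below is an added example, not part of this advisory or of the CyberPanel project: it parses access-log lines in Combined Log Format, keeps only requests for phpmyadminsignin.php, percent-decodes every query parameter repeatedly so that double-encoded payloads (which the literal SIEM query above would miss) are normalized, and flags the indicators the advisory names (script tags, javascript: URIs); as a generalization it also flags inline event-handler attributes. The log lines, IP addresses and parameter values are constructed samples.

```python
import re
import urllib.parse
from typing import Dict, List, Optional

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2025:10:00:01 +0000] "GET /phpmyadminsignin.php?token=abc123&username=admin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Jan/2025:10:00:02 +0000] "GET /phpmyadminsignin.php?username=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 498 "-" "curl/8.0"
203.0.113.12 - - [10/Jan/2025:10:00:03 +0000] "GET /phpmyadminsignin.php?token=%253Cscript%253E HTTP/1.1" 200 498 "-" "curl/8.0"
203.0.113.13 - - [10/Jan/2025:10:00:04 +0000] "GET /phpmyadminsignin.php?username=JaVaScRiPt:alert(1) HTTP/1.1" 200 498 "-" "Mozilla/5.0"
203.0.113.14 - - [10/Jan/2025:10:00:05 +0000] "GET /index.php?q=%3Cscript%3E HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.15 - - [10/Jan/2025:10:00:06 +0000] "GET /phpmyadminsignin.php?username=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 498 "-" "Mozilla/5.0"
"""

# Combined Log Format: client, identity, user, [timestamp], "METHOD target HTTP/x", status ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Page named in the advisory; every query parameter on it is inspected.
TARGET_PAGE = "phpmyadminsignin.php"

# Indicators from the advisory (script tag, javascript: URI) plus inline event handlers.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
    "event_handler": re.compile(r"<\s*\w+[^>]*\bon\w+\s*=", re.IGNORECASE),
}


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, exposing double-encoded payloads."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line: str) -> Optional[Dict]:
    """Split one access-log line into client, timestamp, path and decoded query parameters."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": path,
        # parse_qs performs one round of percent-decoding and splits repeated keys.
        "params": urllib.parse.parse_qs(query, keep_blank_values=True),
    }


def find_suspicious(log_text: str) -> List[Dict]:
    """Return one record per parameter value on the target page that matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith(TARGET_PAGE):
            continue
        for name, values in rec["params"].items():
            for raw in values:
                decoded = fully_decode(raw)
                matched = [label for label, rx in INDICATORS.items() if rx.search(decoded)]
                if matched:
                    hits.append({
                        "ip": rec["ip"],
                        "ts": rec["ts"],
                        "param": name,
                        "decoded": decoded,
                        "indicators": matched,
                    })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} param={hit["param"]} '
              f'indicators={",".join(hit["indicators"])} value={hit["decoded"]!r}')
```

On a real host, pass the contents of the web server's access log to find_suspicious() instead of SAMPLE_LOG; the request to index.php in the sample shows that hits are limited to the affected page, and the third sample line shows a double-encoded value being normalized before matching.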