Directory Traversal vulnerability in Mgt-commerce CloudPanel v.2.0.0 thru v.2.4.0 allows a remote attacker to obtain sensitive information and execute arbitrary code via the service parameter of the load-logfiles function.
Hello everyone, I’m back with new vulnerability research on a CloudPanel! This time, I’ve discovered an unfiltered parameter in the log file viewer. This parameter allows for path traversal, which can lead to the exposure of user session tokens. What can we do with these session tokens? Hijack them, of course! Haha. By exposing a list of user tokens, we can hijack any user session, gaining access to their websites and data.
Patched version : v2.4.1
Unfortunately, I don’t have a detailed technical write-up to share here, but I do have a Proof of Concept video below. Enjoy!
