Archive
-
SQL Injection, Insufficient ACLs in Frappe Framework, Frappe Learning & Frappe Press
In this long-due post I describe some security vulnerabilities I found in Frappe Framework, Frappe Learning and Frappe Press. While I did my best responsibly disclosing these vulnerabilities, the vendor was not very helpful in the process and did not communicate properly once the findings were sent their way.
-
Broken Authentication and Local File Inclusion (LFI) in '/api/FetchRemoteTransferStatus' endpoint - CyberPanel [7]
In CyberPanel versions between 1.7 (possibly earlier) and 2.3.4, the `FetchRemoteTransferStatus()` function used in 'Remote Backups' is missing sufficient authentication controls and is vulnerable to LFI.
-
Insecure Generation and Storage of API tokens - CyberPanel [6]
In CyberPanel versions between 1.8.7 and 2.3.4, the user API tokens are insecurely generated using the Base64 transform of the plaintext username and password credentials.
-
Bypass of Security Controls in `commandInjectionCheck()` - CyberPanel [5]
In CyberPanel versions 1.9.4 through 2.3.4, the security controls implemented in the `commandInjectionCheck()` function were missing checks for specific forbidden special characters, resulting in command injection.
-
Security Middleware Bypass - CyberPanel [4]
In CyberPanel versions 2.1.1 through 2.3.4, the Security Middleware mechanism makes security decisions based on an incorrect order of analysis and an incomplete set of forbidden special characters.
-
Authentication Bypass in File Manager's Upload Functionality - CyberPanel [3]
In CyberPanel versions between 2.3.1 and 2.3.4, the File Manager’s Upload functionality is susceptible to an authentication bypass vulnerability.
-
Authentication Bypass and Local File Inclusion (LFI) in CloudAPI - CyberPanel [2]
In CyberPanel versions between 1.8.7 and 2.3.4, the CloudAPI `statusFunc()` function is not protected by an authentication mechanism, and is susceptible to a Local File Inclusion (LFI) vulnerability.
-
WebTerminal Authentication Bypass - CyberPanel [1]
In CyberPanel versions between 1.9.2 and 2.1.1, the WebTerminal functionality is susceptible to an authentication bypass vulnerability. Unauthenticated attackers could exploit this vulnerability to gain root shell access on the underlying CyberPanel host. Through the elevated access privileges, an attacker could achieve complete control over the data, user accounts, and websites in the compromised CyberPanel instance.
-
Multiple Vulnerabilities in CyberPanel
In this post I write briefly about the discovery of multiple security vulnerabilities in CyberPanel. Further details on the individual findings are provided separately in dedicated posts.