Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

ZPanel Command Execution Vulnerability in htpasswd Module

Vulnerability

A remote command execution vulnerability exists in ZPanel versions through 10.0.0.2, specifically within the htpasswd module. The issue arises when .htaccess files are created, as the inHTUsername field is sent to a system() call without proper sanitization, allowing authenticated attackers to inject shell metacharacters and execute arbitrary commands. Exploitation requires a valid ZPanel account in the default Users, Resellers, or Administrators groups, but no elevated privileges are needed.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary commands on the server with the privileges of the web server user.

Reproduction

To reproduce this vulnerability, log into ZPanel with a user account that has access to the htpasswd module. Once logged in, navigate to the htpasswd module and select the option to create a new .htaccess file. In the 'Username' field, inject a command payload, including the necessary shell metacharacters to execute a command of choice. After submitting the form, the injected command will be executed on the server.

Remediation

ZPanel users are advised to disable the htpasswd module until a patch can be applied. ZPanel developers have acknowledged the vulnerability and are working on a fix.
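The root cause described above is an unsanitized username reaching system(). The PHP below is an added illustration of a hardened htpasswd-entry writer, not ZPanel's own code: the username is whitelisted before use, the entry is written without invoking a shell at all, and if the htpasswd binary must be kept, every argument goes through escapeshellarg(). Function names and the bcrypt choice are assumptions.

```php
<?php
// Added example, not ZPanel's own code: a hardened replacement for an
// htpasswd-entry writer that previously interpolated the submitted username
// into a system() call. Function names below are assumptions.

// Allow only characters that are valid in an htpasswd username and can never
// be interpreted by a shell. Reject everything else before any I/O happens.
function validate_htpasswd_username(string $username): bool
{
    return preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $username) === 1;
}

// Build an htpasswd line without invoking a shell. Apache 2.4 accepts
// bcrypt ("$2y$") hashes in htpasswd files, so password_hash() suffices.
function build_htpasswd_entry(string $username, string $password): string
{
    if (!validate_htpasswd_username($username)) {
        throw new InvalidArgumentException('Invalid htpasswd username');
    }
    $hash = password_hash($password, PASSWORD_BCRYPT);
    if ($hash === false) { // string|false on PHP < 8
        throw new RuntimeException('Hashing failed');
    }
    return $username . ':' . $hash . "\n";
}

// Append the entry to a .htpasswd file under an exclusive lock so concurrent
// panel requests do not interleave writes.
function append_htpasswd_entry(string $path, string $username, string $password): void
{
    $entry = build_htpasswd_entry($username, $password);
    if (file_put_contents($path, $entry, FILE_APPEND | LOCK_EX) === false) {
        throw new RuntimeException('Could not write ' . $path);
    }
}

// If the external htpasswd binary must be kept, the username is still
// whitelisted first and every argument is escaped. Note that -b puts the
// password on the command line, visible in the process list.
function htpasswd_command(string $path, string $username, string $password): string
{
    if (!validate_htpasswd_username($username)) {
        throw new InvalidArgumentException('Invalid htpasswd username');
    }
    return 'htpasswd -bB ' . escapeshellarg($path) . ' '
        . escapeshellarg($username) . ' ' . escapeshellarg($password);
}

// Constructed inputs: the first is accepted, the second (containing a
// shell metacharacter) is rejected before any command or file is touched.
var_dump(validate_htpasswd_username('alice'));
var_dump(validate_htpasswd_username('alice;x'));
```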

Added: Aug 1, 2025, 10:06 PM
Updated: Aug 1, 2025, 10:06 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 10.0
exploitability: 7.1
remediation: 0.0
relevance: 0.3
threat: 9.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.