CyberPanel Command Execution Vulnerability via Symlink Attack

Vulnerability

A remote code execution vulnerability has been identified in CyberPanel version 2.1. It allows authenticated attackers to read arbitrary files and execute code on the server by abusing symbolic links through the filemanager controller endpoint. Attackers can manipulate the completeStartingPath parameter in POST requests to /filemanager/controller to create symbolic links, access sensitive files such as database credentials, and execute arbitrary shell commands via the /websites/fetchFolderDetails endpoint.

Impact

Exploitation of this vulnerability allows for authenticated remote code execution on the server.

Reproduction

To reproduce this vulnerability, an authenticated user can send a POST request to the /filemanager/controller endpoint with a crafted completeStartingPath parameter that creates a symbolic link to a sensitive file. After the symlink is established, the same endpoint can be used to read the contents of the linked file. Additionally, the /websites/fetchFolderDetails endpoint can be used to execute arbitrary commands by including them in the request.
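
The check a file manager needs before acting on a client-supplied path such as completeStartingPath, shown as an added example (not CyberPanel's code or its fix): resolve every symlink first, then require the result to stay inside the user's home directory. The names resolve_within, read_file_within and PathEscapeError, and the directory layout in demo(), are assumptions made for illustration.

```python
import os
import tempfile


class PathEscapeError(Exception):
    """Raised when a requested path resolves outside the allowed base directory."""


def resolve_within(base_dir: str, requested: str) -> str:
    """Return the fully resolved path only if it stays under base_dir."""
    base_real = os.path.realpath(base_dir)
    # realpath follows every symlink; an absolute `requested` replaces the base in join().
    candidate = os.path.realpath(os.path.join(base_real, requested))
    # commonpath compares whole components, so /home/site1-x does not match /home/site1.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PathEscapeError(f"{requested!r} resolves outside {base_dir!r}")
    return candidate


def read_file_within(base_dir: str, requested: str) -> bytes:
    """Read a file after the containment check."""
    path = resolve_within(base_dir, requested)
    # O_NOFOLLOW refuses a symlink swapped in as the last component after the check.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Constructed layout: a site home holding one file and one symlink pointing out."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        home = os.path.join(root, "home", "example.com")
        os.makedirs(home)
        secret = os.path.join(root, "db_credentials")  # stands in for a sensitive file
        for path, text in ((secret, "constructed"), (os.path.join(home, "index.html"), "hello")):
            with open(path, "w") as fh:
                fh.write(text)
        os.symlink(secret, os.path.join(home, "link"))  # link planted inside the home
        results["normal"] = read_file_within(home, "index.html")
        checks = {"symlink": "link", "dotdot": "../../db_credentials", "absolute": secret}
        for label, name in checks.items():
            try:
                read_file_within(home, name)
                results[label] = "read"
            except PathEscapeError:
                results[label] = "blocked"
    return results
```

The same containment check belongs on any path later passed to a command, and such commands should be run with an argument list rather than a shell string.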

Added: May 10, 2026, 1:32 PM
Updated: May 10, 2026, 1:32 PM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 7.5
exploitability: 6.6
remediation: 0.0
relevance: 7.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.