Easy Hosting Control Panel (EHCP) SQL Injection Vulnerability in Version 20.04.1.b

A SQL injection vulnerability has been identified in Easy Hosting Control Panel (EHCP) version 20.04.1.b. The issue arises in the listdomains function, where the arananalan POST parameter is insufficiently validated. This vulnerability allows authenticated attackers to inject malicious SQL queries via the /index.php?op=listdomains endpoint. Exploitation of this vulnerability could lead to unauthorized access and manipulation of database contents.

Impact

Exploitation of this vulnerability allows authenticated attackers to perform SQL injection, with the potential to access or manipulate database contents. This could lead to unauthorized access and a full compromise of the database.

Reproduction

The vulnerability can be reproduced by sending a POST request to the /index.php?op=listdomains endpoint with a crafted arananalan parameter. The injected SQL payload can exploit the vulnerability using error-based, time-based blind, or UNION-based techniques to manipulate or extract database information.