CtrlPanel Missing Authorization on Admin Datatable Endpoints Allows Unauthorized Access to Sensitive Data

Vulnerability

A vulnerability exists in CtrlPanel billing software for hosting providers, in versions through 1.1.1. Multiple admin controllers expose DataTable endpoints without proper authorization checks, allowing any authenticated user to retrieve data intended for administrators only. The affected endpoints, reachable via GET requests, perform no permission verification; their '/admin/' route prefix gives a false impression of protection but enforces nothing by itself. Exploitation of this vulnerability can lead to unauthorized access to user personal information, payment and transaction records, active voucher and coupon codes, role and permission structures, server ownership mappings, and support ticket contents.

Impact

Exploitation allows any authenticated user to access sensitive administrative data, including the personal information of all registered users, payment and transaction records, active voucher and coupon codes, role and permission structures, server ownership mappings, and support ticket contents.

Reproduction

To reproduce this vulnerability, log in as a regular (non-admin) user and send a GET request, carrying that user's valid session cookie, to one of the exposed DataTable endpoints, such as '/admin/users/datatable'. The response will contain a JSON DataTable payload with sensitive information, such as the email addresses and IP addresses of registered users. The same method applies to every affected endpoint listed in the vulnerability advisory.

Remediation

Update to CtrlPanel version 1.2.0, which includes the necessary authorization checks for the affected DataTable endpoints.
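As an added illustration of this defect class (not CtrlPanel's own code, which this advisory does not show), the following Laravel routes show an '/admin' prefix that merely groups URLs while only the page route carries an authorization check, beside the hardened form that guards the whole group and re-checks inside the action. The ability name 'admin.users.read', the 'is_admin' column and AdminUserController are assumptions.

```php
<?php
// Added illustration, not CtrlPanel's own code. Assumes Laravel's built-in
// "auth" and "can:" middleware, an assumed Gate ability "admin.users.read",
// an assumed boolean "is_admin" column on the User model, and a hypothetical
// AdminUserController.

use App\Http\Controllers\Controller;
use App\Models\User;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Route;

// Ability used by both the route middleware and the in-controller check.
Gate::define('admin.users.read', fn (User $user): bool => (bool) $user->is_admin);

// VULNERABLE PATTERN: the "/admin" prefix only groups URLs. The page view
// checks the ability, but the DataTable endpoint that actually returns the
// JSON does not, so any logged-in user can fetch it.
Route::prefix('admin')->middleware('auth')->group(function (): void {
    Route::get('/users', [AdminUserController::class, 'index'])
        ->middleware('can:admin.users.read');
    Route::get('/users/datatable', [AdminUserController::class, 'dataTable']);
});

// HARDENED PATTERN: attach the authorization middleware to the whole group so
// every route under the prefix, DataTable endpoints included, is checked.
Route::prefix('admin')->middleware(['auth', 'can:admin.users.read'])->group(function (): void {
    Route::get('/users', [AdminUserController::class, 'index']);
    Route::get('/users/datatable', [AdminUserController::class, 'dataTable']);
});

class AdminUserController extends Controller
{
    // Defence in depth: authorize inside the action as well, so the endpoint
    // stays protected even if it is later registered outside the guarded group.
    public function dataTable(Request $request): JsonResponse
    {
        abort_unless($request->user()?->can('admin.users.read'), 403);

        return response()->json([
            'data' => User::query()->select(['id', 'name', 'email'])->get(),
        ]);
    }
}
```

The two route groups are shown together only for contrast; a real routes file would contain just the hardened one.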

Added: May 19, 2026, 9:19 PM
Updated: May 19, 2026, 9:19 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 8.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.