CtrlPanel Stored Cross-Site Scripting Vulnerability in Admin Role Management

Vulnerability

A stored cross-site scripting vulnerability has been identified in CtrlPanel, billing software for hosting providers, affecting versions through 1.1.1. The issue resides in the admin role management interface, specifically in the 'datatable()' method of the RoleController. That method builds a <span> element for each role by concatenating the role's name into the element's inner HTML and its color value into the element's style attribute, without escaping either value. Because the column is handed to DataTables as raw HTML rather than text, anything an admin types into those fields is rendered as markup. An admin with permission to create or edit roles can therefore store a script payload that executes in the browser of every admin who subsequently opens the roles page.

Impact

Exploitation allows for session hijacking, credential harvesting, unauthorized administrative actions on behalf of other admins, and a persistent backdoor that executes the injected script on every page load until the malicious role is removed.

Reproduction

To reproduce this vulnerability, an admin with role creation or editing permissions navigates to the role management interface and enters a payload in the name or color field, for example an <img> tag with an 'onerror' event handler. Once the role is saved, the payload is rendered unescaped whenever any admin opens the roles page, and the handler executes in that admin's session.

Remediation

The vulnerability has been patched in CtrlPanel version 1.2.0, and users should update to that version. Those who must keep a version prior to 1.2.0 can address the issue by escaping both the role name and the color value with Laravel's 'e()' helper before they are concatenated into the HTML string; e() converts angle brackets, ampersands and both quote characters to entities, so a stored value can neither open a new tag nor break out of the style attribute. Since the color field only ever needs to hold a CSS color, it is also reasonable to validate it against an expected format on save rather than relying on output escaping alone for a value placed inside a style attribute.
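The following is an added example, not CtrlPanel's own code, that models the rendering pattern the Reproduction and Remediation sections describe: the role name and color concatenated into a <span> the way a pre-1.2.0 'datatable()' method would, beside the escaped form using Laravel's 'e()'. CtrlPanel is a Laravel application, but the exact shape of its datatable code is assumed here rather than copied; the sample roles, the fallback 'e()' definition (so the file runs outside Laravel), and the 'isValidHexColor()' check are all constructed for this illustration.

```php
<?php
// Added example, not CtrlPanel's own code. Models the pattern the advisory
// describes: a role's name and color are concatenated into a <span> that
// DataTables then renders as raw HTML.
declare(strict_types=1);

// Laravel's e() helper is assumed. When this file runs outside Laravel, the
// fallback below reproduces its behaviour (htmlspecialchars with ENT_QUOTES).
if (!function_exists('e')) {
    function e(?string $value, bool $doubleEncode = true): string
    {
        return htmlspecialchars($value ?? '', ENT_QUOTES, 'UTF-8', $doubleEncode);
    }
}

// Vulnerable rendering (the pre-1.2.0 behaviour): both values are inserted
// verbatim, so a role named "<img src=x onerror=...>" becomes live markup, and
// a color ending in a quote breaks out of the style attribute.
function renderRoleCellVulnerable(array $role): string
{
    return '<span style="color:' . $role['color'] . '">' . $role['name'] . '</span>';
}

// Hardened rendering: every user-controlled value passes through e() before it
// touches the HTML string, so <, >, &, " and ' arrive as entities.
function renderRoleCellSafe(array $role): string
{
    return '<span style="color:' . e($role['color']) . '">' . e($role['name']) . '</span>';
}

// Additional check (an assumption of this example, not part of the advisory's
// fix): the color only ever needs to be a CSS hex color, so reject anything
// else instead of relying on escaping alone for a value inside a style attribute.
function isValidHexColor(string $color): bool
{
    return preg_match('/^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/', $color) === 1;
}

function renderRoleCellStrict(array $role): string
{
    $color = isValidHexColor($role['color']) ? $role['color'] : '#000000';
    return '<span style="color:' . $color . '">' . e($role['name']) . '</span>';
}

// Constructed sample roles: one benign, one carrying a payload of the kind the
// Reproduction section describes in each field.
$roles = [
    ['name' => 'Support', 'color' => '#1e90ff'],
    [
        'name'  => '<img src=x onerror=alert(document.cookie)>',
        'color' => '#fff" onmouseover="alert(1)',
    ],
];

foreach ($roles as $role) {
    echo 'vulnerable: ' . renderRoleCellVulnerable($role) . PHP_EOL;
    echo 'safe:       ' . renderRoleCellSafe($role) . PHP_EOL;
    echo 'strict:     ' . renderRoleCellStrict($role) . PHP_EOL . PHP_EOL;
}
```

Run with `php example.php`. For the second role the vulnerable line contains a live <img> element and an injected onmouseover attribute, the safe line contains only entity-encoded text inside an intact <span>, and the strict line additionally replaces the malformed color with a default. Escaping has to happen where the string is built, on the server, because the column is delivered to DataTables as HTML and the client will not escape it again.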

Added: May 19, 2026, 10:21 PM
Updated: May 19, 2026, 10:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.4
exploitability: 5.9
remediation: 0.0
relevance: 8.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.