Attack Chain

1. The attacker authenticates to the CyberPanel web interface.
2. The attacker crafts a POST request to /filemanager/controller.
3. The POST request includes a manipulated completeStartingPath parameter, designed to create a symbolic link to a sensitive file (e.g., /etc/shadow or database configuration files).
4. CyberPanel creates the symlink based on the attacker-supplied path.
5. The attacker crafts a request to /websites/fetchFolderDetails.
6. This request leverages the previously created symlink to access the target file.
7. CyberPanel reads the contents of the file pointed to by the symlink and returns it to the attacker, or executes a command.
8. The attacker gains access to sensitive information, or executes arbitrary commands on the server.

Impact

Successful exploitation of this vulnerability (CVE-2021-47949) allows attackers to read arbitrary files on the server, potentially gaining access to sensitive data such as database credentials, configuration files, and private keys. Furthermore, the attacker can execute arbitrary shell commands, leading to complete system compromise, data exfiltration, and denial-of-service. While the number of victims is not specified, any CyberPanel 2.1 instance exposed to authenticated attackers is at risk.

Recommendation

• Deploy the Sigma rule “Detect CyberPanel CVE-2021-47949 Exploitation Attempt” to your SIEM to identify potential exploitation attempts based on HTTP POST requests to the /filemanager/controller endpoint.
• Deploy the Sigma rule “Detect CyberPanel CVE-2021-47949 fetchFolderDetails” to your SIEM to identify potential exploitation attempts based on HTTP requests to the /websites/fetchFolderDetails endpoint.
• Monitor web server logs for suspicious POST requests to /filemanager/controller containing unusual completeStartingPath parameters, as described in the attack chain.