Control Web Panel (CWP), formerly named CentOS Web Panel, is a Web based control panel for Linux servers used by admins and hosting users alike to manage their Web hosting services.
The cyber security company Octagon Networks recently audited CWP. They found remote command exploits using file inclusion and file write vulnerabilities.
The vulnerability chain that we used to exploit a full preauth remote command execution as root uses file inclusion (CVE-2021-45467) and file write (CVE-2021-45466) vulnerabilities.
Another security firm, RACK911 Labs has audited CWP multiple times in the past. In 2019 they found it to have 22 security flaws.
We ended up finding another 22 flaws. The developer has been terrible at communicating and we have no ETA on patches yet.
CWP appears to have had acted quickly in this case. As of January 16, 2022 an update was issued to patch the exploit, but Octagon reports they found some have been able to “reverse the patch and exploit some servers”.
If history is any judge, CWP appears to have a real problem with keeping its software secure. There are free alternatives with good security, I suggest you give ISPConfig a try.
