[原文]Cross-site scripting (XSS) vulnerability in cPanel 6.4.2 allows remote attackers to insert arbitrary HTML and possibly gain cPanel administrator privileges via script in a URL that is logged but not properly quoted when displayed via the (1) Error Log or (2) Latest Visitors screens.
cPanel is prone to an HTML injection vulnerability. It is possible for remote attacks to include hostile HTML and script code in requests to cPanel, which will be logged. When logs are viewed by an administrative user, the injected code could be rendered in their browser in the context of the site hosting cPanel.
GET /<script>alert(document.cookie);</script> HTTP/1.0
cPanel contains a flaw that allows a remote attacker to embed malicious HTML tags in HTTP requests which will be processed by the administrative interface. The issue is due to malicious requests being logged without sanitizing and being passed to the error log screen or latest visitor screen. This could allow a user to create a specially crafted URL that would execute arbitrary code in
a user's browser within the trust relationship between the browser and the
server, leading to a loss of integrity.
Upgrade to version 7.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.