cbcvebase.
CVE-2018-18323
published 2018-10-15

CVE-2018-18323: CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has Local File Inclusion via directory traversal with an admin/index.php?module=file_editor&file=/../…

PriorityP270high7.5CVSS 3.0
AVNACLPRNUINSUCHINAN
EXPLOIT
EPSS
70.74%
99.3th percentile
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has Local File Inclusion via directory traversal with an admin/index.php?module=file_editor&file=/../ URI.

Affected

1 ranges
VendorProductVersion rangeFixed in
control-webpanelwebpanel

Detection & IOCsextracted from sources · hover to see the quote

url/admin/index.php?module=file_editor&file=/../../../../../../../../../../../etc/passwd
url/admin/index.php?service_start=opendkim;expr 268409241 - 2;x
url/admin/index.php?service_restart=sshd;expr 268409241 - 2;x
url/admin/index.php?service_fullstatus=opendkim;expr 268409241 - 2;x
url/admin/index.php?service_stop=named;expr 268409241 - 2;x
path/admin/index.php
  • Detect LFI attempts targeting the file_editor module via directory traversal in the 'file' GET parameter — look for patterns like `module=file_editor&file=/../` or URL-encoded equivalents `%2f..%2f` in requests to /admin/index.php.
  • Detect command injection attempts via GET parameters service_start, service_restart, service_fullstatus, and service_stop — look for semicolons or shell metacharacters injected into these parameters in requests to /admin/index.php.
  • Use Shodan/FOFA queries to identify exposed CWP instances as potential targets: Shodan query `http.title:"login | control webpanel"`, FOFA query `title="login | control webpanel"`.
  • The CWP server identifies itself via the `Server: cwpsrv` response header — use this to fingerprint vulnerable instances in network traffic.
  • Successful LFI exploitation returns file metadata and contents inline in the HTML response body, e.g. 'File info [stats]:' followed by file permissions and 'Contents of File:' — monitor HTTP responses for this pattern.
  • Successful blind command injection is confirmed by a numeric result appearing in a WARNING banner in the HTML response body — monitor for `WARNING! <number>` patterns in responses to /admin/index.php service_* parameter requests.
  • ·The exploit was tested on CentOS 7 with CWP version 0.9.8.480 specifically; other versions may not be vulnerable or may behave differently.
  • ·The Nuclei template detection relies on a regex match for `root:[x*]:0:0` in the HTTP 200 response body, meaning detection only fires if /etc/passwd is successfully read — it will not catch failed or partial exploitation attempts.

CVSS provenance

nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.