CVE-2019-13359
Published 2019-07-16
Priority: P2 · 61 · high · CVSS 3.0: 7.5
CVSS 3.0 vector: AV:N / AC:H / PR:L / UI:N / S:U / C:H / I:H / A:H
Tags: EXPLOIT
EPSS: 25.77% (97.7th percentile)
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.836, a cwpsrv-xxx cookie allows a normal user to craft and upload a session file to the /tmp directory, and use it to become the root user.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| control-webpanel | webpanel | — | — |
The indexed range is empty; the exploit documentation cited under References puts the affected builds at 0.9.8.836 through 0.9.8.839, with a fix released on 2019-07-02.
Detection & IOCs (extracted from sources)
- Monitor for creation of PHP session files (sess_*) in /tmp by non-root users, especially files containing 'username|s:4:"root"' or 'logged|b:1'. A root username inside a session file a low-privileged user owns is the core indicator of session forgery for privilege escalation.
- Detect HTTP requests to the CWP admin panel on port 2031 (https://<host>:2031/cwp_*/admin/index.php) accompanied by a 'cwsrp-*' cookie whose value is the ID of a /tmp/sess_* file crafted by a low-privileged user. The cookie value is the session ID; PHP resolves it to /tmp/sess_<id>, which is why a planted file becomes a valid session.
- Alert on chmod 664 or chmod 644 operations targeting /tmp/sess_* files: the exploit relaxes permissions on the forged session file so the panel can read it, and the application later resets them to 600.
- Monitor for outbound /dev/tcp reverse-shell connections from the CWP server process (cwpsrv) to attacker-controlled IPs. The public PoC (Method 1) uses port 8000, but that port is the PoC author's choice, so key on the cwpsrv process opening unexpected outbound connections rather than on the port alone.
- Detect file uploads to /tmp via the CWP File Manager (port 2083) where the uploaded filename matches the pattern sess_[a-zA-Z0-9]+; this is a normal user abusing the file manager to plant a forged session.
- The exploit is time-sensitive: the application automatically resets the forged session file's permissions to 600 and zeroes it out. Detection windows are narrow, so prioritize real-time file integrity monitoring on /tmp/sess_* (inotify, auditd watches) over periodic scans.
- The cookie name prefix 'cwsrp-' (exploit doc) differs slightly from the CVE description's 'cwpsrv-'; detection rules should cover both variants to avoid blind spots.
- Affected versions span 0.9.8.836 through 0.9.8.839; the fix was released on 2019-07-02. Ensure version checks in detection and asset inventory cover the full range, not only 0.9.8.836 named in the CVE text.
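The detection notes above describe three checks that fit naturally in one hunting script: parse the planted PHP session file and look for the root markers, flag ownership and mode anomalies on /tmp/sess_* files, and tie a suspicious session ID back to admin-panel requests that present it in a cwpsrv-/cwsrp- cookie. The script below is an added example written for this page; it is not CWP's code or the PoC author's. It assumes PHP's default "php" session serializer (name|value;...), that the Cookie header is written to the access log, and a constructed log layout (CLF followed by the cookie in quotes); the sample log lines and the forged session contents are constructed here for illustration.

```python
#!/usr/bin/env python3
"""Hunt for forged CWP PHP session files and correlate them with admin requests.

Added example for this page, not code from CWP or the PoC. Assumptions: PHP's
"php" session serializer, Cookie header present in the access log, and the
constructed log layout in SAMPLE_LOG; adjust the regexes for real logs.
"""
import os
import re
import stat
import tempfile
from dataclasses import dataclass, field

SESSION_NAME_RE = re.compile(r"^sess_[A-Za-z0-9]+$")
# Both cookie spellings: cwpsrv- (CVE text) and cwsrp- (PoC).
COOKIE_RE = re.compile(r"\b(?:cwpsrv|cwsrp)-[A-Za-z0-9_-]*=([A-Za-z0-9,-]+)")
ADMIN_PATH_RE = re.compile(r"/cwp_[^/\s]+/admin/index\.php")
RELAXED_MODES = {0o644, 0o664}  # the PoC chmods the forged file to one of these

# Constructed access-log lines (assumed format: CLF plus the Cookie header in quotes).
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Jul/2019:10:00:00 +0000] "GET /cwp_9f3a/admin/index.php HTTP/1.1" 200 512 "cwsrp-9f3a=forgedroot01"',
    '10.0.0.7 - - [02/Jul/2019:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 100 "cwsrp-9f3a=legit22"',
]


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)
    forged: bool = False


def parse_php_session(blob: bytes) -> dict:
    """Parse name|<serialized>;... for strings, bools, ints and null; stop at anything else."""
    out, pos, n = {}, 0, len(blob)
    while pos < n:
        bar = blob.find(b"|", pos)
        if bar < 0:
            break
        key, t = blob[pos:bar].decode("latin-1"), blob[bar + 1:bar + 2]
        try:
            if t == b"s":                            # s:<len>:"<bytes>";
                colon = blob.find(b":", bar + 3)
                if colon < 0:
                    break
                length, start = int(blob[bar + 3:colon]), colon + 2
                value, pos = blob[start:start + length].decode("latin-1"), start + length + 2
            elif t == b"b":                          # b:0; / b:1;
                value, pos = blob[bar + 3:bar + 4] == b"1", bar + 5
            elif t == b"i":                          # i:<digits>;
                semi = blob.find(b";", bar + 3)
                if semi < 0:
                    break
                value, pos = int(blob[bar + 3:semi]), semi + 1
            elif t == b"N":                          # N;
                value, pos = None, bar + 3
            else:
                break
        except ValueError:                           # malformed length or integer
            break
        out[key] = value
    return out


def classify_session(name: str, blob: bytes, uid: int, mode: int) -> list:
    """Indicators from the detection notes that a sess_* file exhibits (empty if not a session file)."""
    if not SESSION_NAME_RE.match(name):
        return []
    reasons = []
    if uid != 0:
        reasons.append(f"owner uid {uid} is not 0 (root)")
    if stat.S_IMODE(mode) in RELAXED_MODES:
        reasons.append(f"mode {stat.S_IMODE(mode):o} is group/world readable")
    sess = parse_php_session(blob)
    if sess.get("username") == "root":
        reasons.append('session claims username "root"')
    if sess.get("logged") is True:
        reasons.append("session claims logged=true")
    return reasons


def forged_root_session(name: str, blob: bytes, uid: int, mode: int) -> bool:
    """High-confidence verdict: a root claim inside a file with an ownership or mode anomaly."""
    reasons = classify_session(name, blob, uid, mode)
    anomaly = any(r.startswith(("owner", "mode")) for r in reasons)
    return anomaly and any(r.startswith("session claims username") for r in reasons)


def scan_session_dir(directory: str = "/tmp") -> list:
    """Stat and read every sess_* file; skip ones the app already zeroed or removed."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if not SESSION_NAME_RE.match(name):
            continue
        path = os.path.join(directory, name)
        try:
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            with open(path, "rb") as fh:
                blob = fh.read(65536)
        except OSError:
            continue
        reasons = classify_session(name, blob, st.st_uid, st.st_mode)
        if reasons:
            findings.append(Finding(path, reasons, forged_root_session(name, blob, st.st_uid, st.st_mode)))
    return findings


def inspect_request(line: str):
    """Session ID from an admin-panel request carrying a cwpsrv-/cwsrp- cookie, else None."""
    if not ADMIN_PATH_RE.search(line):
        return None
    m = COOKIE_RE.search(line)
    return m.group(1) if m else None


def correlate(findings: list, log_lines: list) -> list:
    """Pair each suspicious sess_<id> file with the admin requests presenting that id."""
    by_id = {os.path.basename(f.path)[len("sess_"):]: f.path for f in findings}
    return [(by_id[sid], line) for line in log_lines if (sid := inspect_request(line)) in by_id]


def demo() -> tuple:
    """Plant a constructed forged session in a scratch dir and run both checks over it."""
    d = tempfile.mkdtemp(prefix="cwp-demo-")
    path = os.path.join(d, "sess_forgedroot01")
    with open(path, "wb") as fh:
        fh.write(b'username|s:4:"root";logged|b:1;')   # markers named in the detection notes
    os.chmod(path, 0o644)                                # the relaxation step the PoC performs
    findings = scan_session_dir(d)
    return findings, correlate(findings, SAMPLE_LOG)


if __name__ == "__main__":
    findings, matches = demo()
    for f in findings:
        print(f.path, "FORGED" if f.forged else "suspicious", "; ".join(f.reasons))
    for path, line in matches:
        print("  presented by:", line)
```

Run it as root on the CWP host against the real /tmp (drop the demo and call scan_session_dir("/tmp") on a tight interval, or trigger it from an inotify/auditd event on /tmp/sess_*) and feed it the panel's access log. The verdict requires both a root claim in the file and an ownership or mode anomaly, so a legitimate root session (owned by root, mode 600) stays quiet while a file a low-privileged user planted and chmod'ed to 644 fires.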
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 8.5 | HIGH | AV:N/AC:M/Au:S/C:C/I:C/A:C |
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/153666/CentOS-Control-Web-Panel-0.9.8.836-Privilege-Escalation.html
- https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13359.md