# CVE-2024-54679
CVE-2024-54679 - CyberPanel (aka Cyber Panel) Denial of Service
## Description
A denial of service (DoS) vulnerability was discovered in Cyber Panel that allows any authenticated user to restart the database by sending requests to the `/dataBases/restartMySQL` endpoint. This vulnerability occurs in the `restartMySQL` function in the `Cyberpanel/databases/views.py` file at line 400, where the action is executed before checking user permissions (ACL). The function first retrieves the user ID from the session (authentication check), then calls the `restartMySQL` method from the `mysqlUtilities` class, which executes the database restart command (`sudo systemctl restart mariadb`). Only after this action does it check if the user is an admin. This lack of an ACL check before executing the restart makes the endpoint accessible to any authenticated user. An attacker with a low-privilege account could exploit this by repeatedly sending requests to the endpoint, causing the database to crash and resulting in a denial of service.
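The ordering flaw described above, reduced to a stand-alone Python model next to the check-first form. This is an added example, not CyberPanel's code: `FakeMySQLUtilities`, the `ACL` table, the session dict and the response shape are assumptions, and the restart is counted instead of executed.

```python
from dataclasses import dataclass

# Constructed ACL table (assumption): user id -> ACL record.
ACL = {1: {"admin": 1}, 2: {"admin": 0}}


@dataclass
class FakeMySQLUtilities:
    """Stand-in for mysqlUtilities: counts restarts instead of running systemctl."""
    restarts: int = 0

    def restartMySQL(self):
        self.restarts += 1
        return 1, "None"


def restart_vulnerable(session, db):
    user_id = session["userID"]            # authentication only
    status, error = db.restartMySQL()      # side effect runs first
    if ACL[user_id]["admin"] != 1:         # authorization checked too late
        return {"status": 0, "error_message": "Not authorized"}
    return {"status": status, "error_message": error}


def restart_fixed(session, db):
    user_id = session["userID"]
    if ACL[user_id]["admin"] != 1:         # authorization before any side effect
        return {"status": 0, "error_message": "Not authorized"}
    status, error = db.restartMySQL()
    return {"status": status, "error_message": error}


def replay(handler, user_id, requests=5):
    """Send `requests` calls as user_id; return (restart count, last response)."""
    db = FakeMySQLUtilities()
    response = None
    for _ in range(requests):
        response = handler({"userID": user_id}, db)
    return db.restarts, response


if __name__ == "__main__":
    print("vulnerable, low-priv:", replay(restart_vulnerable, 2))
    print("fixed, low-priv:     ", replay(restart_fixed, 2))
    print("fixed, admin:        ", replay(restart_fixed, 1))
```

In this model both handlers return the same denial to the low-privilege user, so a regression test for this class of bug has to assert on the side effect (the restart count), not on the response body.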
## Affected Versions
CyberPanel (aka Cyber Panel) Versions through 2.3.7 and (unpatched) 2.3.8
## Steps to Reproduce
- Log in to CyberPanel using a low-privileged user account.
- Send a request to the `/dataBases/restartMySQL` endpoint to restart the database.
- Configure Burp Suite and send the request to the Intruder tab.
- In Intruder, select Null payloads and run the attack indefinitely.
- Observe that the database has crashed and CyberPanel is unavailable.
## Proof of concept
## Demo: https://www.youtube.com/watch?v=f2M5wI875Uk

*Vulnerable code*

*mysqlUtilities.restartMySQL method*
## References
- National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2024-54679
- Patch Commit: https://github.com/usmannasir/cyberpanel/commit/6778ad1eaae41f72365da8fd021f9a60369600dc
## Discoverer
Abdul Wassay (hotplugin0x01)