ZPanel Cross-Site Request Forgery and SQL Injection Vulnerabilities
Description
Multiple vulnerabilities have been discovered in ZPanel, which can be exploited by malicious people to conduct cross-site request forgery and SQL injection attacks.
1) The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. add an FTP user if a logged-in administrator visits a malicious web site.
Note: This can further be exploited to conduct script insertion attacks.
2) Input passed via the "resetkey" GET and "inConfEmail" POST parameters to index.php is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The vulnerabilities are confirmed in version 10.0.1. Prior versions may also be affected.
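The server-side defences that correspond to items 1 and 2, shown as an added example that is not taken from ZPanel's code: a per-session anti-CSRF token checked before any state-changing request is processed, and bound parameters for values such as "resetkey" and "inConfEmail". The `accounts` table, its columns, the function names, the `ftp_user` field and the sample data are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);
// Added illustration, not ZPanel source. Table, column, field and function
// names are hypothetical; the sample rows are constructed.

// Issue one unpredictable token per session; embed it in every state-changing form.
function csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// Accept a request only if it carries the session's token (constant-time compare).
function csrf_valid(array $session, array $post): bool
{
    return isset($session['csrf'], $post['csrf'])
        && is_string($post['csrf'])
        && hash_equals($session['csrf'], $post['csrf']);
}

// Look up a reset request with bound parameters: the values never become SQL text.
function find_reset(PDO $db, string $resetKey, string $email): ?array
{
    $stmt = $db->prepare(
        'SELECT id, email FROM accounts WHERE reset_key = :k AND email = :e'
    );
    $stmt->execute([':k' => $resetKey, ':e' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, email TEXT, reset_key TEXT)');
$db->exec("INSERT INTO accounts (email, reset_key) VALUES ('admin@example.test', 'k3y-constructed')");

$session = [];
$token = csrf_token($session);

var_dump(csrf_valid($session, ['csrf' => $token, 'ftp_user' => 'demo'])); // form that carries the token
var_dump(csrf_valid($session, ['ftp_user' => 'demo']));                   // cross-site request without it
var_dump(find_reset($db, 'k3y-constructed', 'admin@example.test') !== null); // legitimate lookup
var_dump(find_reset($db, "' OR '1'='1", "' OR '1'='1"));                  // quote-bearing input stays a literal
```

The token check belongs in front of every handler that changes state, not only the one that adds an FTP user, and output encoding is still needed separately for the script insertion issue mentioned in the note.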