CVE-2022-44877 - How Login Vulnerability in CWP Puts Your Server at Risk

If you’re running a Linux server managed by CWP (Control Web Panel, formerly CentOS Web Panel) and haven’t updated lately, you might be sitting on a dangerous security hole. In December 2022, a critical vulnerability—CVE-2022-44877—was discovered in the CWP login system.

In this post, we break down how the vulnerability works, show a proof-of-concept exploit, and share direct links to more information and the patch. If you admin any CWP server, read carefully!

What is CVE-2022-44877?

CVE-2022-44877 is a vulnerability found in the login/index.php page of CWP 7, for versions before .9.8.1147.

What’s the danger?

Any remote attacker can run any OS command on your CWP-managed server just by sending specially crafted data to the login page. Yup: from the login form, an attacker can get remote shell access, steal files, or even wipe your server clean.

The specific cause? The “login” parameter of the login form is not sanitized. That means an attacker can include shell commands wrapped by metacharacters (like ;, &&, or |), and the server will just execute them.

The login form in CWP allows users to input a username.

- Internally, the value of the username/login parameter is used unsafely in a shell command.
- If you submit something like admin; whoami, the server will execute whoami on itself, and send the result.

Here’s a hypothetical excerpt of the vulnerable PHP code (simplified for clarity)

// login/index.php (vulnerable pseudo-code)
$user = $_POST['login'];
$pass = $_POST['password'];

// BAD: User input passed directly to shell
system("some_command --user=$user --password=$pass");

If an attacker sends

login=admin;id
password=anyvalue

the system() call turns into

some_command --user=admin;id --password=anyvalue

The shell will execute some_command --user=admin AND then also execute id. The attacker gets OS-level code execution remotely.

Exploiting CVE-2022-44877: Proof of Concept

Let’s imagine you want to confirm if your CWP 7 box is vulnerable (on your own server ONLY).   Here’s an example exploitation using curl:

curl -X POST http://yourserver:203/login/index.php \
     -d "login=admin;cat /etc/passwd" \
     -d "password=anything"

If your system is vulnerable, instead of a failed login, the contents of /etc/passwd might be returned in the response!

You can try more advanced payloads—like reverse shells, file downloads, and so forth. This is why it’s so dangerous.

References and Further Reading

- CVE record at Mitre: CVE-2022-44877
- Official CWP Forum Patch Announcement
- Detailed write-up and Proof of Concept
- NVD vulnerability detail

What Should You Do?

Update your CWP server now.  
The vendor quickly released a fix in version .9.8.1147. Just updating your CWP package will close the vulnerability.

Conclusion: Take This One Seriously

CVE-2022-44877 is trivial to exploit and can completely compromise any server with an outdated CWP version exposed to the web. Anyone—without even knowing a valid username or password—could take control.

Patch ASAP, and always be wary of user-supplied data in shell commands!

If you found this helpful, share it with any friends or colleagues running CentOS Web Panel. Stay safe!

Timeline

Published on: 01/05/2023 23:15:00 UTC
Last modified on: 04/06/2023 17:15:00 UTC