RCE bug chain patched in CentOS Web Panel


A security researcher exploited a pair of flaws in the popular web hosting platform CentOS Web Panel (CWP) to gain preauthenticated remote command execution (RCE) as root.

Paulos Yibelo obtained RCE but use a null binary file inclusion payload to add a malicious API key, then utilising this API key to publish to a file and including this file via the file inclusion bug.

Read More…