Two security researchers on Saturday have warned that if you use cPanel to administer your website or certain Linksys or Netgear routers, you're leaving yourself open to web-based attacks that could potentially take control of your systems.
The attacks are based on CSRF, or cross-site request forgery, which can be exploited simply by surfing to the 'wrong' website, say Russ McRee of HolisticInfoSec.org and Mike Bailey of Skeptikal.org.
"CSRF is bad stuff," Bailey said at the Defcon hacker conference in Las Vegas. "It's a very under-appreciated vulnerability, and it's all over the place. Because it usually gets rated as a pretty minimal issue, it almost never gets fixed, and that means we have these kinds of holes all over."
When visiting a malicous website while logged in to the program, the attack is able to trick cPanel into carrying out sensitive commands by duping the device into thinking they came from the victim. And it doesn't look like this will be fixed anytime soon.
"The response I got from cPanel was we can't fix this because it's a feature," Bailey said. "Apparently, they're worried it's going to break integration with third party billing software, so they can't fix this."
Much more info here .
Image Credit: Linksys