Commit e93a6ff

Merge pull request #2183 from HackTricks-wiki/update_CVE-2026-41940__cPanel___WHM_Authentication_Bypass_20260430_024234
CVE-2026-41940 cPanel & WHM Authentication Bypass
2 parents 9a959a5 + c128b30 commit e93a6ff

1 file changed

Lines changed: 35 additions & 0 deletions

File tree

src/pentesting-web/crlf-0d-0a.md

@@ -169,6 +169,38 @@ Moreover, researchers also discovered that they could desync the memcache respon
169169

170170
<figure><img src="../images/image (637).png" alt="https://assets-eu-01.kc-usercontent.com/d0f02280-9dfb-0116-f970-137d713003b6/c6c1f3c4-d244-4bd9-93f7-2c88f139acfa/body-3f9ceeb9-3d6b-4867-a23f-e0e50a46a2e9_14.png?w=1322&h=506&auto=format&fit=crop"><figcaption></figcaption></figure>
171171

172+
### Pre-auth Session File Poisoning via CRLF
173+
174+
Some applications **persist session state before authentication completes** and later **reload the same session from disk** after additional requests. If attacker-controlled values from **headers**, **cookies**, or login parameters are written into that session file **without stripping `\r` / `\n`**, CRLF injection can become an **authentication bypass** instead of just response splitting.
175+
176+
Typical exploitation pattern:
177+
178+
1. A failed or incomplete login **creates a pre-auth session file** on disk.
179+
2. The attacker finds a field that is later written to the session store, commonly a **Basic Authorization** value, a **session cookie subfield**, or another login-related attribute.
180+
3. If the product uses a **structured session identifier** or cookie format, try **removing optional/expected segments** to force a weaker code path where attacker-controlled data is **not encoded/encrypted** before being persisted.
181+
4. Inject raw CRLF so the serialized session becomes **multi-line**, allowing creation of extra trusted entries such as:
182+
183+
```text
184+
user=root
185+
cp_security_token=/cpsess...
186+
tfa_verified=1
187+
```
188+
189+
5. Trigger a **session reload / resume** path. If the parser trusts the poisoned session file, the attacker upgrades a pre-auth session into an authenticated or privileged one.
190+
191+
Quick notes for review and exploitation:
192+
193+
- Check whether the session store is **line-oriented** (`key=value` per line). These formats are especially sensitive to CRLF.
194+
- Compare how the application handles a **freshly issued session cookie** versus a **malformed/truncated** version of the same cookie.
195+
- If authentication is split across several requests, inspect whether the **same session identifier survives** from the failed login into the later privileged request.
196+
- Newline injection into one field can be enough if the reload logic later trusts **presence of keys** such as `user`, `role`, `successful_external_auth_with_timestamp`, or `tfa_verified`.
197+
198+
Detection / triage ideas:
199+
200+
- Inspect pre-auth session files for **authenticated-only keys**.
201+
- Flag session files whose `pass` or equivalent field became **multi-line**.
202+
- Correlate **failed-login origins** with later session records containing valid security tokens or authenticated attributes.
203+
172204
### How to Prevent CRLF / HTTP Header Injections in Web Applications
173205

174206
To mitigate the risks of CRLF (Carriage Return and Line Feed) or HTTP Header Injections in web applications, the following strategies are recommended:
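Review bot: the new section never names the product or CVE the example session keys come from, so `cp_security_token=/cpsess...`, `tfa_verified` and `successful_external_auth_with_timestamp` read as generic when they are specific to the cPanel & WHM case this PR is about (CVE-2026-41940 per the merge title); add one sentence stating that the keys and the `/cpsess` token format are taken from that case and point readers to the references added further down. Two smaller points: the triage bullet "Flag session files whose `pass` or equivalent field became **multi-line**" introduces `pass` without ever saying which request field it is, so tie it to the Basic Authorization value named in step 2; and because this hunk adds a storage-side variant of CRLF injection right above "How to Prevent CRLF / HTTP Header Injections in Web Applications", that section should gain a bullet on stripping or rejecting `\r`/`\n` in any value written to a session store and on validating the expected key set when a session file is reloaded, since response splitting defences alone do not cover this path.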
@@ -258,6 +290,9 @@ into a reflected header, browsers will ignore the body supplied by the server an
258290
- [https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning](https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning)
259291
- [https://www.netsparker.com/blog/web-security/crlf-http-header/](https://www.netsparker.com/blog/web-security/crlf-http-header/)
260292
- [https://nvd.nist.gov/vuln/detail/CVE-2024-45302](https://nvd.nist.gov/vuln/detail/CVE-2024-45302)
293+
- [Rapid7 - CVE-2026-41940: cPanel & WHM Authentication Bypass](https://www.rapid7.com/blog/post/etr-cve-2026-41940-cpanel-whm-authentication-bypass)
294+
- [watchTowr - The Internet Is Falling Down, Falling Down, Falling Down (cPanel & WHM Authentication Bypass CVE-2026-41940)](https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/)
295+
- [cPanel Security Update 04/28/2026](https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026)
261296
- [https://security.praetorian.com/blog/2023-unicode-newlines-bypass/](https://security.praetorian.com/blog/2023-unicode-newlines-bypass/)
262297

263298
{{#include ../banners/hacktricks-training.md}}
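Review bot: the three added reference entries use descriptive link text ("Rapid7 - CVE-2026-41940: ...", "watchTowr - ...", "cPanel Security Update 04/28/2026") while every surrounding entry in this list uses the bare URL as the link text, as on the portswigger, netsparker, nvd and praetorian lines; settle on one style for the list, either converting the new entries to bare URLs or leaving them as titled links and accepting the mixed style, and consider placing the vendor advisory first among the three since it is the authoritative source for the fixed versions.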
