CVE-2022-25046: 
Control Web Panel vulnerability analysis and mitigation

A path traversal vulnerability (CVE-2022-25046) was discovered in loader.php of Control Web Panel (CWP) v0.9.8.1122, allowing attackers to execute arbitrary code via crafted POST requests. The vulnerability was identified and responsibly disclosed by Immersive Labs researchers in early 2022 (NVD, Immersive Labs).

The vulnerability stems from improper filtering of directory traversal attempts in the application. The security measures implemented, including htmlspecialchars and striptags functions, inadvertently created a new bypass method. When sending a string like 'variable=../', the initial security check passes as '..' isn't present, but after the final striptags processing, it results in 'variable=../../', enabling directory traversal. This vulnerability was chained with a command injection flaw to achieve remote code execution (Immersive Labs).

The vulnerability affected approximately 185,000 active CWP servers on the internet, with each server typically hosting between 10 and 100 websites. This means millions of individual websites could have been impacted. Attackers could potentially exploit these vulnerabilities at scale to infect websites with credential harvesting malware or target payment portals to intercept banking details (Immersive Labs).

The CWP team has patched all reported vulnerabilities. The system's default configuration includes automatic updates at regular intervals, ensuring that all CWP instances should be fully patched unless updates have been manually disabled. Users can verify their installed version by SSH-ing onto the target server and running the command 'cat /path to version.php' (Immersive Labs).

The CWP development team responded quickly to the disclosure and worked collaboratively with researchers to patch and test all fixes. As acknowledgment for the responsible disclosure, CWP made a donation to Save the Children in support of Ukraine at the researchers' request (Immersive Labs).