From c128b308439b713e579e547721d9d5043e6cd1e7 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Thu, 30 Apr 2026 02:45:36 +0000 Subject: [PATCH] Add content from: CVE-2026-41940: cPanel & WHM Authentication Bypass --- src/pentesting-web/crlf-0d-0a.md | 35 ++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/src/pentesting-web/crlf-0d-0a.md b/src/pentesting-web/crlf-0d-0a.md index add9b676580..d55a0fbc329 100644 --- a/src/pentesting-web/crlf-0d-0a.md +++ b/src/pentesting-web/crlf-0d-0a.md @@ -169,6 +169,38 @@ Moreover, researchers also discovered that they could desync the memcache respon
https://assets-eu-01.kc-usercontent.com/d0f02280-9dfb-0116-f970-137d713003b6/c6c1f3c4-d244-4bd9-93f7-2c88f139acfa/body-3f9ceeb9-3d6b-4867-a23f-e0e50a46a2e9_14.png?w=1322&h=506&auto=format&fit=crop
+### Pre-auth Session File Poisoning via CRLF + +Some applications **persist session state before authentication completes** and later **reload the same session from disk** after additional requests. If attacker-controlled values from **headers**, **cookies**, or login parameters are written into that session file **without stripping `\r` / `\n`**, CRLF injection can become an **authentication bypass** instead of just response splitting. + +Typical exploitation pattern: + +1. A failed or incomplete login **creates a pre-auth session file** on disk. +2. The attacker finds a field that is later written to the session store, commonly a **Basic Authorization** value, a **session cookie subfield**, or another login-related attribute. +3. If the product uses a **structured session identifier** or cookie format, try **removing optional/expected segments** to force a weaker code path where attacker-controlled data is **not encoded/encrypted** before being persisted. +4. Inject raw CRLF so the serialized session becomes **multi-line**, allowing creation of extra trusted entries such as: + +```text +user=root +cp_security_token=/cpsess... +tfa_verified=1 +``` + +5. Trigger a **session reload / resume** path. If the parser trusts the poisoned session file, the attacker upgrades a pre-auth session into an authenticated or privileged one. + +Quick notes for review and exploitation: + +- Check whether the session store is **line-oriented** (`key=value` per line). These formats are especially sensitive to CRLF. +- Compare how the application handles a **freshly issued session cookie** versus a **malformed/truncated** version of the same cookie. +- If authentication is split across several requests, inspect whether the **same session identifier survives** from the failed login into the later privileged request. 
+- Newline injection into one field can be enough if the reload logic later trusts **presence of keys** such as `user`, `role`, `successful_external_auth_with_timestamp`, or `tfa_verified`. + +Detection / triage ideas: + +- Inspect pre-auth session files for **authenticated-only keys**. +- Flag session files whose `pass` or equivalent field became **multi-line**. +- Correlate **failed-login origins** with later session records containing valid security tokens or authenticated attributes. + ### How to Prevent CRLF / HTTP Header Injections in Web Applications To mitigate the risks of CRLF (Carriage Return and Line Feed) or HTTP Header Injections in web applications, the following strategies are recommended: 
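Review bot: the new "Pre-auth Session File Poisoning via CRLF" section never says which product the example keys come from, even though the commit subject names CVE-2026-41940 (cPanel & WHM) and the `cp_security_token=/cpsess...` and `tfa_verified` lines in the fenced block are product-specific; a one-line attribution at the top of the section ("Observed in cPanel & WHM, CVE-2026-41940; see references") would let readers tie the pattern to the sources added in the references hunk. Two smaller points in the same hunk: the unindented ```text fence between items 4 and 5 splits the numbered list into two lists in most Markdown renderers, so either indent the fence under item 4 or move it after item 5; and the triage bullet "Flag session files whose `pass` or equivalent field became multi-line" refers to a `pass` key that the section never introduces, so say what that field holds (for example, the persisted Basic-auth credential) so the detection idea is actionable. Finally, since the section ends immediately before the generic "How to Prevent" list, consider one store-specific mitigation sentence here: reject or strip `\r` and `\n` from every value before it is serialized, or use a serializer that escapes them (JSON rather than line-oriented `key=value`), and treat authenticated-only keys in a pre-auth session as an integrity failure rather than trusting them on reload.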
@@ -258,6 +290,9 @@ into a reflected header, browsers will ignore the body supplied by the server an - [https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning](https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning) - [https://www.netsparker.com/blog/web-security/crlf-http-header/](https://www.netsparker.com/blog/web-security/crlf-http-header/) - [https://nvd.nist.gov/vuln/detail/CVE-2024-45302](https://nvd.nist.gov/vuln/detail/CVE-2024-45302) +- [Rapid7 - CVE-2026-41940: cPanel & WHM Authentication Bypass](https://www.rapid7.com/blog/post/etr-cve-2026-41940-cpanel-whm-authentication-bypass) +- [watchTowr - The Internet Is Falling Down, Falling Down, Falling Down (cPanel & WHM Authentication Bypass CVE-2026-41940)](https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/) +- [cPanel Security Update 04/28/2026](https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026) - [https://security.praetorian.com/blog/2023-unicode-newlines-bypass/](https://security.praetorian.com/blog/2023-unicode-newlines-bypass/) {{#include ../banners/hacktricks-training.md}}
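Review bot: the three new reference entries use titled links (`[Rapid7 - ...](https://...)`) while every neighbouring entry in this list uses the bare `[url](url)` form, so either match the existing style or, better, add titles to the surrounding entries in a follow-up so the list is consistent. The cPanel support entry's title "cPanel Security Update 04/28/2026" omits the CVE id that the other two titles and the URL carry; "cPanel Security Update 04/28/2026 (CVE-2026-41940)" would make the three entries scannable as one topic. These references are also not cited from the new section in the first hunk, so a reader of that section has no pointer to them; an inline "(see references)" or a direct link in the section's first paragraph would close that gap.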