PT-2005-2885 · Lpanel · Lpanel

Published

2005-06-30

·

Updated

2008-09-05

·

CVE-2005-1932

CVSS v2.0

2.1

Low

Vector AV:L/AC:L/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions
Lpanel versions 1.59 and earlier; Lpanel versions prior to 1.597
Description
Missing authorization checks in several Lpanel pages allow remote authenticated users to act on objects that belong to other accounts simply by changing an identifier in the request. A user can modify DNS settings for arbitrary domains via the domain parameter to "diagnose.php"; close, open, or respond to arbitrary support tickets via the close, open, or pid parameter to "view ticket.php"; obtain sensitive information on arbitrary invoices via the inv parameter to "viewreceipt.php"; or modify domain information for arbitrary domains via the editdomain parameter to "domains.php". In each case the application trusts the supplied identifier without verifying that the referenced domain, ticket, or invoice belongs to the authenticated user.
Recommendations
Upgrade to a version outside the affected range (the range above implies that 1.597 is no longer affected). Until the upgrade is possible, consider disabling access to diagnose.php, view ticket.php, viewreceipt.php, and domains.php. If those pages must stay available, ensure that every request carrying a domain, close, open, pid, inv, or editdomain parameter is honoured only when the referenced object belongs to the authenticated account. Filtering or blocking the parameters themselves does not help on its own: the parameters are legitimate, and the missing piece is the ownership check on the object they name.
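The following is an added example written for this page; it is not Lpanel code and does not reproduce the vulnerable files. It shows the pattern behind all four findings in the description (a record loaded by a client-supplied id alone) next to the hardened form, in which the ownership predicate is part of every query and a write that matches no row is treated as a failure. The table and column names (invoices, tickets, owner_id, status) and the sample rows are assumptions constructed for the demo.

```php
<?php
// Added example, not Lpanel code. Demonstrates the authorization gap described in the
// advisory (viewreceipt.php?inv=N, view ticket.php?pid=N&close=1, etc.): the id comes
// from the client, so the query must also be scoped to the session's account.
// Schema, table names and sample rows below are constructed assumptions for this demo.

declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, amount TEXT NOT NULL)');
$db->exec('CREATE TABLE tickets  (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, status TEXT NOT NULL)');
$db->exec("INSERT INTO invoices VALUES (101, 1, '49.00'), (102, 2, '899.00')");      // constructed
$db->exec("INSERT INTO tickets  VALUES (7, 1, 'open'),    (8, 2, 'open')");          // constructed

// Input handling shared by every endpoint: an id must be a positive integer.
function parseId(?string $raw): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

// Vulnerable read (the pattern behind the inv finding): the row is selected by id only.
// Any authenticated user who can guess or enumerate ids reads every invoice.
function viewReceiptVulnerable(PDO $db, int $sessionUserId, int $inv): ?array
{
    $st = $db->prepare('SELECT id, owner_id, amount FROM invoices WHERE id = :id');
    $st->execute([':id' => $inv]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened read: ownership is part of the WHERE clause, so a foreign id yields no row.
// The same scoping applies to domain/editdomain lookups against the domains table.
function viewReceiptHardened(PDO $db, int $sessionUserId, int $inv): ?array
{
    $st = $db->prepare('SELECT id, owner_id, amount FROM invoices WHERE id = :id AND owner_id = :owner');
    $st->execute([':id' => $inv, ':owner' => $sessionUserId]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened write (the pattern for close/open/pid on tickets): scope the UPDATE the same
// way and treat rowCount() === 0 as "not found or not yours", never as success.
function closeTicketHardened(PDO $db, int $sessionUserId, int $pid): bool
{
    $st = $db->prepare("UPDATE tickets SET status = 'closed' WHERE id = :id AND owner_id = :owner");
    $st->execute([':id' => $pid, ':owner' => $sessionUserId]);
    return $st->rowCount() === 1;
}

// Demo: user 1 asks for invoice 102 and ticket 8, both of which belong to user 2 (constructed).
$sessionUserId = 1;
$inv = parseId('102');
$pid = parseId('8');
if ($inv === null || $pid === null) {
    http_response_code(400);
    exit("bad id\n");
}

echo 'vulnerable read: ', viewReceiptVulnerable($db, $sessionUserId, $inv) !== null ? 'row returned (leak)' : 'denied', "\n";
echo 'hardened read:   ', viewReceiptHardened($db, $sessionUserId, $inv) !== null ? 'row returned' : 'denied', "\n";
echo 'hardened close:  ', closeTicketHardened($db, $sessionUserId, $pid) ? 'closed' : 'denied', "\n";
```

The hardened functions deliberately do not distinguish "does not exist" from "belongs to someone else" in the response; returning a uniform denial keeps the endpoint from doubling as an id-enumeration oracle. Putting the owner predicate in the SQL rather than checking `owner_id` after the fetch also avoids a time-of-check gap and cannot be skipped by a later code path that forgets the comparison.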

Fix

Found a problem in the description? Have something to add? Feel free to write to us 👾

Related identifiers

CVE-2005-1932

Affected products

Lpanel