Archive for July, 2013

ArcticDesk – Multiple XSS Flaws (R911-0048)

Wednesday, July 24th, 2013

Type: XSS
Location: Remote
Impact: High
Product: ArcticDesk
Website: http://www.arcticdesk.com
Vulnerable Version: 1.2.0
Fixed Version: 1.2.1
CVE: -
R911: 0048
Date: 2013-07-24
By: http://www.rack911.com

Product Description:

ArcticDesk is a lightweight support help desk solution. It lets you manage tickets, emails, announcements, articles, downloads and more, all in one place.

Vulnerability Description:

There are numerous XSS vulnerabilities present in both the client frontend and the administrator frontend. The most severe of these is triggered when viewing tickets.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that the XSS code executes in the administrator frontend, which can also be used to mount a CSRF attack.

Vulnerable Version:

This vulnerability was tested against ArcticDesk v1.2.0.

Fixed Version:

This vulnerability was patched in ArcticDesk v1.2.1.

Vendor Contact Timeline:

2013-05-02: Vendor contacted via email.
2013-05-02: Vendor confirms vulnerability.
2013-06-25: Vendor issues 1.2.1 update.
2013-07-24: Rack911 issues security advisory.

ArcticDesk – Arbitrary File Upload (R911-0047)

Wednesday, July 24th, 2013

Type: Arbitrary File Upload
Location: Remote
Impact: High
Product: ArcticDesk
Website: http://www.arcticdesk.com
Vulnerable Version: 1.2.0
Fixed Version: 1.2.1
CVE: -
R911: 0047
Date: 2013-07-24
By: http://www.rack911.com

Product Description:

ArcticDesk is a lightweight support help desk solution. It lets you manage tickets, emails, announcements, articles, downloads and more, all in one place.

Vulnerability Description:

An attacker can manipulate the attachments field when submitting a trouble ticket to upload any file they want, regardless of the file extension being used. From there, the attacker can upload a malicious PHP file and, through a web shell or other means, gain access to the account, compromise the MySQL database or modify files.
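The defensive counterpart to the flaw described above, as an added example that is not ArcticDesk's code: an attachment vetting routine that derives only the extension from the client-supplied name, checks that extension against a constructed allowlist and the file's leading bytes, rejects script extensions anywhere in the name, and assigns a random server-chosen filename (the caller is assumed to store it outside the document root).

```python
import os
import secrets

# Constructed allowlist for this example: extension -> leading magic bytes
# (None means a text type, checked for NUL bytes instead).
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
    "txt": None,
}
SCRIPT_EXTS = {"php", "phtml", "php5", "phar", "cgi", "pl", "sh"}

def vet_attachment(client_name, data):
    """Return (accepted, reason, stored_name) for an uploaded ticket attachment.

    The client-supplied name only yields the extension; the on-disk name is
    random and server-chosen, and the file is meant to live outside the
    document root (assumption), so nothing uploaded is ever served as code.
    """
    base = os.path.basename(client_name.replace("\\", "/"))
    if not base or "\x00" in base:
        return False, "invalid filename", ""
    parts = base.lower().split(".")
    if len(parts) < 2:
        return False, "missing extension", ""
    ext = parts[-1]
    if SCRIPT_EXTS & set(parts[:-1]):           # "shell.php.png" style names
        return False, "script extension in name", ""
    if ext not in ALLOWED:
        return False, "extension .%s not allowed" % ext, ""
    magic = ALLOWED[ext]
    if magic is not None and not data.startswith(magic):
        return False, "content does not match extension", ""
    if magic is None and b"\x00" in data:
        return False, "binary content in text attachment", ""
    return True, "ok", secrets.token_hex(16) + "." + ext
```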

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that a malicious user can upload any file and potentially gain access to the database and/or other files under the software.

Vulnerable Version:

This vulnerability was tested against ArcticDesk v1.2.0.

Fixed Version:

This vulnerability was patched in ArcticDesk v1.2.1.

Vendor Contact Timeline:

2013-05-02: Vendor contacted via email.
2013-05-02: Vendor confirms vulnerability.
2013-06-25: Vendor issues 1.2.1 update.
2013-07-24: Rack911 issues security advisory.

ArcticDesk – CSRF (Add Admin) (R911-0046)

Wednesday, July 24th, 2013

Type: CSRF (Add Admin)
Location: Remote
Impact: High
Product: ArcticDesk
Website: http://www.arcticdesk.com
Vulnerable Version: 1.2.0
Fixed Version: 1.2.1
CVE: -
R911: 0046
Date: 2013-07-24
By: http://www.rack911.com

Product Description:

ArcticDesk is a lightweight support help desk solution. It lets you manage tickets, emails, announcements, articles, downloads and more, all in one place.

Vulnerability Description:

A CSRF (Cross Site Request Forgery) exists in the default settings of ArcticDesk that would allow an attacker to create a new administrator account should a legitimate administrator view a website containing the malicious code. (Due to XSS conditions within ArcticDesk, an attacker would also be able to submit a ticket containing malicious code in the subject field; should the administrator simply view the ticket list, the CSRF attack will be executed.)

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that a malicious user would be able to obtain administrative access.

Vulnerable Version:

This vulnerability was tested against ArcticDesk v1.2.0.

Fixed Version:

This vulnerability was patched in ArcticDesk v1.2.1.

Vendor Contact Timeline:

2013-05-02: Vendor contacted via email.
2013-05-02: Vendor confirms vulnerability.
2013-06-25: Vendor issues 1.2.1 update.
2013-07-24: Rack911 issues security advisory.

SecPanel – Privilege Escalation (R911-0045)

Monday, July 22nd, 2013

Type: Privilege Escalation
Location: Local
Impact: Critical
Product: SecPanel
Website: http://www.secpanel.com
Vulnerable Version: v2.0.0
Fixed Version: v2.0.1
CVE: -
R911: 0045
Date: 2013-07-22
By: www.rack911.com

Product Description:

SecPanel’s one-click install hardens your server against the most common and dangerous attacks. You can manage your server’s security from a web-based dashboard.

Vulnerability Description:

When the software is installed it adds a user to sudo, allowing access to various functions. Unfortunately, a flaw exposes the password in plain text, which would ultimately allow an attacker to escalate their privileges to root.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as CRITICAL due to the fact that root access can be obtained.

Vulnerable Version:

This vulnerability was tested against SecPanel v2.0.0 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in SecPanel v2.0.1.

Vendor Contact Timeline:

2013-07-11: Vendor contacted via email.
2013-07-12: Vendor confirms vulnerability.
2013-07-15: Vendor issues update.
2013-07-22: Rack911 issues security advisory.

cPanel – Content Manipulation (R911-0044)

Thursday, July 18th, 2013

Type: Content Manipulation
Location: Local
Impact: High
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.39.0.5, 11.38.1.13, 11.36.1.15, 11.34.1.25
CVE: -
R911: 0044
Date: 2013-07-18
By: www.rack911.com

Product Description:

cPanel is an easy-to-use control panel that gives web hosts and the website owners they serve the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

There is a flaw within the Suspend function of WHM that allows a reseller to lock every account on the server, including root, rendering it totally inoperable.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that the server can be rendered inoperable.

Vulnerable Version:

This vulnerability was tested against cPanel 11.38.1.5 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in cPanel 11.39.0.5, 11.38.1.13, 11.36.1.15, 11.34.1.25.

Vendor Contact Timeline:

2013-07-03: Vendor contacted via email.
2013-07-03: Vendor confirms vulnerability.
2013-07-15: Vendor issues updates to all builds.
2013-07-18: Rack911 issues security advisory.

cPanel – Content Manipulation (R911-0043)

Thursday, July 18th, 2013

Type: Content Manipulation
Location: Local
Impact: High
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.39.0.5, 11.38.1.13, 11.36.1.15, 11.34.1.25
CVE: -
R911: 0043
Date: 2013-07-18
By: www.rack911.com

Product Description:

cPanel is an easy-to-use control panel that gives web hosts and the website owners they serve the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

There is a flaw within the Purchase and Install an SSL Certificate (TrustWave) feature that allows an attacker to overwrite any file on the server, including root owned files, which could ultimately lead to a server being rendered inoperable.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that any file can be overwritten.

Vulnerable Version:

This vulnerability was tested against cPanel 11.38.1.5 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in cPanel 11.39.0.5, 11.38.1.13, 11.36.1.15, 11.34.1.25.

Vendor Contact Timeline:

2013-06-27: Vendor contacted via email.
2013-06-27: Vendor confirms vulnerability.
2013-07-15: Vendor issues updates to all builds.
2013-07-18: Rack911 issues security advisory.

cPanel – Content Manipulation (R911-0042)

Thursday, July 18th, 2013

Type: Content Manipulation
Location: Local
Impact: High
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.39.0.5, 11.38.1.13, 11.36.1.15, 11.34.1.25
CVE: -
R911: 0042
Date: 2013-07-18
By: www.rack911.com

Product Description:

cPanel is an easy-to-use control panel that gives web hosts and the website owners they serve the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

There is a flaw within WHM that allows an attacker to make unauthorized changes to any domain on the server, including the ability to modify DNS records and to add email accounts and mailing lists.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that any account can be modified.

Vulnerable Version:

This vulnerability was tested against cPanel 11.38.1.5 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in cPanel 11.39.0.5, 11.38.1.13, 11.36.1.15, 11.34.1.25.

Vendor Contact Timeline:

2013-06-27: Vendor contacted via email.
2013-06-27: Vendor confirms vulnerability.
2013-07-15: Vendor issues updates to all builds.
2013-07-18: Rack911 issues security advisory.

cPanel – Content Manipulation (R911-0041)

Thursday, July 18th, 2013

Type: Content Manipulation
Location: Local
Impact: High
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.39.0.5, 11.38.1.13, 11.36.1.15, 11.34.1.25
CVE: -
R911: 0041
Date: 2013-07-18
By: www.rack911.com

Product Description:

cPanel is an easy-to-use control panel that gives web hosts and the website owners they serve the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

There is a flaw within WHM that allows an attacker to add, delete and/or modify any DNS zone on the server. The end result is that an attacker would be able to hijack a domain hosted on the same server or the DNS cluster if used.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that any DNS zone can be modified.

Vulnerable Version:

This vulnerability was tested against cPanel 11.38.1.5 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in cPanel 11.39.0.5, 11.38.1.13, 11.36.1.15, 11.34.1.25.

Vendor Contact Timeline:

2013-06-27: Vendor contacted via email.
2013-06-27: Vendor confirms vulnerability.
2013-07-15: Vendor issues updates to all builds.
2013-07-18: Rack911 issues security advisory.

InterWorx – Content Manipulation (R911-0040)

Monday, July 8th, 2013

Type: Content Manipulation
Location: Local
Impact: High
Product: InterWorx
Website: http://www.interworx.com
Vulnerable Version: All previous versions.
Fixed Version: v4.11.6 #475 and v5.0.5 #516
CVE: -
R911: 0040
Date: 2013-07-08
By: http://www.rack911.com

Product Description:

The InterWorx control panel is a Linux based dedicated server and VPS web control panel. It is feature rich for both the system administrator and website administrator, and supports software-based load balancing and clustering via a web interface.

Vulnerability Description:

There is a flaw within the Import feature that would allow a malicious reseller to create a symlink targeting any file owned by the iworx user; that file is then overwritten when an archive is uploaded.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that any file owned by the user iworx can be modified or destroyed. This includes making the InterWorx panel inoperable or obtaining sensitive control panel data.

Vulnerable Version:

This vulnerability was tested against InterWorx v4.11.6 and v5.0.5 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in InterWorx v4.11.6 #475 and v5.0.5 #516.

Vendor Contact Timeline:

2013-06-13: Vendor contacted via email.
2013-06-14: Vendor confirms vulnerability.
2013-06-14: Vendor issues v4.11.6 #475 update.
2013-06-14: Vendor issues v5.0.5 #516 update.
2013-07-08: Rack911 issues security advisory.

InterWorx – Content Disclosure (R911-0039)

Monday, July 8th, 2013

Type: Content Disclosure (Root Access)
Location: Local
Impact: High
Product: InterWorx
Website: http://www.interworx.com
Vulnerable Version: All previous versions.
Fixed Version: v4.11.6 #479 and v5.0.5 #521
CVE: -
R911: 0039
Date: 2013-07-08
By: http://www.rack911.com

Product Description:

The InterWorx control panel is a Linux based dedicated server and VPS web control panel. It is feature rich for both the system administrator and website administrator, and supports software-based load balancing and clustering via a web interface.

Vulnerability Description:

There is a flaw within the Backup feature that allows an attacker to access a temporary world-writable directory and place there a hardlink to any file on the server; that file is then stored in the archive and available upon download.
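The two InterWorx flaws (R911-0040, symlink overwrite on Import; R911-0039, hardlink disclosure on Backup) share one root cause, writing to or reading from a user-controlled staging directory without checking what the path really is. The added example below is not InterWorx code: `archivable` applies the checks a backup routine needs before copying a staged file (lstat, link count, owner), `write_nofollow` shows the O_NOFOLLOW open an import routine needs, and `demo` builds a constructed staging directory with a planted hardlink and symlink. It assumes Linux; because it runs unprivileged, the planted links point at a file owned by the same user, and the hardlink is still caught by its link count.

```python
import os
import stat
import tempfile

def archivable(path, expected_uid):
    """Backup guard: may this staged file be copied into the archive?"""
    st = os.lstat(path)                 # lstat does not follow symlinks
    if stat.S_ISLNK(st.st_mode):
        return False, "symlink"
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if st.st_nlink > 1:                 # a planted hardlink shares another file's inode
        return False, "hardlinked (%d links)" % st.st_nlink
    if st.st_uid != expected_uid:       # not produced by the account being backed up
        return False, "owned by uid %d, expected %d" % (st.st_uid, expected_uid)
    return True, "ok"

def write_nofollow(dest, data):
    """Import guard: O_NOFOLLOW makes the kernel refuse (ELOOP) if dest is a symlink."""
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)

def demo():
    """Constructed staging directory: one genuine file plus two planted links."""
    out, me = {}, os.getuid()
    with tempfile.TemporaryDirectory() as d:
        own, victim = os.path.join(d, "site.sql"), os.path.join(d, "victim.conf")
        with open(own, "wb") as f:
            f.write(b"-- constructed sample dump\n")
        with open(victim, "wb") as f:   # stands in for a file the reseller must not reach
            f.write(b"secret=1\n")
        os.link(victim, os.path.join(d, "planted_hardlink"))
        os.symlink(victim, os.path.join(d, "planted_symlink"))
        out["own"] = archivable(own, me)[0]
        out["hardlink"] = archivable(os.path.join(d, "planted_hardlink"), me)[0]
        out["symlink"] = archivable(os.path.join(d, "planted_symlink"), me)[0]
        try:
            write_nofollow(os.path.join(d, "planted_symlink"), b"overwrite")
            out["nofollow_blocked"] = False
        except OSError:
            out["nofollow_blocked"] = True
        with open(victim, "rb") as f:
            out["victim_intact"] = f.read() == b"secret=1\n"
    return out
```

The checks are still racy against a directory the attacker can modify between lstat and copy; the durable fix is to stop staging in a world-writable location at all, as the vendor's updates did.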

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that root access can be obtained.

Vulnerable Version:

This vulnerability was tested against InterWorx v4.11.6 and v5.0.5 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in InterWorx v4.11.6 #479 and v5.0.5 #521.

Vendor Contact Timeline:

2013-06-13: Vendor contacted via email.
2013-06-14: Vendor confirms vulnerability.
2013-06-14: Vendor issues v4.11.6 #479 update.
2013-06-14: Vendor issues v5.0.5 #521 update.
2013-07-08: Rack911 issues security advisory.