Archive for November, 2013

ClientExec – SQL Injection Security Vulnerability (R911-0097)

Wednesday, November 27th, 2013

Type: SQL Injection
Location: Remote
Impact: High
Product: ClientExec
Website: http://www.clientexec.com
Vulnerable Version: 4.6.7
Fixed Version: 4.6.8
CVE: -
R911: 0097
Date: 2013-11-27
By: Rack911

Product Description:

ClientExec is a comprehensive and flexible web hosting billing solution that will help you manage and expand your existing base of hosting clients. ClientExec was conceived and built with small to mid-sized hosting companies in mind. ClientExec was built to enable business owners to effectively manage their hosting clients and web hosting billing using one convenient and powerful platform.

Vulnerability Description:

There is a possible SQL injection within the plugin / snapin system that could allow an attacker to perform malicious SQL queries within the database.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that un-sanitized SQL queries can be performed.

Vulnerable Version:

This vulnerability was tested against ClientExec v4.6.7.

Fixed Version:

This vulnerability was patched in ClientExec v4.6.8.

Vendor Contact Timeline:

2013-11-15: Vendor contacted via email.
2013-11-15: Vendor confirms vulnerability.
2013-11-20: Vendor issues update.
2013-11-27: Rack911 issues security advisory.

ClientExec – Multiple XSS Security Vulnerabilities (R911-0096)

Wednesday, November 27th, 2013

Type: XSS
Location: Remote
Impact: High
Product: ClientExec
Website: http://www.clientexec.com
Vulnerable Version: 4.6.7
Fixed Version: 4.6.8
CVE: -
R911: 0096
Date: 2013-11-27
By: Rack911

Product Description:

ClientExec is a comprehensive and flexible web hosting billing solution that will help you manage and expand your existing base of hosting clients. ClientExec was conceived and built with small to mid-sized hosting companies in mind. ClientExec was built to enable business owners to effectively manage their hosting clients and web hosting billing using one convenient and powerful platform.

Vulnerability Description:

There are a couple of XSS security vulnerabilities present within the admin panel of ClientExec.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that the XSS code is being executed by an admin which could lead to other security issues.

Vulnerable Version:

This vulnerability was tested against ClientExec v4.6.7.

Fixed Version:

This vulnerability was patched in ClientExec v4.6.8.

Vendor Contact Timeline:

2013-11-15: Vendor contacted via email.
2013-11-15: Vendor confirms vulnerability.
2013-11-20: Vendor issues update.
2013-11-27: Rack911 issues security advisory.

ClientExec – Multiple Input Validation Failures (R911-0095)

Wednesday, November 27th, 2013

Type: Input Validation Failure
Location: Remote
Impact: Medium
Product: ClientExec
Website: http://www.clientexec.com
Vulnerable Version: 4.6.7
Fixed Version: 4.6.8
CVE: -
R911: 0095
Date: 2013-11-27
By: Rack911

Product Description:

ClientExec is a comprehensive and flexible web hosting billing solution that will help you manage and expand your existing base of hosting clients. ClientExec was conceived and built with small to mid-sized hosting companies in mind. ClientExec was built to enable business owners to effectively manage their hosting clients and web hosting billing using one convenient and powerful platform.

Vulnerability Description:

There are a couple of input validation failures present that could allow a malicious user to interfere with welcome letters and with the article rating system.

Impact:

We have deemed this vulnerability to be rated as MEDIUM due to the fact that these input validation failures are more of a nuisance than anything else.

Vulnerable Version:

This vulnerability was tested against ClientExec v4.6.7.

Fixed Version:

This vulnerability was patched in ClientExec v4.6.8.

Vendor Contact Timeline:

2013-11-15: Vendor contacted via email.
2013-11-15: Vendor confirms vulnerability.
2013-11-20: Vendor issues update.
2013-11-27: Rack911 issues security advisory.

Installatron (DirectAdmin) – Arbitrary File Overwrite (R911-0094)

Saturday, November 23rd, 2013

Type: Arbitrary File Overwrite
Location: Local
Impact: High
Product: Installatron (DirectAdmin)
Website: http://www.installatron.com
Vulnerable Version: v9.0.5
Fixed Version: v9.0.6
CVE: -
R911: 0094
Date: 2013-11-23
By: Rack911

Product Description:

Installatron is a turn-key, state-of-the-art web application automation solution (also known as an auto installer or script installer) for web hosting control panel platforms.

Once installed on a control panel server, Installatron’s powerful, easy-to-use user-interface integrates seamlessly, enabling instant, one-click installs and upgrades, backups and restores, and other advanced features for a premier collection of only the best applications on the web.

Vulnerability Description:

Due to insecure handling of tmp files and predictable session names, it is possible for an attacker to overwrite any file on the server with session data thus rendering a server inoperable.
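The class of flaw described above (a predictable file name in a shared tmp directory, opened in a way that follows symlinks), shown next to a hardened form. This is an added illustration, not Installatron's code: the `sess_<id>` naming scheme, the function names and the scratch-directory scenario are all constructed for the example.

```python
import os
import secrets
import tempfile

def write_session_unsafe(tmp_dir, session_id, data):
    """Predictable name + plain open(): follows any symlink already at the path."""
    path = os.path.join(tmp_dir, f"sess_{session_id}")  # hypothetical naming scheme
    with open(path, "w") as fh:
        fh.write(data)
    return path

def write_session_safe(tmp_dir, data, name=None):
    """Unguessable name by default, and never open a path that already exists."""
    name = name or "sess_" + secrets.token_hex(16)
    path = os.path.join(tmp_dir, name)
    # O_CREAT|O_EXCL fails if anything (including a symlink) is already at the path;
    # O_NOFOLLOW is a second guard against following a link in the final component.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path

def demo():
    """Constructed scenario, confined to a private scratch directory."""
    with tempfile.TemporaryDirectory() as root:
        shared_tmp = os.path.join(root, "tmp")
        os.mkdir(shared_tmp)
        important = os.path.join(root, "important.conf")
        with open(important, "w") as fh:
            fh.write("original")
        # A link already sitting at the guessable session path.
        os.symlink(important, os.path.join(shared_tmp, "sess_1001"))
        write_session_unsafe(shared_tmp, 1001, "session-data")
        with open(important) as fh:
            clobbered = fh.read() == "session-data"
        with open(important, "w") as fh:
            fh.write("original")
        try:
            write_session_safe(shared_tmp, "session-data", name="sess_1001")
            refused = False
        except FileExistsError:
            refused = True
        with open(important) as fh:
            intact = fh.read() == "original"
        fresh = write_session_safe(shared_tmp, "session-data")
        return clobbered, refused, intact, os.stat(fresh).st_mode & 0o777

if __name__ == "__main__":
    print(demo())
```

When the writer runs as root, the unsafe variant turns any file on the system into a possible target, which is why privileged code should create its scratch files in a directory only it can write to.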

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that the server can be rendered inoperable.

Vulnerable Version:

This vulnerability was tested against Installatron v9.0.5 for DirectAdmin and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in Installatron v9.0.6 for DirectAdmin. (We thank Installatron for their always prompt updates and commitment to security!)

Vendor Contact Timeline:

2013-11-20: Vendor contacted via email.
2013-11-20: Vendor confirms vulnerability.
2013-11-23: Vendor issues v9.0.6 update.
2013-11-23: Rack911 issues security advisory.

UNIXY Varnish (cPanel Plugin) – Privilege Escalation (R911-0093)

Wednesday, November 20th, 2013

Type: Privilege Escalation
Location: Local
Impact: Critical
Product: UNIXY cPanel Varnish
Website: http://www.unixy.net
Vulnerable Version: 1.8.4
Fixed Version: 1.8.6
CVE: -
R911: 0093
Date: 2013-11-20
By: Rack911

Product Description:

The UNIXY cPanel plugin comes with a Web interface to manage Varnish via cPanel WHM. The cPanel app takes the complexity out of Varnish in a consolidated one-stop interface. The script allows you to uninstall Varnish, modify Varnish settings, lookup caching stats, refresh the Varnish cache, restart Varnish, and much more!

Vulnerability Description:

A malicious user can escalate their privileges due to a symlink attack when Varnish is disabled by the end user. This flaw is exploitable by both resellers and normal cPanel users. In our testing we were able to obtain an interactive root shell in a matter of seconds.

Impact:

We have deemed this vulnerability to be rated as CRITICAL due to the fact that root access can be obtained.

Vulnerable Version:

This vulnerability was tested against UNIXY cPanel Varnish v1.8.4 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in UNIXY cPanel Varnish v1.8.6.

Vendor Contact Timeline:

2013-10-12: Vendor contacted via email.
2013-10-12: Vendor confirms vulnerability.
2013-11-18: Vendor issues v1.8.6 update.
2013-11-20: Rack911 issues security advisory.

UNIXY Varnish (cPanel Plugin) – Content Manipulation (R911-0092)

Wednesday, November 20th, 2013

Type: Content Manipulation
Location: Local
Impact: High
Product: UNIXY cPanel Varnish
Website: http://www.unixy.net
Vulnerable Version: 1.8.4
Fixed Version: 1.8.6
CVE: -
R911: 0092
Date: 2013-11-20
By: Rack911

Product Description:

The UNIXY cPanel plugin comes with a Web interface to manage Varnish via cPanel WHM. The cPanel app takes the complexity out of Varnish in a consolidated one-stop interface. The script allows you to uninstall Varnish, modify Varnish settings, lookup caching stats, refresh the Varnish cache, restart Varnish, and much more!

Vulnerability Description:

A malicious user can redirect any website on the server to a malicious website because the plugin installs Varnish in an insecure manner.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that any website on the server can be effectively hijacked.

Vulnerable Version:

This vulnerability was tested against UNIXY cPanel Varnish v1.8.4 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in UNIXY cPanel Varnish v1.8.6.

Vendor Contact Timeline:

2013-10-12: Vendor contacted via email.
2013-10-12: Vendor confirms vulnerability.
2013-11-18: Vendor issues v1.8.6 update.
2013-11-20: Rack911 issues security advisory.

UNIXY Varnish (cPanel Plugin) – Arbitrary File Access (R911-0091)

Wednesday, November 20th, 2013

Type: Arbitrary File Access
Location: Local
Impact: High
Product: UNIXY cPanel Varnish
Website: http://www.unixy.net
Vulnerable Version: 1.8.4
Fixed Version: 1.8.6
CVE: -
R911: 0091
Date: 2013-11-20
By: Rack911

Product Description:

The UNIXY cPanel plugin comes with a Web interface to manage Varnish via cPanel WHM. The cPanel app takes the complexity out of Varnish in a consolidated one-stop interface. The script allows you to uninstall Varnish, modify Varnish settings, lookup caching stats, refresh the Varnish cache, restart Varnish, and much more!

Vulnerability Description:

A malicious user can view the contents of any file on the server, regardless of ownership, because the plugin installs Varnish in an insecure manner.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that any file, including /etc/shadow, can be viewed.

Vulnerable Version:

This vulnerability was tested against UNIXY cPanel Varnish v1.8.4 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in UNIXY cPanel Varnish v1.8.6.

Vendor Contact Timeline:

2013-10-12: Vendor contacted via email.
2013-10-12: Vendor confirms vulnerability.
2013-11-18: Vendor issues v1.8.6 update.
2013-11-20: Rack911 issues security advisory.

Soholaunch (WHM Plugin) – Local Privilege Escalation (R911-0090)

Wednesday, November 20th, 2013

Type: Privilege Escalation
Location: Local
Impact: Critical
Product: Soholaunch (WHM Plugin)
Website: http://www.soholaunch.com
Vulnerable Version: v25
Fixed Version: v27
CVE: -
R911: 0090
Date: 2013-11-20
By: Rack911

Product Description:

Soholaunch Pro is not just an easy to use drag & drop site builder, but much more: it features a similarly easy to manage shopping cart system and allows you to create forms, newsletters, calendars, albums, blogs and more without the need to know any HTML code or scripting. All you need is your browser and your ideas.

Vulnerability Description:

The WHM plugin for Soholaunch Pro is vulnerable to a privilege escalation flaw during the update process that would allow an attacker to take control of any file on the server ultimately leading to a root compromise.

Impact:

We have deemed this vulnerability to be rated as CRITICAL due to the fact that root access can be obtained.

Vulnerable Version:

This vulnerability was tested against Soholaunch (WHM Plugin) v25 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in Soholaunch (WHM Plugin) v27.

Vendor Contact Timeline:

2013-09-28: Vendor contacted via email.
2013-11-19: Vendor confirms vulnerability.
2013-11-20: Vendor issues update.
2013-11-20: Rack911 issues security advisory.

Soholaunch (WHM Plugin) – Local Privilege Escalation (R911-0089)

Wednesday, November 20th, 2013

Type: Privilege Escalation
Location: Local
Impact: Critical
Product: Soholaunch (WHM Plugin)
Website: http://www.soholaunch.com
Vulnerable Version: v25
Fixed Version: v27
CVE: -
R911: 0089
Date: 2013-11-20
By: Rack911

Product Description:

Soholaunch Pro is not just an easy to use drag & drop site builder, but much more: it features a similarly easy to manage shopping cart system and allows you to create forms, newsletters, calendars, albums, blogs and more without the need to know any HTML code or scripting. All you need is your browser and your ideas.

Vulnerability Description:

The WHM plugin for Soholaunch Pro is vulnerable to a privilege escalation flaw during installation that would allow an attacker to take control of any file on the server ultimately leading to a root compromise.

Impact:

We have deemed this vulnerability to be rated as CRITICAL due to the fact that root access can be obtained.

Vulnerable Version:

This vulnerability was tested against Soholaunch (WHM Plugin) v25 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in Soholaunch (WHM Plugin) v27.

Vendor Contact Timeline:

2013-09-28: Vendor contacted via email.
2013-11-19: Vendor confirms vulnerability.
2013-11-20: Vendor issues update.
2013-11-20: Rack911 issues security advisory.

Admin-Ahead Bulk DNS TTL Changer – Input Validation Failure (R911-0088)

Monday, November 18th, 2013

Type: Input Validation Failure
Location: Remote
Impact: Medium
Product: Admin-Ahead Bulk DNS TTL Changer
Website: http://admin-ahead.com/aast-bulk-dns-ttl-changer-cpanelwhm-v1-0/
Vulnerable Version: 1.0.0
Fixed Version: 1.0.1
CVE: -
R911: 0088
Date: 2013-11-18
By: Rack911

Product Description:

Here we introduce the A-AST Bulk DNS TTL changer v1.0 for cPanel/WHM. With this interface, you get to lower TTL values for multiple domains all at once, and make sure that the DNS information that you change will take effect in a shorter interval of time. What’s more? Once your migration is complete, you can use this same tool to raise the DNS TTL values of multiple domains and thus make life a little easier on name servers.

Vulnerability Description:

There is an input validation failure vulnerability that would allow an attacker to modify the TTL of any domain on the server.

Impact:

We have deemed this vulnerability to be rated as MEDIUM due to the fact that any domain’s TTL can be modified.

Vulnerable Version:

This vulnerability was tested against Admin-Ahead Bulk DNS TTL Changer v1.0.0 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in Admin-Ahead Bulk DNS TTL Changer v1.0.1.

Vendor Contact Timeline:

2013-11-17: Vendor contacted via email.
2013-11-17: Vendor confirms vulnerability.
2013-11-18: Vendor issues 1.0.1 update.
2013-11-18: Rack911 issues security advisory.