Archive for January, 2014

BetterLinux – Arbitrary Command Execution (cPanel) Vulnerability (R911-0118)

Friday, January 24th, 2014

Type: Arbitrary Command Execution
Location: Remote
Impact: Critical
Product: BetterLinux
Website: http://www.betterlinux.com
Vulnerable Version: 1.1.3-1
Fixed Version: 1.1.4-2
CVE: -
R911: 0118
Date: 2014-01-24
By: Rack911

Product Description:

BetterLinux is a collection of tools for system resource management, monitoring, and security intended for hosting providers, data centers, SaaS companies, and cloud environments. With it, you can control use and allocation of CPU, memory, MySQL, device I/O bandwidth, and IP bandwidth resources all within a secure environment. Individual users and processes that exceed set resource limits can be isolated from other system users and throttled as necessary.

Vulnerability Description:

BetterLinux, when installed alongside cPanel, suffers from an arbitrary command execution vulnerability that leads directly to privilege escalation, because the injected commands are executed as root. Our exploit requires reseller access; under certain conditions, however, the same exploit is possible from a normal cPanel user account.

Impact:

We rate this vulnerability CRITICAL because root access can be obtained.

Vulnerable Version:

This vulnerability was tested against BetterLinux 1.1.3-1 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in BetterLinux 1.1.4-2.

Vendor Contact Timeline:

2013-12-26: Vendor contacted via email.
2013-12-26: Vendor confirms vulnerability.
2014-01-23: Vendor issues updates to all builds.
2014-01-24: Rack911 issues security advisory.

BetterLinux – Arbitrary File Access (cPanel) Vulnerability (R911-0117)

Friday, January 24th, 2014

Type: Arbitrary File Access
Location: Remote
Impact: High
Product: BetterLinux
Website: http://www.betterlinux.com
Vulnerable Version: 1.1.3-1
Fixed Version: 1.1.4-2
CVE: -
R911: 0117
Date: 2014-01-24
By: Rack911

Product Description:

BetterLinux is a collection of tools for system resource management, monitoring, and security intended for hosting providers, data centers, SaaS companies, and cloud environments. With it, you can control use and allocation of CPU, memory, MySQL, device I/O bandwidth, and IP bandwidth resources all within a secure environment. Individual users and processes that exceed set resource limits can be isolated from other system users and throttled as necessary.

Vulnerability Description:

BetterLinux, when installed alongside cPanel, suffers from an arbitrary file access vulnerability that can be used to read files inside directories the user would otherwise be unable to access. The biggest concern is cPanel's config cache directory, which contains the root MySQL password and can be read through a symlink attack, but any file on the system, /etc/shadow included, can be read the same way.
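The symlink attack named above is a general class: a helper running as root reads a file at a path the unprivileged user controls, and the user points that path at something they could not read themselves. The following is an added example, not BetterLinux or cPanel code; the advisory does not describe the vulnerable code path, so the scenario (a root helper reading a file on a user's behalf), the function names and the sample files are all assumed or constructed here. It shows the vulnerable pattern beside the hardened one: open every path component with O_NOFOLLOW relative to the previous directory descriptor, then require that the final regular file is owned by the user the read is performed for.

```python
"""Privileged file read: symlink-following vs. symlink-safe.

Added illustration of the symlink-attack class the advisory describes; this
is not BetterLinux or cPanel code, and the scenario is assumed: a helper
running as root reads a file on behalf of an unprivileged user who chooses
the path. POSIX only (uses O_NOFOLLOW, dir_fd and getuid).
"""
import os
import stat
import tempfile


def read_following_symlinks(path: str) -> bytes:
    """Vulnerable pattern: plain open() follows symlinks, so a user who can
    plant a link in a directory the helper reads from receives the link
    target with the helper's privileges (root-owned files included)."""
    with open(path, "rb") as f:
        return f.read()


def read_as_user(path: str, expected_uid: int) -> bytes:
    """Hardened pattern. Each path component is opened relative to the
    previous directory descriptor with O_NOFOLLOW, so no link is followed
    anywhere in the path and a component cannot be swapped for a link
    between check and use. The final object must be a regular file owned
    by the user the read is performed for."""
    parts = [p for p in path.split(os.sep) if p]
    if not os.path.isabs(path) or not parts:
        raise ValueError("absolute path to a file required")
    dir_fd = os.open("/", os.O_RDONLY | os.O_DIRECTORY)
    try:
        for name in parts[:-1]:
            nxt = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                          dir_fd=dir_fd)
            os.close(dir_fd)
            dir_fd = nxt
        fd = os.open(parts[-1], os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        if st.st_uid != expected_uid:
            raise PermissionError("file is not owned by the requesting user")
    except BaseException:
        os.close(fd)
        raise
    with os.fdopen(fd, "rb") as f:
        return f.read()


def demo() -> dict:
    """Constructed scenario in a temp dir: 'secret' stands in for a file the
    user must not see (the advisory's example is cPanel's config cache with
    the root MySQL password), 'link' is the attacker's symlink to it, and
    'own' is a file the user legitimately owns."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        d = os.path.realpath(tmp)  # resolve /tmp itself if it is a symlink
        secret, link, own = (os.path.join(d, n) for n in ("secret", "link", "own"))
        with open(secret, "wb") as f:
            f.write(b"mysql-root-password")  # constructed sample content
        with open(own, "wb") as f:
            f.write(b"hello")
        os.symlink(secret, link)
        uid = os.getuid()

        results["vulnerable_via_link"] = read_following_symlinks(link)
        try:
            read_as_user(link, uid)
            results["hardened_via_link"] = "read"
        except OSError:  # ELOOP: O_NOFOLLOW refused the symlink
            results["hardened_via_link"] = "refused"
        results["hardened_own_file"] = read_as_user(own, uid)
        try:
            read_as_user(own, uid + 1)  # same file, requested for another user
            results["hardened_wrong_owner"] = "read"
        except PermissionError:
            results["hardened_wrong_owner"] = "refused"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The ownership check is what actually closes the hole: refusing symlinks alone still lets a user hardlink a root-owned file into a directory they control, and the hardlink keeps its original owner, so fstat on the opened descriptor catches it. Dropping root privileges for the duration of the read (setresuid to the requesting user) is the other standard answer and removes the need for the manual check entirely.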

Impact:

We rate this vulnerability HIGH because any file can be read regardless of ownership, which can lead to privilege escalation.

Vulnerable Version:

This vulnerability was tested against BetterLinux 1.1.3-1 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in BetterLinux 1.1.4-2.

Vendor Contact Timeline:

2013-12-26: Vendor contacted via email.
2013-12-26: Vendor confirms vulnerability.
2014-01-23: Vendor issues updates to all builds.
2014-01-24: Rack911 issues security advisory.

Vision HelpDesk – View Article SQL Injection Vulnerability (R911-0116)

Friday, January 24th, 2014

Type: SQL Injection
Location: Remote
Impact: High
Product: Vision HelpDesk
Website: http://www.thevisionworld.com/
Vulnerable Version: 3.8.4
Fixed Version: 3.8.6
CVE: -
R911: 0116
Date: 2014-01-24
By: Rack911

Product Description:

Vision Helpdesk is, according to the vendor, the only web-based help desk software that allows support for multiple companies to be managed in one place, with a single staff portal for all companies and a separate client portal for each company.

Vulnerability Description:

An SQL injection in the View Article function allows a malicious user to retrieve arbitrary information from the database.
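To make "any information from the database" concrete, here is an added example of the bug class, not Vision HelpDesk code. The advisory does not say which parameter is injected, so the assumption that it is the article identifier, the schema, the sample rows and the function names are all constructed for the illustration. It places the interpolated query beside the parameterized fix and runs a tautology payload (widens the WHERE clause to staff-only articles) and a UNION payload (reads a completely different table) against both.

```python
"""SQL injection in an article lookup: interpolated vs. parameterized query.

Added illustration of the bug class the advisory names; this is not Vision
HelpDesk code. The schema, the sample rows and the assumption that the
article identifier is the injected parameter are all constructed here.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database: public and staff-only articles plus a
    staff table the View Article function should never be able to reach."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT,
                               public INTEGER);
        INSERT INTO articles VALUES (1, 'Getting started', 'Public intro', 1);
        INSERT INTO articles VALUES (2, 'Escalation procedure', 'Staff only', 0);
        CREATE TABLE staff (id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT);
        INSERT INTO staff VALUES (1, 'admin@example.invalid', 'constructed-hash');
    """)
    return conn


def view_article_vulnerable(conn, article_id: str) -> list:
    """Vulnerable: the request parameter is pasted into the statement, so
    the attacker writes part of the query."""
    sql = ("SELECT title, body FROM articles "
           f"WHERE public = 1 AND id = {article_id}")
    return conn.execute(sql).fetchall()


def view_article_fixed(conn, article_id: str) -> list:
    """Fixed: validate the type, then bind the value. The driver sends it as
    data, so it cannot change the statement's structure."""
    try:
        aid = int(article_id)
    except (TypeError, ValueError):
        return []
    return conn.execute(
        "SELECT title, body FROM articles WHERE public = 1 AND id = ?", (aid,)
    ).fetchall()


TAUTOLOGY = "1 OR 1=1"                              # widens the WHERE clause
UNION = "0 UNION SELECT email, pw_hash FROM staff"  # reads another table


def demo() -> dict:
    """Run a legitimate request and both payloads against each version."""
    conn = make_db()
    return {
        "legit_vulnerable": view_article_vulnerable(conn, "1"),
        "legit_fixed": view_article_fixed(conn, "1"),
        "tautology_vulnerable": view_article_vulnerable(conn, TAUTOLOGY),
        "union_vulnerable": view_article_vulnerable(conn, UNION),
        "tautology_fixed": view_article_fixed(conn, TAUTOLOGY),
        "union_fixed": view_article_fixed(conn, UNION),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The UNION case is the one that matters for this advisory's impact rating: once the attacker controls the tail of the statement, the `public = 1` filter and the `articles` table are irrelevant, and any table the application's database account can read is exposed. Binding the parameter removes that; running the web application under a database account that cannot read the staff table limits the damage if another injection is missed.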

Impact:

We rate this vulnerability HIGH because sensitive information can be obtained.

Vulnerable Version:

This vulnerability was tested against Vision HelpDesk 3.8.4 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in Vision HelpDesk 3.8.6.

Vendor Contact Timeline:

2014-01-17: Vendor contacted via email.
2014-01-17: Vendor confirms vulnerability.
2014-01-23: Vendor issues updates to all builds.
2014-01-24: Rack911 issues security advisory.

CloudFlare (cPanel) – Cloudflare_data.yaml File Deletion Vulnerability (R911-0115)

Tuesday, January 21st, 2014

Type: File Deletion
Location: Local
Impact: Medium
Product: CloudFlare (cPanel Plugin)
Website: http://www.cloudflare.com
Vulnerable Version: 4.5
Fixed Version: 4.7
CVE: -
R911: 0115
Date: 2014-01-21
By: Rack911

Product Description:

CloudFlare protects and accelerates any website online. Once your website is a part of the CloudFlare community, its web traffic is routed through our intelligent global network. We automatically optimize the delivery of your web pages so your visitors get the fastest page load times and best performance. We also block threats and limit abusive bots and crawlers from wasting your bandwidth and server resources. The result: CloudFlare-powered websites see a significant improvement in performance and a decrease in spam and other attacks.

Vulnerability Description:

Due to an input validation failure, a malicious user can delete the Cloudflare_Data.yaml file belonging to any other user on a server running CloudFlare's cPanel plugin.

Impact:

We rate this vulnerability MEDIUM because a malicious user can interfere with other users' CloudFlare configurations; no sensitive data can be obtained.

Vulnerable Version:

This vulnerability was tested against CloudFlare (cPanel Plugin) v4.5 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in CloudFlare (cPanel Plugin) v4.7.

Vendor Contact Timeline:

2014-01-16: Vendor contacted via email.
2014-01-16: Vendor confirms vulnerability.
2014-01-19: Vendor issues updates to all builds.
2014-01-21: Rack911 issues security advisory.

Softaculous – Upgrade Installation (cPanel) Privilege Escalation (R911-0114)

Thursday, January 16th, 2014

Type: Privilege Escalation
Location: Local
Impact: Critical
Product: Softaculous
Website: http://www.softaculous.com
Vulnerable Version: 4.3.9
Fixed Version: 4.4.0
CVE: -
R911: 0114
Date: 2014-01-16
By: Rack911

Product Description:

Softaculous is the leading auto installer with over 300 applications that can be installed by a click of the mouse. The software is in use by thousands of web hosting companies and works with various control panels such as cPanel, Plesk, DirectAdmin, InterWorx and H-Sphere.

Vulnerability Description:

A malicious reseller can exploit a privilege escalation vulnerability in the Upgrade Installation function of Softaculous for cPanel, leading to a root compromise.

Impact:

We rate this vulnerability CRITICAL because interactive root access can be obtained.

Vulnerable Version:

This vulnerability was tested against Softaculous v4.3.9 for cPanel; it may also exist in the builds for other control panels.

Fixed Version:

This vulnerability was patched in Softaculous v4.4.0.

Vendor Contact Timeline:

2014-01-14: Vendor contacted via email.
2014-01-14: Vendor confirms vulnerability.
2014-01-15: Vendor issues v4.4.0 update.
2014-01-16: Rack911 issues security advisory.

HostBill – Estimate (Client) Input Validation Failure (R911-0113)

Monday, January 6th, 2014

Type: Input Validation
Location: Remote
Impact: Medium
Product: HostBill
Website: http://www.hostbillapp.com
Vulnerable Version: 2013-12-14
Fixed Version: 2014-01-03
CVE: -
R911: 0113
Date: 2014-01-06
By: Rack911

Product Description:

Whether you resell hosting or lease colocation space, you need to bill your customers. HostBill platform's core components are designed to help you acquire customers, automate your services and ensure that invoices are paid on time.

Vulnerability Description:

Due to input validation failures, a malicious user can brute-force the estimates belonging to any client, which can expose sensitive information.

Impact:

We rate this vulnerability MEDIUM because sensitive information could be obtained.

Vulnerable Version:

This vulnerability was tested against HostBill v2013-12-14. (Yes, that is the version!)

Fixed Version:

This vulnerability was patched in HostBill v2014-01-03.

Vendor Contact Timeline:

2013-12-30: Vendor contacted via email.
2013-12-30: Vendor confirms vulnerability.
2014-01-03: Vendor issues 2014-01-03 update.
2014-01-06: Rack911 issues security advisory.

HostBill – Submit Ticket (Hidden Department) Input Validation Failure (R911-0112)

Monday, January 6th, 2014

Type: Input Validation
Location: Remote
Impact: Medium
Product: HostBill
Website: http://www.hostbillapp.com
Vulnerable Version: 2013-12-14
Fixed Version: 2014-01-03
CVE: -
R911: 0112
Date: 2014-01-06
By: Rack911

Product Description:

Whether you resell hosting or lease colocation space, you need to bill your customers. HostBill platform's core components are designed to help you acquire customers, automate your services and ensure that invoices are paid on time.

Vulnerability Description:

Due to an input validation failure, a malicious user can submit trouble tickets to a hidden department and learn that department's name.

Impact:

We rate this vulnerability MEDIUM because internal department information can be disclosed.

Vulnerable Version:

This vulnerability was tested against HostBill v2013-12-14. (Yes, that is the version!)

Fixed Version:

This vulnerability was patched in HostBill v2014-01-03.

Vendor Contact Timeline:

2013-12-30: Vendor contacted via email.
2013-12-30: Vendor confirms vulnerability.
2014-01-03: Vendor issues 2014-01-03 update.
2014-01-06: Rack911 issues security advisory.

Softaculous – Import (cPanel) Privilege Escalation (R911-0111)

Thursday, January 2nd, 2014

Type: Privilege Escalation
Location: Local
Impact: Critical
Product: Softaculous
Website: http://www.softaculous.com
Vulnerable Version: 4.3.6
Fixed Version: 4.3.8
CVE: -
R911: 0111
Date: 2014-01-02
By: Rack911

Product Description:

Softaculous is the leading auto installer with over 300 applications that can be installed by a click of the mouse. The software is in use by thousands of web hosting companies and works with various control panels such as cPanel, Plesk, DirectAdmin, InterWorx and H-Sphere.

Vulnerability Description:

A malicious user can exploit a privilege escalation vulnerability in the Import function of Softaculous for cPanel, leading to a root compromise.

Impact:

We rate this vulnerability CRITICAL because interactive root access can be obtained.

Vulnerable Version:

This vulnerability was tested against Softaculous v4.3.6 for cPanel; it may also exist in the builds for other control panels.

Fixed Version:

This vulnerability was patched in Softaculous v4.3.8.

Vendor Contact Timeline:

2013-12-31: Vendor contacted via email.
2014-01-01: Vendor confirms vulnerability.
2014-01-02: Vendor issues v4.3.8 update.
2014-01-02: Rack911 issues security advisory.