Archive for February, 2014

HostBill – Staff Tickets Blind SQL Injection Vulnerability (R911-0130)

Tuesday, February 25th, 2014

Type: SQL Injection
Location: Remote
Impact: Medium
Product: HostBill
Website: http://www.hostbillapp.com
Vulnerable Version: 2014-02-22
Fixed Version: 2014-02-24
CVE: -
R911: 0130
Date: 2014-02-25
By: Rack911

Product Description:

Whether you resell hosting or lease colocation space, you need to bill your customers. HostBill platform’s core components are designed to help you acquire customers, automate your services and ensure that invoices are paid on time.

Vulnerability Description:

It is possible for an authorized staff member to perform a blind SQL injection against HostBill to obtain sensitive information and/or escalate their privileges.

Impact:

We have deemed this vulnerability to be rated as MEDIUM due to the fact that authorized staff access is required. It is not possible for an unprivileged user to exploit this vulnerability.

Vulnerable Version:

This vulnerability was tested against HostBill 2014-02-22. (Yes, that is the version!)

Fixed Version:

This vulnerability was patched in HostBill 2014-02-24.

Vendor Contact Timeline:

2014-02-24: Vendor contacted via email.
2014-02-24: Vendor confirms vulnerability.
2014-02-24: Vendor issues 2014-02-24 update.
2014-02-25: Rack911 issues security advisory.

InterWorx – SiteWorx MySQL Password Disclosure Vulnerability (R911-0129)

Thursday, February 20th, 2014

Type: Password Disclosure
Location: Local
Impact: High
Product: InterWorx
Website: http://www.interworx.com
Vulnerable Version: v5.0.12 #569
Fixed Version: v5.0.13 #574
CVE: -
R911: 0129
Date: 2014-02-20
By: Rack911

Product Description

The InterWorx control panel is a Linux based dedicated server and VPS web control panel. It is feature rich for both the system administrator and website administrator, and it supports software-based load balancing and clustering via a web interface.

Vulnerability Description

It is possible for a malicious user to obtain the MySQL password to the ‘iworx’ user when executing a carefully crafted shell command while performing various tasks within SiteWorx.

Impact

We have deemed this vulnerability to be rated as HIGH due to the fact that access to customer databases can be obtained as they are stored under the ‘iworx’ user.

Vulnerable Version

This vulnerability was tested against InterWorx v5.0.12 #569 and is believed to exist in all prior versions.

Fixed Version

This vulnerability was patched in InterWorx v5.0.13 #574.

Vendor Contact Timeline

2014-01-27: Vendor contacted via email.
2014-01-17: Vendor confirms vulnerability.
2014-02-19: Vendor issues update.
2014-02-20: Rack911 issues security advisory.

Vision HelpDesk – XSS Admin Hijack (R911-0128)

Friday, February 14th, 2014

Type: XSS
Location: Remote
Impact: High
Product: Vision HelpDesk
Website: http://www.thevisionworld.com/
Vulnerable Version: 3.8.6
Fixed Version: 3.8.8
CVE: -
R911: 0128
Date: 2014-02-14
By: Rack911

Product Description:

Vision Helpdesk is the only web based Help Desk Software that allows you to manage support for multiple companies in one place, with a single staff portal for all companies and each company having its own client portal.

Vulnerability Description:

There is an XSS vulnerability present that would allow a malicious user to obtain the admin session cookie which could then be used to hijack access to the panel.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that the admin account(s) can be hijacked.

Vulnerable Version:

This vulnerability was tested against Vision HelpDesk 3.8.6 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in Vision HelpDesk 3.8.8.

Vendor Contact Timeline:

2014-01-26: Vendor contacted via email.
2014-01-26: Vendor confirms vulnerability.
2014-02-14: Vendor issues updates to all builds.
2014-02-14: Rack911 issues security advisory.

Vision HelpDesk – Profile Input Validation Failure (R911-0127)

Friday, February 14th, 2014

Type: Input Validation
Location: Remote
Impact: High
Product: Vision HelpDesk
Website: http://www.thevisionworld.com/
Vulnerable Version: 3.8.6
Fixed Version: 3.8.8
CVE: -
R911: 0127
Date: 2014-02-14
By: Rack911

Product Description:

Vision Helpdesk is the only web based Help Desk Software that allows you to manage support for multiple companies in one place, with a single staff portal for all companies and each company having its own client portal.

Vulnerability Description:

There is an input validation vulnerability within the profile function that could allow a malicious user to effectively hijack any other account.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that sensitive information can be obtained.

Vulnerable Version:

This vulnerability was tested against Vision HelpDesk 3.8.6 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in Vision HelpDesk 3.8.8.

Vendor Contact Timeline:

2014-01-26: Vendor contacted via email.
2014-01-26: Vendor confirms vulnerability.
2014-02-14: Vendor issues updates to all builds.
2014-02-14: Rack911 issues security advisory.

Vision HelpDesk – Add Contact Input Validation Failure (R911-0126)

Friday, February 14th, 2014

Type: Input Validation
Location: Remote
Impact: High
Product: Vision HelpDesk
Website: http://www.thevisionworld.com/
Vulnerable Version: 3.8.6
Fixed Version: 3.8.8
CVE: -
R911: 0126
Date: 2014-02-14
By: Rack911

Product Description:

Vision Helpdesk is the only web based Help Desk Software that allows you to manage support for multiple companies in one place, with a single staff portal for all companies and each company having its own client portal.

Vulnerability Description:

There is an input validation vulnerability within the add contact function that could allow a malicious user to effectively hijack any other account.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that sensitive information can be obtained.

Vulnerable Version:

This vulnerability was tested against Vision HelpDesk 3.8.6 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in Vision HelpDesk 3.8.8.

Vendor Contact Timeline:

2014-01-26: Vendor contacted via email.
2014-01-26: Vendor confirms vulnerability.
2014-02-14: Vendor issues updates to all builds.
2014-02-14: Rack911 issues security advisory.

cPanel – Horde Backup Archive Insecure File Permissions (R911-0125)

Friday, February 14th, 2014

Type: Insecure File Permissions
Location: Local
Impact: Medium
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: 11.42.0.4
Fixed Version: 11.42.0.6
CVE: -
R911: 0125
Date: 2014-02-14
By: Rack911

Product Description

cPanel is an easy-to-use control panel that gives web hosts and the website owners they serve the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description

Due to a backup archive being stored with world readable permissions, it is possible for a malicious user to obtain the MySQL password for the Horde database.
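A defender-side check for this class of issue, added here as an example and not cPanel's or Rack911's code: walk a directory tree, flag backup-style files whose mode grants read access to "other", and optionally strip the group/world bits. The directory layout, file names and suffix list are constructed for the example; the real Horde archive path is not given on this page.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Iterable, List

# Assumed suffixes of files that typically hold credentials or database dumps
# (constructed list; adjust to the deployment being audited).
SENSITIVE_SUFFIXES = (".tar.gz", ".tgz", ".sql", ".sql.gz", ".conf")

def world_readable(path: Path) -> bool:
    """True if the 'other' read bit is set on the file itself (not a symlink target)."""
    return bool(path.lstat().st_mode & stat.S_IROTH)

def find_world_readable(root: Path, suffixes: Iterable[str] = SENSITIVE_SUFFIXES) -> List[str]:
    """Return root-relative paths of regular files matching a sensitive suffix
    that any local user could read."""
    suffixes = tuple(suffixes)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name.endswith(suffixes) and not p.is_symlink() and world_readable(p):
                hits.append(str(p.relative_to(root)))
    return sorted(hits)

def harden(path: Path) -> int:
    """Drop group and other permission bits, keeping only the owner's; returns the new mode."""
    mode = stat.S_IMODE(path.lstat().st_mode) & 0o700
    os.chmod(path, mode)
    return mode

def demo() -> List[str]:
    """Constructed fixture: one archive left at 0644 and one at 0600.
    Returns what the scan flags before hardening (expected: only the 0644 file)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "backups").mkdir()
        leaky = root / "backups" / "horde.sql.gz"     # constructed name
        leaky.write_bytes(b"constructed sample dump")
        os.chmod(leaky, 0o644)
        safe = root / "backups" / "mail.tar.gz"       # constructed name
        safe.write_bytes(b"constructed sample archive")
        os.chmod(safe, 0o600)
        flagged = find_world_readable(root)
        for rel in flagged:
            harden(root / rel)
        assert find_world_readable(root) == []        # nothing leaks after hardening
        return flagged

if __name__ == "__main__":
    print(demo())
```

Running the scan as a periodic job over backup and configuration directories catches regressions like this one, where a later build changes how an archive is written and silently widens its permissions.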

Impact

We have deemed this vulnerability to be rated as MEDIUM due to the fact that some sensitive information in the Horde database can be obtained.

Vulnerable Version

This vulnerability was tested against cPanel 11.42.0.4.

Fixed Version

This vulnerability was patched in cPanel 11.42.0.6.

Vendor Contact Timeline

2014-02-05: Vendor contacted via email.
2014-02-05: Vendor confirms vulnerability.
2014-02-12: Vendor issues updates to all builds.
2014-02-14: Rack911 issues security advisory.

cPanel – WWWAcct Privilege Escalation Vulnerability (R911-0124)

Wednesday, February 5th, 2014

Type: Privilege Escalation
Location: Remote
Impact: High
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.42.0.4, 11.40.1.10 & 11.38.2.16
CVE: -
R911: 0124
Date: 2014-02-05
By: Rack911

Product Description:

cPanel is an easy-to-use control panel that gives web hosts and the website owners they serve the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

It is possible for a reseller to take over any account on the server due to a privilege escalation security vulnerability within the wwwacct (new account) feature.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that any cPanel account can be effectively taken over.

Vulnerable Version:

This vulnerability was tested against cPanel 11.40.0 #19 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in cPanel 11.42.0.4, 11.40.1.10 & 11.38.2.16.

Vendor Contact Timeline:

2013-12-25: Vendor contacted via email.
2014-01-08: Vendor confirms vulnerability.
2014-02-03: Vendor issues updates to all builds.
2014-02-05: Rack911 issues security advisory.

cPanel – DNS Cluster Arbitrary Command Execution Vulnerability (R911-0123)

Wednesday, February 5th, 2014

Type: Arbitrary Command Execution
Location: Remote
Impact: High
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.42.0.4, 11.40.1.10 & 11.38.2.16
CVE: -
R911: 0123
Date: 2014-02-05
By: Rack911

Product Description:

cPanel is an easy-to-use control panel that gives web hosts and the website owners they serve the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

Due to an arbitrary command execution flaw within the DNS clustering system, it is possible for a reseller to run ANY command as root, which ultimately leads to privilege escalation. This vulnerability also involves an input validation failure.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that root access can be obtained.

Vulnerable Version:

This vulnerability was tested against cPanel 11.40.0 #19 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in cPanel 11.42.0.4, 11.40.1.10 & 11.38.2.16.

Vendor Contact Timeline:

2014-01-09: Vendor contacted via email.
2014-01-10: Vendor confirms vulnerability.
2014-02-03: Vendor issues updates to all builds.
2014-02-05: Rack911 issues security advisory.

cPanel – Modifyacct Input Validation Failure (R911-0122)

Wednesday, February 5th, 2014

Type: Input Validation Failure
Location: Remote
Impact: High
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.42.0.4, 11.40.1.10 & 11.38.2.16
CVE: -
R911: 0122
Date: 2014-02-05
By: Rack911

Product Description:

cPanel is an easy-to-use control panel that gives web hosts and the website owners they serve the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

It is possible for a reseller to bypass the actual account modification process by using a null byte (%00) to send commands directly to hooks. There does not appear to be any sanitization of special characters, and as a result cPanel has put many plugins with hooks tied into modifyacct at risk of being compromised.
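The general defence the advisory points at is validating every parameter before any hook sees it, and rejecting (not stripping) null bytes and other control characters. The following is an added illustration, not cPanel's code and not the project's hook API: the username policy, the `run_modifyacct` dispatcher and the hook signature are all assumptions made for the example. `cstring_view` models why a null byte matters: a NUL-terminated consumer sees a shorter value than the one the validating layer inspected.

```python
import re
from urllib.parse import unquote
from typing import Callable, Dict, List

# Assumed policy (constructed for this example, not cPanel's own rule):
# an account name is a short lowercase alphanumeric token starting with a letter.
USERNAME_RE = re.compile(r"[a-z][a-z0-9]{0,15}")

def validate_username(raw: str) -> str:
    """Decode a URL-encoded parameter and accept only a plain account name.
    NUL and other control characters are rejected outright; silently stripping
    them would let the checked value differ from what a consumer later sees."""
    value = unquote(raw)                      # "%00" becomes "\x00" here
    if "\x00" in value:
        raise ValueError("NUL byte in parameter")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise ValueError("control character in parameter")
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("not a valid account name: %r" % value)
    return value

def is_accepted(raw: str) -> bool:
    """Convenience wrapper: True if validate_username would accept the value."""
    try:
        validate_username(raw)
        return True
    except ValueError:
        return False

def cstring_view(value: str) -> str:
    """What a NUL-terminated consumer sees: everything after the first NUL is gone.
    A validator that only inspects the prefix therefore checks the wrong thing."""
    return value.split("\x00", 1)[0]

def run_modifyacct(params: Dict[str, str], hooks: List[Callable[[str], None]]) -> str:
    """Hypothetical dispatcher: validate first, then fan out to hooks, so hooks
    only ever receive values that passed the same policy as the main code path."""
    user = validate_username(params.get("user", ""))
    for hook in hooks:
        hook(user)
    return user

if __name__ == "__main__":
    seen: List[str] = []
    print(run_modifyacct({"user": "alice"}, [seen.append]), seen)
    print(is_accepted("alice%00extra"))      # rejected: NUL after decoding
    print(repr(cstring_view("alice\x00extra")))
```

The important design point is the order: decoding happens once, validation runs on the decoded bytes, and only then does control pass to code the core application does not own.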

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that cPanel plugins using various hooks dependent on modifyacct can be compromised.

Vulnerable Version:

This vulnerability was tested against cPanel 11.40.0 #19 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in cPanel 11.42.0.4, 11.40.1.10 & 11.38.2.16.

Vendor Contact Timeline:

2013-12-25: Vendor contacted via email.
2014-01-08: Vendor confirms vulnerability.
2014-02-03: Vendor issues updates to all builds.
2014-02-05: Rack911 issues security advisory.

R-fx Networks BFD – Log Forging (Deny IP) Vulnerability (R911-0121)

Monday, February 3rd, 2014

Type: Log Forging
Location: Local
Impact: High
Product: R-fx Networks BFD
Website: https://www.rfxn.com
Vulnerable Version: 1.5
Fixed Version: 1.5-1
CVE: -
R911: 0121
Date: 2014-02-03
By: Rack911

Product Description:

BFD is a modular shell script for parsing application logs and checking for authentication failures. It does this using a rules system where application specific options are stored including regular expressions for each unique auth format.

Vulnerability Description:

Through the use of log forging, it is possible to trick BFD into blocking any IP range (e.g. 24.0.0.0/8), which could easily allow a malicious user to create a DoS against the server by blocking every single IPv4 address with minimal effort.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that any user, including administrators, can have their IPs blocked.

Vulnerable Version:

This vulnerability was tested against R-fx Networks BFD 1.5 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in R-fx Networks BFD 1.5-1; however, the ability to maliciously block a *single* IP address remains. Please read the following forum post for mitigation suggestions:

http://www.webhostingtalk.com/showthread.php?t=1344458
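The two defensive controls implied by this advisory and its fixed-version note are (a) never let a value parsed out of a log become a ban target unless it is one literal IP address, so a forged entry cannot widen a ban into a netblock, and (b) keep an operator allowlist so administrator addresses cannot be banned by a forged single-address entry. The code below is an added example, not BFD's own script or rules: the auth-failure regex, the allowlist and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from typing import Iterable, List, Optional

# Constructed rule in the spirit of a per-application auth-failure regex
# (not BFD's own): whatever follows "from " is the candidate offender.
FAIL_RE = re.compile(r"Failed password for \S+ from (\S+) port \d+")

# Assumed operator allowlist (constructed, documentation range): never ban these.
ADMIN_ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample log lines, not captured from a real host.
SAMPLE_LINES = [
    "sshd[101]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "sshd[102]: Failed password for root from 24.0.0.0/8 port 22 ssh2",      # range, not an address
    "sshd[103]: Failed password for admin from 198.51.100.5 port 40000 ssh2",  # allowlisted
    "sshd[104]: Failed password for root from evil.example port 22 ssh2",      # hostname
    "sshd[105]: Accepted password for alice from 203.0.113.9 port 50000 ssh2", # not a failure
]

def extract_source(line: str) -> Optional[str]:
    """Raw 'from' token of an auth-failure line, or None if the rule does not match."""
    m = FAIL_RE.search(line)
    return m.group(1) if m else None

def safe_deny_target(candidate: str, allowlist=ADMIN_ALLOWLIST) -> Optional[str]:
    """Accept exactly one literal IP address that is routable-looking and not
    allowlisted. CIDR ranges, hostnames and any other token are refused, so a
    forged entry cannot turn one ban into a netblock-wide denial of service."""
    try:
        addr = ipaddress.ip_address(candidate)   # raises on "24.0.0.0/8" and hostnames
    except ValueError:
        return None
    if addr.is_loopback or addr.is_unspecified or addr.is_multicast:
        return None
    if any(addr in net for net in allowlist):
        return None
    return str(addr)

def deny_targets(lines: Iterable[str]) -> List[str]:
    """Run the rule over log lines and return the de-duplicated addresses that may be banned."""
    targets: List[str] = []
    for line in lines:
        src = extract_source(line)
        if src is None:
            continue
        ok = safe_deny_target(src)
        if ok is not None and ok not in targets:
            targets.append(ok)
    return targets

if __name__ == "__main__":
    print(deny_targets(SAMPLE_LINES))
```

`ipaddress.ip_address` is deliberately used instead of `ip_network`: the latter would happily parse `24.0.0.0/8`, which is exactly the value a ban list must never receive from a log parser.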

Vendor Contact Timeline:

2014-01-26: Vendor contacted via email.
2014-01-27: Vendor confirms vulnerability.
2014-01-29: Vendor issues update.
2014-02-03: Rack911 issues security advisory.