Archive for March, 2014

cPanel – Log Directory Insecure File Permissions (R911-0140)

Monday, March 31st, 2014

Type: Insecure Permissions
Location: Local
Impact: Medium
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.42.0.23, 11.40.1.13 & 11.38.2.23
CVE: -
R911: 0140
Date: 2014-03-31
By: Rack911

Product Description:

cPanel is an easy-to-use control panel that gives web hosts, and the website owners they serve, the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

The cPanel logs directory /usr/local/cpanel/logs contained various log files, some of which were user readable. Some of those log files, under certain circumstances, could contain sensitive information.
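The defensive check that corresponds to this class of issue is a permissions audit of the log directory. The following Python script is an added example, not Rack911's code or cPanel's; it builds a throwaway directory with constructed sample files (the file names are placeholders, not the actual contents of /usr/local/cpanel/logs) and reports every regular file whose mode bits make it readable by accounts other than the owner. Point find_exposed_files() at a real log directory to audit it; symlinks are skipped so a link planted in the directory cannot redirect the audit.

```python
import os
import stat
import tempfile

# Mode bits that expose a file beyond its owner.
OTHER_READ = stat.S_IROTH
GROUP_READ = stat.S_IRGRP


def find_exposed_files(directory, flag_group=False):
    """Return sorted (relative_path, octal_mode) pairs for regular files
    readable by 'other' (and, if flag_group is set, by 'group').
    lstat is used so symlinks are never followed."""
    exposed = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, etc.
            mode = stat.S_IMODE(st.st_mode)
            if mode & OTHER_READ or (flag_group and mode & GROUP_READ):
                exposed.append((os.path.relpath(path, directory), oct(mode)))
    return sorted(exposed)


def demo():
    """Constructed scenario: a log directory with three files of mixed
    modes. Returns (world-readable list, world-or-group-readable list)."""
    with tempfile.TemporaryDirectory() as d:
        # placeholder file names and deliberately different modes
        for name, mode in (("access_log", 0o644),
                           ("error_log", 0o600),
                           ("login_log", 0o640)):
            p = os.path.join(d, name)
            with open(p, "w") as fh:
                fh.write("sample line\n")
            os.chmod(p, mode)
        return find_exposed_files(d), find_exposed_files(d, flag_group=True)


if __name__ == "__main__":
    world, group = demo()
    for row in world:
        print("world-readable:", row)
    for row in group:
        print("group- or world-readable:", row)
```

The remediation for anything the audit flags is the same one the fixed builds apply: tighten the mode (chmod 0600 or 0640 with a trusted group) so unprivileged accounts on the server cannot read the logs.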

Impact:

We have deemed this vulnerability to be rated as MEDIUM due to the fact that some sensitive information may be obtainable via the log files.

Vulnerable Version:

This vulnerability was tested against cPanel 11.40.0 #19 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in cPanel 11.42.0.23, 11.40.1.13 & 11.38.2.23.

Vendor Contact Timeline:

2013-12-12: Vendor contacted via email.
2014-03-03: Vendor confirms vulnerability.
2014-03-24: Vendor issues updates to all builds.
2014-03-31: Rack911 issues security advisory.

cPanel – Modifyacct ACL Failures (R911-0139)

Monday, March 31st, 2014

Type: ACL Failures
Location: Remote
Impact: Low
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.42.0.23, 11.40.1.13 & 11.38.2.23
CVE: -
R911: 0139
Date: 2014-03-31
By: Rack911

Product Description:

cPanel is an easy-to-use control panel that gives web hosts, and the website owners they serve, the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

It is possible for a reseller to enable and/or disable certain features for their sub accounts that should not be available to them as they are intended for admins only.

Impact:

We have deemed this vulnerability to be rated as LOW due to the fact that no sensitive data can be obtained and this is more of a nuisance exploit than anything else.

Vulnerable Version:

This vulnerability was tested against cPanel 11.40.0 #19 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in cPanel 11.42.0.23, 11.40.1.13 & 11.38.2.23.

Vendor Contact Timeline:

2013-12-25: Vendor contacted via email.
2014-02-05: Vendor confirms vulnerability.
2014-03-24: Vendor issues updates to all builds.
2014-03-31: Rack911 issues security advisory.

cPanel – Update Analysis Insecure File Permissions (R911-0138)

Monday, March 31st, 2014

Type: Insecure File Permissions
Location: Local
Impact: Medium
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.42.0.23, 11.40.1.13 & 11.38.2.23
CVE: -
R911: 0138
Date: 2014-03-31
By: Rack911

Product Description:

cPanel is an easy-to-use control panel that gives web hosts, and the website owners they serve, the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

There is an option to send update logs to cPanel. It is not enabled by default, but if it is turned on, a malicious user can obtain the contents of the update analysis data, which could include sensitive information from the various access and error logs.

Impact:

We have deemed this vulnerability to be rated as MEDIUM due to the fact that some sensitive information pertaining to users and admins could be obtained.

Vulnerable Version:

This vulnerability was tested against cPanel 11.40.0 #19 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in cPanel 11.42.0.23, 11.40.1.13 & 11.38.2.23.

Vendor Contact Timeline:

2014-02-05: Vendor contacted via email.
2014-02-05: Vendor confirms vulnerability.
2014-03-24: Vendor issues updates to all builds.
2014-03-31: Rack911 issues security advisory.

cPanel – cPAddons Moderation Stored XSS (R911-0137)

Monday, March 31st, 2014

Type: XSS
Location: Remote
Impact: High
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.42.0.23, 11.40.1.13 & 11.38.2.23
CVE: -
R911: 0137
Date: 2014-03-31
By: Rack911

Product Description:

cPanel is an easy-to-use control panel that gives web hosts, and the website owners they serve, the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

It is possible for a malicious user to create a stored XSS vulnerability within the cPAddons moderation files, which could cause dangerous code to be rendered within the administrator's web browser when using WHM.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that dangerous code can be rendered within the administrator's web browser.

Vulnerable Version:

This vulnerability was tested against cPanel 11.40.0 #19 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in cPanel 11.42.0.23, 11.40.1.13 & 11.38.2.23.

Vendor Contact Timeline:

2014-02-15: Vendor contacted via email.
2014-02-18: Vendor confirms vulnerability.
2014-03-24: Vendor issues updates to all builds.
2014-03-31: Rack911 issues security advisory.

cPanel – Activate Remote Name Servers Arbitrary Command Execution (R911-0136)

Monday, March 31st, 2014

Type: Arbitrary Command Execution
Location: Remote
Impact: High
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.42.0.23, 11.40.1.13 & 11.38.2.23
CVE: -
R911: 0136
Date: 2014-03-31
By: Rack911

Product Description:

cPanel is an easy-to-use control panel that gives web hosts, and the website owners they serve, the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

There is an arbitrary command execution vulnerability within the activate_remote_nameservers.cgi feature when using the SoftLayer module, and possibly also the VPS.NET module. The end result is that a reseller would be able to run any command as root, which ultimately leads to a privilege escalation. This issue also involves an input validation failure.
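The advisory names two root causes, a command built from unvalidated input and the command being run with root privileges, and the fix for the first is the one shown below. This Python example is added here and is not cPanel's code; the tool path /usr/local/sbin/activate-ns is a hypothetical placeholder standing in for whatever the feature invokes. It contrasts a shell string assembled from raw nameserver names with an argv list whose elements have first passed a strict hostname allow-list, so metacharacters never reach a shell at all.

```python
import re
import subprocess

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
HOSTNAME_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Hypothetical placeholder for the privileged helper the CGI would call.
ACTIVATE_TOOL = "/usr/local/sbin/activate-ns"


class InvalidHostname(ValueError):
    pass


def validate_hostname(name):
    """Accept only a syntactically valid hostname; anything else raises.
    This is an allow-list, so shell metacharacters, spaces and empty
    labels are all rejected without needing a deny-list of bad characters."""
    if not isinstance(name, str) or not 1 <= len(name) <= 253:
        raise InvalidHostname("bad length")
    labels = name.rstrip(".").split(".")
    for label in labels:
        if not HOSTNAME_LABEL.match(label):
            raise InvalidHostname("bad label %r in %r" % (label, name))
    return name


def vulnerable_command(ns1, ns2):
    """Pattern to avoid: raw input interpolated into a shell command line.
    Returned as a string only to show the shape; never run with shell=True."""
    return "%s %s %s" % (ACTIVATE_TOOL, ns1, ns2)


def hardened_command(ns1, ns2):
    """Validated values passed as separate argv elements, no shell involved."""
    return [ACTIVATE_TOOL, validate_hostname(ns1), validate_hostname(ns2)]


def run_hardened(ns1, ns2):
    """Execute the helper with an argv list; shell=False is the default."""
    return subprocess.run(hardened_command(ns1, ns2), check=True)


if __name__ == "__main__":
    print(hardened_command("ns1.example.com", "ns2.example.com"))
    try:
        hardened_command("ns1.example.com; id", "ns2.example.com")
    except InvalidHostname as e:
        print("rejected:", e)
```

Validation alone does not address the second root cause; the helper should also run with the least privilege the task needs rather than as root, which limits what any remaining bug in it can do.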

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that root access can be obtained.

Vulnerable Version:

This vulnerability was tested against cPanel 11.40.0 #19 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in cPanel 11.42.0.23, 11.40.1.13 & 11.38.2.23.

Vendor Contact Timeline:

2014-01-26: Vendor contacted via email.
2014-02-03: Vendor confirms vulnerability.
2014-03-24: Vendor issues updates to all builds.
2014-03-31: Rack911 issues security advisory.

Webmin – Statistics Hardlink Arbitrary File Access (R911-0135)

Thursday, March 13th, 2014

Type: Hardlink Arbitrary File Access
Location: Local
Impact: High
Product: Webmin
Website: http://www.webmin.com/
Vulnerable Version: 1.670
Fixed Version: 1.680
CVE: -
R911: 0135
Date: 2014-03-13
By: Rack911

Product Description:

Webmin is a web-based interface for system administration for Unix. Using any modern web browser, you can set up user accounts, Apache, DNS, file sharing and much more. Webmin removes the need to manually edit Unix configuration files like /etc/passwd, and lets you manage a system from the console or remotely.

Vulnerability Description:

It is possible for a malicious user to view any file on the server, including root owned files, by using a hardlink pointing to the Webalizer and AwStats statistics files and then accessing the features within Webmin.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that sensitive information can be obtained.

Vulnerable Version:

This vulnerability was tested against Webmin 1.670.

Fixed Version:

This vulnerability was patched in Webmin 1.680.

Vendor Contact Timeline:

2014-03-10: Vendor contacted via email.
2014-03-11: Vendor confirms vulnerability.
2014-03-13: Vendor issues 1.680 update.
2014-03-13: Rack911 issues security advisory.

Webmin – PHP Config Hardlink Arbitrary File Access (R911-0134)

Thursday, March 13th, 2014

Type: Hardlink Arbitrary File Access
Location: Local
Impact: High
Product: Webmin
Website: http://www.webmin.com/
Vulnerable Version: 1.670
Fixed Version: 1.680
CVE: -
R911: 0134
Date: 2014-03-13
By: Rack911

Product Description:

Webmin is a web-based interface for system administration for Unix. Using any modern web browser, you can set up user accounts, Apache, DNS, file sharing and much more. Webmin removes the need to manually edit Unix configuration files like /etc/passwd, and lets you manage a system from the console or remotely.

Vulnerability Description:

It is possible for a malicious user to view any file on the server, including root owned files, by using a hardlink pointing to the user PHP config file and then editing the configuration within Webmin.
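Both Webmin advisories (R911-0134 above and R911-0135 before it) describe the same pattern: a privileged service reads a file at a path the user controls, and a hard link lets that path resolve to a file the user could not read directly. The following Python example is added here and is not Webmin's code; it shows the check a privileged reader can apply before trusting such a file: open with O_NOFOLLOW, then fstat the descriptor and refuse anything that is not a regular file, has a link count above one, or is owned by someone other than the expected user. The demo constructs a user-owned file, a hard link and a symlink in a temporary directory; the stand-in "secret" file is owned by the current user because a root-owned file cannot be created without privileges, so in the demo it is the link count check that fires, while in the real scenario the owner check would fire as well.

```python
import os
import stat
import tempfile


class UnsafeFileError(Exception):
    pass


def open_user_file(path, expected_uid):
    """Open a user-designated file for reading on behalf of a privileged
    service, refusing anything that could redirect the read to a file the
    user does not own.  Checking the opened descriptor (fstat) rather than
    the path (lstat) avoids a race between the check and the open."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NOCTTY)
    except OSError as e:
        # O_NOFOLLOW makes a symlink fail here instead of being followed.
        raise UnsafeFileError("open refused: %s" % e.strerror)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise UnsafeFileError("not a regular file")
        if st.st_nlink != 1:
            raise UnsafeFileError("hard-linked file (nlink=%d)" % st.st_nlink)
        if st.st_uid != expected_uid:
            raise UnsafeFileError("owned by uid %d, expected %d"
                                  % (st.st_uid, expected_uid))
        return os.fdopen(fd, "r")
    except Exception:
        os.close(fd)
        raise


def demo():
    """Constructed scenario: the user's own config file, a hard link to a
    stand-in 'secret' file, and a symlink to it.  Returns what the
    privileged reader did with each."""
    results = {}
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as d:
        own = os.path.join(d, "php.ini")
        secret = os.path.join(d, "secret.txt")   # stands in for a root-owned file
        for p in (own, secret):
            with open(p, "w") as fh:
                fh.write("contents\n")
        linked = os.path.join(d, "php_link.ini")
        os.link(secret, linked)                  # secret now has nlink == 2
        sym = os.path.join(d, "php_sym.ini")
        os.symlink(secret, sym)
        for label, p in (("own", own), ("hardlink", linked), ("symlink", sym)):
            try:
                with open_user_file(p, uid) as fh:
                    results[label] = fh.read().strip()
            except UnsafeFileError as e:
                results[label] = "rejected: " + str(e)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print("%-9s %s" % (label, outcome))
```

On Linux, fs.protected_hardlinks=1 (the default on most modern distributions) additionally stops unprivileged users from creating hard links to files they do not own, which is a useful system-level backstop for any service that has not adopted a check like this.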

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that sensitive information can be obtained.

Vulnerable Version:

This vulnerability was tested against Webmin 1.670.

Fixed Version:

This vulnerability was patched in Webmin 1.680.

Vendor Contact Timeline:

2014-03-10: Vendor contacted via email.
2014-03-11: Vendor confirms vulnerability.
2014-03-13: Vendor issues 1.680 update.
2014-03-13: Rack911 issues security advisory.

HostBill – Admin Chat Generate Code CSRF & XSS Vulnerability (R911-0133)

Thursday, March 13th, 2014

Type: XSS
Location: Remote
Impact: Medium
Product: HostBill
Website: http://www.hostbillapp.com
Vulnerable Version: 2014-03-10
Fixed Version: 2014-03-12
CVE: -
R911: 0133
Date: 2014-03-13
By: Rack911

Product Description:

Whether you resell hosting or lease colocation space – you need to bill your customers. HostBill platform’s core components are designed to help you acquire customers, automate your services and ensure that invoices are paid on time.

Vulnerability Description:

Due to both a CSRF and XSS vulnerability present within the Chat Generate Code configuration page, it is possible for a malicious user to perform an attack against staff accounts with minimal effort.

Impact:

We have deemed this vulnerability to be rated as MEDIUM due to the fact that staff account(s) can potentially be interfered with.

Vulnerable Version:

This vulnerability was tested against HostBill 2014-03-10.

Fixed Version:

This vulnerability was patched in HostBill 2014-03-12.

Vendor Contact Timeline:

2014-03-12: Vendor contacted via email.
2014-03-12: Vendor confirms vulnerability.
2014-03-12: Vendor issues 2014-03-12 update.
2014-03-13: Rack911 issues security advisory.

ArcticDesk – Custom Module Local File Inclusion Vulnerability (R911-0132)

Friday, March 7th, 2014

Type: LFI
Location: Remote
Impact: High
Product: ArcticDesk
Website: http://www.arcticdesk.com
Vulnerable Version: 1.2.4
Fixed Version: 1.2.5
CVE: -
R911: 0132
Date: 2014-03-07
By: Rack911

Product Description:

ArcticDesk is a lightweight support help desk solution. It lets you manage tickets, emails, announcements, articles, downloads and more, all in one place.

Vulnerability Description:

There is a local file inclusion vulnerability present within ArcticDesk that would allow a malicious user to open files which could yield sensitive information. Under the right circumstances, it may even be possible to turn this into a remote file inclusion, which could allow commands to be executed.
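Local file inclusion in a "custom module" feature typically comes down to a module name that is joined onto a path and included without restriction. The following Python example is added here and is not ArcticDesk's code (its PHP source is not on this page); it shows the unsafe join beside a hardened resolver that applies two independent controls, an allow-list on the module name and a check that the resolved real path is still inside the module directory. The demo constructs a module directory and a file just outside it and shows which name each resolver accepts.

```python
import os
import re
import tempfile


class ModuleLoadError(Exception):
    pass


# Allow-list for module names: no separators, no dots, no scheme prefixes.
MODULE_NAME = re.compile(r"^[A-Za-z0-9_]{1,64}$")


def vulnerable_resolve(base_dir, name):
    """Pattern to avoid: user input joined straight onto the module path."""
    return os.path.join(base_dir, name + ".php")


def resolve_module(base_dir, name):
    """Map a user-supplied module name to a file inside base_dir."""
    if not MODULE_NAME.match(name):
        raise ModuleLoadError("invalid module name: %r" % name)
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name + ".php"))
    # Second, independent control: the canonical path must stay under base.
    if os.path.commonpath([base, candidate]) != base:
        raise ModuleLoadError("path escapes module directory")
    if not os.path.isfile(candidate):
        raise ModuleLoadError("no such module: %r" % name)
    return candidate


def demo():
    """Constructed layout: modules/tickets.php inside, config.php outside."""
    with tempfile.TemporaryDirectory() as d:
        modules = os.path.join(d, "modules")
        os.mkdir(modules)
        with open(os.path.join(modules, "tickets.php"), "w") as fh:
            fh.write("<?php // module\n")
        with open(os.path.join(d, "config.php"), "w") as fh:
            fh.write("<?php // outside the module directory\n")
        out = {}
        out["good"] = os.path.basename(resolve_module(modules, "tickets"))
        # The unsafe join happily points outside the module directory.
        out["vulnerable"] = os.path.basename(
            vulnerable_resolve(modules, "../config"))
        try:
            resolve_module(modules, "../config")
            out["hardened"] = "accepted"
        except ModuleLoadError as e:
            out["hardened"] = "rejected: " + str(e)
        return out


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-10s %s" % (k, v))
```

The name allow-list alone would block the traversal shown, but keeping the real-path containment check as well means a future relaxation of the allow-list (for example, permitting subdirectories) does not silently reopen the hole.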

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that a malicious user can obtain sensitive data.

Vulnerable Version:

This vulnerability was tested against ArcticDesk v1.2.4.

Fixed Version:

This vulnerability was patched in ArcticDesk v1.2.5.

Vendor Contact Timeline:

2014-02-27: Vendor contacted via email.
2014-02-27: Vendor confirms vulnerability.
2014-03-07: Vendor issues 1.2.5 update.
2014-03-07: Rack911 issues security advisory.

HostBill – Email Templates CSRF/XSS Admin Hijack Vulnerability (R911-0131)

Tuesday, March 4th, 2014

Type: CSRF / XSS
Location: Remote
Impact: High
Product: HostBill
Website: http://www.hostbillapp.com
Vulnerable Version: 2014-02-24
Fixed Version: 2014-03-03
CVE: -
R911: 0131
Date: 2014-03-04
By: Rack911

Product Description:

Whether you resell hosting or lease colocation space – you need to bill your customers. HostBill platform’s core components are designed to help you acquire customers, automate your services and ensure that invoices are paid on time.

Vulnerability Description:

Due to both a CSRF and XSS vulnerability present within the Email Templates configuration page, it is possible for a malicious user to hijack staff accounts with minimal effort.

For example, the malicious user could submit a trouble ticket asking the staff member to check his website. Once the staff member views the website, the malicious CSRF and XSS code is executed against HostBill, resulting in the session information being sent to the malicious user and thus allowing unauthorized access to the staff account within HostBill.
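The two weaknesses that combine here, and in the Chat Generate Code advisory (R911-0133) above, call for two separate mitigations: a per-session anti-CSRF token checked on every state-changing admin request, and context-appropriate escaping of stored values when they are rendered back into the admin page. The following Python example is added here and is not HostBill's code (HostBill is a PHP product; the session and form dictionaries below are a framework-neutral stand-in). It models an admin "save template" handler that rejects a request lacking the session's token, and a renderer that HTML-escapes stored names and bodies so a stored payload is displayed as text rather than executed.

```python
import hmac
import html
import secrets


def issue_csrf_token(session):
    """Generate a fresh random token, store it in the session, and return
    it so the admin form can embed it in a hidden field."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def verify_csrf_token(session, submitted):
    """Constant-time comparison of the submitted token with the session's.
    A cross-site request cannot read the session, so it cannot supply it."""
    expected = session.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected.encode("utf-8"),
                               submitted.encode("utf-8"))


def save_template(session, form, store):
    """Admin handler: persist an email template only for a genuine request."""
    if not verify_csrf_token(session, form.get("csrf_token")):
        return {"status": 403, "error": "missing or invalid CSRF token"}
    store[form["name"]] = form["body"]
    return {"status": 200, "saved": form["name"]}


def render_template_list(store):
    """Render the stored templates into an HTML table, escaping every value
    so markup in a template name or body is shown, not interpreted."""
    rows = "".join(
        "<tr><td>%s</td><td>%s</td></tr>" % (html.escape(name, quote=True),
                                             html.escape(body, quote=True))
        for name, body in sorted(store.items()))
    return "<table>%s</table>" % rows


def demo():
    """Constructed scenario: one forged (token-less) save, one genuine save
    whose body contains markup, then the rendered admin page."""
    session, store = {}, {}
    token = issue_csrf_token(session)
    forged = save_template(session,
                           {"name": "welcome", "body": "<script>alert(1)</script>"},
                           store)
    genuine = save_template(session,
                            {"csrf_token": token, "name": "welcome",
                             "body": "<b>Hi</b> <script>alert(1)</script>"},
                            store)
    return forged, genuine, render_template_list(store)


if __name__ == "__main__":
    forged, genuine, page = demo()
    print(forged)
    print(genuine)
    print(page)
```

Escaping belongs at the output side, not the input side: the same stored body might later be emitted into an email, a JSON API or an HTML page, and each context needs its own encoding.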

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that the staff account(s) can be hijacked.

Vulnerable Version:

This vulnerability was tested against HostBill 2014-02-24.

Fixed Version:

This vulnerability was patched in HostBill 2014-03-03.

Vendor Contact Timeline:

2014-03-03: Vendor contacted via email.
2014-03-03: Vendor confirms vulnerability.
2014-03-03: Vendor issues 2014-03-03 update.
2014-03-04: Rack911 issues security advisory.