Archive for May, 2014

cPanel – Fix Insecure Permissions Symlink Attack (R911-0150)

Monday, May 26th, 2014

Type: Symlink Attack
Location: Local
Impact: High
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.43.0.12, 11.42.1.16 & 11.40.1.14
CVE: -
R911: 0150
Date: 2014-05-26
By: Rack911

Product Description:

cPanel is an easy-to-use control panel that gives web hosts, and the website owners they serve, the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

It is possible for a malicious user to trick the ‘Fix Insecure Permissions’ feature into performing a symlink attack that would ultimately allow access to other users’ content and other sensitive content.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that a regular cPanel user can obtain sensitive information belonging to other users.

Vulnerable Version:

This vulnerability was tested against cPanel prior to the fixed versions below.

Fixed Version:

This vulnerability was patched in cPanel 11.43.0.12, 11.42.1.16 & 11.40.1.14.

Vendor Contact Timeline:

2014-04-03: Vendor contacted via email.
2014-04-03: Vendor confirms vulnerability.
2014-05-19: Vendor issues updates to all builds.
2014-05-26: Rack911 issues security advisory.

cPanel – BoxTrapper Denial of Service (R911-0149)

Monday, May 26th, 2014

Type: Denial of Service
Location: Local
Impact: High
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.43.0.12, 11.42.1.16 & 11.40.1.14
CVE: -
R911: 0149
Date: 2014-05-26
By: Rack911

Product Description:

cPanel is an easy-to-use control panel that gives web hosts, and the website owners they serve, the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

It is possible for a malicious user to cause an extremely high load on any cPanel server due to a vulnerability within BoxTrapper that causes a Denial of Service attack when a carefully crafted request is sent to the web server.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that every cPanel server can be effectively disrupted.

Vulnerable Version:

This vulnerability was tested against cPanel prior to the fixed versions below.

Fixed Version:

This vulnerability was patched in cPanel 11.43.0.12, 11.42.1.16 & 11.40.1.14.

Vendor Contact Timeline:

2014-03-16: Vendor contacted via email.
2014-03-16: Vendor confirms vulnerability.
2014-05-19: Vendor issues updates to all builds.
2014-05-26: Rack911 issues security advisory.

cPanel – Session Information Disclosure Vulnerability (R911-0148)

Monday, May 26th, 2014

Type: Information Disclosure
Location: Local
Impact: High
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.43.0.12, 11.42.1.16 & 11.40.1.14
CVE: -
R911: 0148
Date: 2014-05-26
By: Rack911

Product Description:

cPanel is an easy-to-use control panel that gives web hosts, and the website owners they serve, the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

Under certain circumstances, it is possible for a malicious user to obtain the session information used for cPanel and its various services, which could allow unauthorized access.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that unauthorized access is a possibility.

Vulnerable Version:

This vulnerability was tested against cPanel prior to the fixed versions below.

Fixed Version:

This vulnerability was patched in cPanel 11.43.0.12, 11.42.1.16 & 11.40.1.14.

Vendor Contact Timeline:

2014-03-05: Vendor contacted via email.
2014-03-05: Vendor confirms vulnerability.
2014-05-19: Vendor issues updates to all builds.
2014-05-26: Rack911 issues security advisory.

ArcticDesk – Template Local File Inclusion (R911-0147)

Friday, May 23rd, 2014

Type: Local File Inclusion
Location: Remote
Impact: High
Product: ArcticDesk
Website: http://www.arcticdesk.com
Vulnerable Version: 1.2.5
Fixed Version: 1.2.6
CVE: -
R911: 0147
Date: 2014-05-23
By: Rack911

Product Description:

ArcticDesk is a lightweight support help desk solution. It lets you manage tickets, emails, announcements, articles, downloads and more, all in one place.

Vulnerability Description:

Due to a local file inclusion vulnerability present within the template function, it is possible for a malicious user to access sensitive files and/or include PHP code which could be used to take over the ArcticDesk installation.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that a malicious user can take over the software.

Vulnerable Version:

This vulnerability was tested against ArcticDesk v1.2.5.

Fixed Version:

This vulnerability was patched in ArcticDesk v1.2.6.

Vendor Contact Timeline:

2014-05-15: Vendor contacted via email.
2014-05-15: Vendor confirms vulnerability.
2014-05-23: Vendor issues 1.2.6 update.
2014-05-23: Rack911 issues security advisory.

ArcticDesk – Language Local File Inclusion (R911-0146)

Friday, May 23rd, 2014

Type: Local File Inclusion
Location: Remote
Impact: High
Product: ArcticDesk
Website: http://www.arcticdesk.com
Vulnerable Version: 1.2.5
Fixed Version: 1.2.6
CVE: -
R911: 0146
Date: 2014-05-23
By: Rack911

Product Description:

ArcticDesk is a lightweight support help desk solution. It lets you manage tickets, emails, announcements, articles, downloads and more, all in one place.

Vulnerability Description:

Due to a local file inclusion vulnerability present within the language function, it is possible for a malicious user to access sensitive files and/or include PHP code which could be used to take over the ArcticDesk installation.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that a malicious user can take over the software.

Vulnerable Version:

This vulnerability was tested against ArcticDesk v1.2.5.

Fixed Version:

This vulnerability was patched in ArcticDesk v1.2.6.

Vendor Contact Timeline:

2014-05-15: Vendor contacted via email.
2014-05-15: Vendor confirms vulnerability.
2014-05-23: Vendor issues 1.2.6 update.
2014-05-23: Rack911 issues security advisory.

ArcticDesk – Module Local File Inclusion (R911-0145)

Friday, May 23rd, 2014

Type: Local File Inclusion
Location: Remote
Impact: High
Product: ArcticDesk
Website: http://www.arcticdesk.com
Vulnerable Version: 1.2.5
Fixed Version: 1.2.6
CVE: -
R911: 0145
Date: 2014-05-23
By: Rack911

Product Description:

ArcticDesk is a lightweight support help desk solution. It lets you manage tickets, emails, announcements, articles, downloads and more, all in one place.

Vulnerability Description:

Due to a local file inclusion vulnerability present within the module function, it is possible for a malicious user to access sensitive files and/or include PHP code which could be used to take over the ArcticDesk installation.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that a malicious user can take over the software.

Vulnerable Version:

This vulnerability was tested against ArcticDesk v1.2.5.

Fixed Version:

This vulnerability was patched in ArcticDesk v1.2.6.

Vendor Contact Timeline:

2014-05-15: Vendor contacted via email.
2014-05-15: Vendor confirms vulnerability.
2014-05-23: Vendor issues 1.2.6 update.
2014-05-23: Rack911 issues security advisory.

ArcticDesk – Admin Report Local File Inclusion (R911-0144)

Friday, May 23rd, 2014

Type: Local File Inclusion
Location: Remote
Impact: High
Product: ArcticDesk
Website: http://www.arcticdesk.com
Vulnerable Version: 1.2.5
Fixed Version: 1.2.6
CVE: -
R911: 0144
Date: 2014-05-23
By: Rack911

Product Description:

ArcticDesk is a lightweight support help desk solution. It lets you manage tickets, emails, announcements, articles, downloads and more, all in one place.

Vulnerability Description:

Due to a local file inclusion vulnerability present within the language function, it is possible for a restricted admin (Support / Billing Staff) to access sensitive files and/or include PHP code which could be used to take over the ArcticDesk installation.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that a malicious admin can take over the software.

Vulnerable Version:

This vulnerability was tested against ArcticDesk v1.2.5.

Fixed Version:

This vulnerability was patched in ArcticDesk v1.2.6.

Vendor Contact Timeline:

2014-05-15: Vendor contacted via email.
2014-05-15: Vendor confirms vulnerability.
2014-05-23: Vendor issues 1.2.6 update.
2014-05-23: Rack911 issues security advisory.

RACK911 Labs – Year In Review (2013)

Tuesday, May 6th, 2014

RACK911 Labs has released a “Year in Review” to discuss our security efforts in the hosting industry.

http://files.rack911labs.com/whitepapers/RACK911_Labs_-_Year_In_Review-2013.pdf

Within the report we talk about some statistics related to our public security advisories, such as the average time it takes a software developer to issue a patch and who the fastest of the control panels were.

It’s definitely worth a read and please share it with everyone! :)