Archive for June, 2014

SpamExperts (cPanel Plugin) – Arbitrary File Overwrite (R911-0163)

Wednesday, June 25th, 2014

Type: Arbitrary File Overwrite
Location: Local
Impact: High
Product: SpamExperts (cPanel Plugin)
Website: http://www.spamexperts.com/
Vulnerable Version: All builds prior to the fixed version.
Fixed Version: 3.0.68547
CVE: -
R911: 0163
Date: 2014-06-25
By: RACK911

Product Description

SpamExperts delivers managed email security in the cloud or on premises, tailored for webhosts: incoming and outgoing email filtering, and email archiving. Reduce churn, increase revenue, be 100% secure! Full API & standard integration and automation plugins for cPanel, Parallels products, DirectAdmin; redundant, synchronized, and scalable; 4-tier control panel; multi-level branding options; 24/7 support & SLAs; fast release cycles and frequent updates!

Vulnerability Description

Due to an arbitrary file overwrite vulnerability, an attacker can overwrite or create any file on the server and ultimately perform a privilege escalation that could allow them to obtain root access. This flaw is present within the cPanel plugin for SpamExperts.

Impact

We have rated this vulnerability HIGH because root access can be obtained by creating /var/cpanel/skipparentcheck and then using the SpamExperts getconfig64 SUID binary to obtain the root access hash.

Vulnerable Version

This vulnerability is believed to be present in all builds prior to the fixed version.

Fixed Version

This vulnerability was patched in SpamExperts (cPanel Plugin) 3.0.68547.

Vendor Contact Timeline

2014-06-16: Vendor contacted.
2014-06-16: Vendor confirms vulnerability.
2014-06-21: Vendor issues update to plugin.
2014-06-25: RACK911 issues security advisory.

Vision HelpDesk – Module Local File Inclusion (R911-0162)

Thursday, June 5th, 2014

Type: LFI
Location: Remote
Impact: Medium
Product: Vision HelpDesk
Website: http://www.thevisionworld.com/
Vulnerable Version: 3.8.8
Fixed Version: 3.9.6
CVE: -
R911: 0162
Date: 2014-06-05
By: RACK911

Product Description:

Vision Helpdesk is the only web-based help desk software that allows you to manage support for multiple companies in one place, with a single staff portal for all companies and each company having its own client portal.

Vulnerability Description:

Due to a Local File Inclusion vulnerability in the module functionality, a malicious user can access files that could yield sensitive information.

Impact:

We have rated this vulnerability MEDIUM because sensitive information could be obtained.

Vulnerable Version:

This vulnerability was tested against Vision HelpDesk 3.8.8 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in Vision HelpDesk 3.9.6.

Vendor Contact Timeline:

2014-05-15: Vendor contacted via email.
2014-06-05: Vendor confirms vulnerability.
2014-06-05: Vendor issues updates to all builds.
2014-06-05: RACK911 issues security advisory.

OnApp – Password Reset Arbitrary File Disclosure (R911-0161)

Thursday, June 5th, 2014

Type: Arbitrary File Disclosure
Location: Local
Impact: High
Product: OnApp
Website: http://www.onapp.com
Vulnerable Version: All builds prior to fixed version below.
Fixed Version: 3.2.2-29
CVE: -
R911: 0161
Date: 2014-06-05
By: RACK911

Product Description:

OnApp software enables Infrastructure-as-a-Service for hosts, telcos and other service providers. With OnApp in your datacenter you can use commodity hardware to sell public & private cloud services, dedicated servers, Virtual Private Servers, CDN, DNS, storage and much more, through one fully automated control panel.

Vulnerability Description:

A malicious user can view the contents of any file on the HyperVisor due to an arbitrary file disclosure vulnerability in the (root) Password Reset functionality of OnApp.

Impact:

We have rated this vulnerability HIGH because sensitive files on the HyperVisor can be accessed.

Vulnerable Version:

This vulnerability is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in OnApp 3.2.2-29: https://docs.onapp.com/display/RN/3.2.2-29+Update

Vendor Contact Timeline:

2014-05-28: Vendor contacted via email.
2014-05-28: Vendor confirms vulnerability.
2014-06-04: Vendor issues updates to all builds.
2014-06-05: RACK911 issues security advisory.