IP.Board 3.3.x & 3.4.x – Send Messages Input Validation Failure (R911-0174)

May 1st, 2015

Type: Input Validation
Location: Remote
Impact: High
Product: IP.Board
Website: https://www.invisionpower.com/apps/board/
Vulnerable Version: 3.3.x & 3.4.x
CVE: -
R911: 0174
Date: 2015-05-01
By: RACK911 Labs

Product Description:

Invision Power Board (abbreviated IPB, IP.Board or IP Board) is an Internet forum software produced by Invision Power Services, Inc. It is written in PHP and primarily uses MySQL as a database management system, although support for other database engines is available.

Vulnerability Description:

Due to an input validation failure, it is possible for a malicious user to hijack any message belonging to another user.

Impact:

We have deemed this vulnerability to be rated HIGH because a malicious user can intercept other users' private conversations.

Vulnerable Version:

This vulnerability was tested against IP.Board 3.4.7 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in the vendor's security update for IP.Board 3.3.x & 3.4.x, which can be downloaded from the vendor's website:

http://community.invisionpower.com/blogs/entry/9729-ipboard-33x-34x-security-update/

Vendor Contact Timeline:

2015-04-23: Vendor contacted via email.
2015-04-24: Vendor confirms vulnerability.
2015-05-01: Vendor issues patches.
2015-05-01: RACK911 Labs issues security advisory.

vBulletin 5 – Private Messages Input Validation Failure (R911-0173)

April 24th, 2015

Type: Input Validation
Location: Remote
Impact: Medium
Product: vBulletin
Website: https://www.vbulletin.com
Vulnerable Version: 5.1.4 – 5.1.6
CVE: -
R911: 0173
Date: 2015-04-24
By: RACK911 Labs

Product Description:

vBulletin (vB) is a proprietary Internet forum software package developed by vBulletin Solutions, Inc., a division of Internet Brands. It is written in PHP and uses a MySQL database server.

Vulnerability Description:

Due to an input validation failure, it is possible for a malicious user to inject messages into existing conversations without authorization.
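Both the IP.Board advisory above and this vBulletin advisory describe the same class of flaw: a message or conversation identifier supplied by the client is acted on without checking that the caller is actually a participant. Neither advisory publishes the faulty parameter, so the following is an added example rather than code from either product; it models the vulnerable handler next to a fixed one over a hypothetical in-memory store, with constructed user and conversation ids.

```python
"""Authorization check for a private-message reply handler.

Added example, not code from IP.Board or vBulletin. Models the vulnerability
class (a client-supplied conversation id trusted without a participant check)
beside the fixed handler. Store, request shape and ids are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple


class Forbidden(Exception):
    """Raised when the caller may not act on the requested conversation."""


@dataclass
class Conversation:
    conv_id: int
    participants: FrozenSet[int]                  # user ids allowed to read and post
    messages: List[Tuple[int, str]] = field(default_factory=list)


def fresh_store() -> Dict[int, Conversation]:
    """Constructed sample data: users 10 and 20 share conversation 1."""
    return {1: Conversation(1, frozenset({10, 20}), [(10, "invoice attached")])}


def _conv_id(request: dict) -> int:
    """Parse the client-supplied id; anything malformed is treated as 'not found'."""
    try:
        return int(request["conv_id"])
    except (KeyError, TypeError, ValueError):
        raise Forbidden("conversation not found") from None


def post_reply_vulnerable(store: Dict[int, Conversation], request: dict) -> int:
    """Trusts the conversation id from the request. request["user_id"] is the
    authenticated caller, but nothing checks that this caller belongs to the
    conversation, so any user can inject into (or take over) any thread."""
    conv = store[_conv_id(request)]
    conv.messages.append((request["user_id"], request["body"]))
    return len(conv.messages)


def post_reply_fixed(store: Dict[int, Conversation], request: dict) -> int:
    """Looks the conversation up, then checks that the authenticated user is a
    participant of *that* record before modifying it."""
    conv = store.get(_conv_id(request))
    if conv is None or request["user_id"] not in conv.participants:
        # One response for "no such conversation" and "not yours": a distinct
        # error would let the attacker enumerate valid conversation ids.
        raise Forbidden("conversation not found")
    conv.messages.append((request["user_id"], request["body"]))
    return len(conv.messages)


def is_forbidden(handler, store: Dict[int, Conversation], request: dict) -> bool:
    """True if `handler` refuses the request (used by the demonstration below)."""
    try:
        handler(store, request)
    except Forbidden:
        return True
    return False
```

The check is deliberately performed on the record that was just loaded, not on a separately supplied "owner" field or a second lookup, so a forged identifier cannot satisfy the authorization step while the write goes to a different object.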

Impact:

We have deemed this vulnerability to be rated as MEDIUM because a malicious user can impersonate another participant within a conversation, which could lead to further compromise.

Vulnerable Version:

This vulnerability was tested against vBulletin 5.1.6 and is believed to exist in all prior versions.

Fixed Version:

Patches for vBulletin 5.1.4 through 5.1.6 are available under the members section of vBulletin's website.

Vendor Contact Timeline:

2015-04-16: Vendor contacted via email.
2015-04-20: Vendor confirms vulnerability.
2015-04-23: Vendor issues patches.
2015-04-24: RACK911 Labs issues security advisory.

Webmin – Read Mail Module Hardlink Arbitrary File Access (R911-0172)

January 27th, 2015

Type: Hardlink Arbitrary File Access
Location: Local
Impact: High
Product: Webmin
Website: http://www.webmin.com/
Vulnerable Version: 1.720
Fixed Version: 1.730
CVE: CVE-2015-1377
R911: 0172
Date: 2015-01-27
By: RACK911

Product Description:

Webmin is a web-based interface for system administration for Unix. Using any modern web browser, you can set up user accounts, Apache, DNS, file sharing and much more. Webmin removes the need to manually edit Unix configuration files like /etc/passwd, and lets you manage a system from the console or remotely.

Vulnerability Description:

It is possible for a malicious user to view any file on the server, including root-owned files, by creating a hard link to the target file under their user-accessible mail directory. Webmin, which runs as root, then renders the linked file's contents in the Read Mail module.

Impact:

We have deemed this vulnerability to be rated as HIGH because sensitive information, including the contents of root-owned files, can be obtained by an unprivileged user.

Vulnerable Version:

This vulnerability was tested against Webmin 1.720.

Fixed Version:

This vulnerability was patched in Webmin 1.730.

Vendor Contact Timeline:

2014-12-09: Vendor contacted via email.
2014-12-09: Vendor confirms vulnerability.
2015-01-01: Vendor issues 1.730 update.
2015-01-27: RACK911 issues security advisory.

Usermin – Read Mail Module Hardlink Arbitrary File Access (R911-0171)

January 27th, 2015

Type: Hardlink Arbitrary File Access
Location: Local
Impact: High
Product: Usermin
Website: http://www.webmin.com/usermin.html
Vulnerable Version: 1.630
Fixed Version: 1.640
CVE: CVE-2015-1377
R911: 0171
Date: 2015-01-27
By: RACK911

Product Description:

Usermin is a web-based interface for webmail, password changing, mail filters, fetchmail and much more. It is designed for use by regular non-root users on a Unix system, and limits them to tasks that they would be able to perform if logged in via SSH or at the console.

Vulnerability Description:

It is possible for a malicious user to view any file on the server, including root-owned files, by creating a hard link to the target file under their user-accessible mail directory. The privileged Usermin process then renders the linked file's contents in the Read Mail module.
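The Webmin and Usermin advisories (R911-0172 and R911-0171) describe the same hard-link trick: a hard link keeps the target's inode and owner, so a root-running reader that trusts "it is under the user's mail directory" will happily render /etc/shadow. Neither advisory publishes the vulnerable code path, so the following is an added example and not Webmin or Usermin code; it shows the check a privileged file reader needs before opening anything under a user-controlled directory, and a self-contained demonstration in a throw-away directory (all paths constructed).

```python
"""Hard-link-safe open for a privileged mail reader.

Added example, not Webmin/Usermin code. Shows the checks a process running as
root needs before rendering a file from a user-controlled directory.
"""
import os
import shutil
import stat
import tempfile


class UnsafeFile(Exception):
    """The file must not be rendered on the user's behalf."""


def open_user_file(path: str, owner_uid: int):
    """Open `path` read-only on behalf of `owner_uid`, refusing symlinks, files
    the user does not own, and files with more than one hard link."""
    # O_NOFOLLOW: a symlink at the final component fails (ELOOP) instead of
    # being followed. O_NONBLOCK: a planted FIFO cannot hang the reader.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    try:
        st = os.fstat(fd)          # inspect the opened descriptor: no TOCTOU window
        if not stat.S_ISREG(st.st_mode):
            raise UnsafeFile("not a regular file")
        if st.st_uid != owner_uid:
            # A hard link to /etc/shadow is still owned by root.
            raise UnsafeFile("not owned by the requesting user")
        if st.st_nlink > 1:
            # Mail files have exactly one name; extra links are a red flag.
            raise UnsafeFile("file has multiple hard links")
    except Exception:
        os.close(fd)
        raise
    return os.fdopen(fd, "rb")


def demo() -> dict:
    """Constructed scenario: a plain message, a hard link to a file outside the
    mail directory, and a symlink to the same file. Returns what happened to
    each when opened on behalf of the current user."""
    root = tempfile.mkdtemp()
    outcomes = {}
    try:
        secret = os.path.join(root, "secret.txt")   # stands in for a root-only file
        with open(secret, "w") as f:
            f.write("constructed placeholder for a file the user may not read\n")
        maildir = os.path.join(root, "Maildir")
        os.mkdir(maildir)
        with open(os.path.join(maildir, "plain.eml"), "w") as f:
            f.write("Subject: hello\n\nbody\n")
        os.link(secret, os.path.join(maildir, "linked.eml"))     # the attack
        os.symlink(secret, os.path.join(maildir, "sym.eml"))     # the older variant
        for name in ("plain.eml", "linked.eml", "sym.eml"):
            try:
                with open_user_file(os.path.join(maildir, name), os.getuid()) as fh:
                    fh.read()
                outcomes[name] = "rendered"
            except UnsafeFile as e:
                outcomes[name] = f"rejected: {e}"
            except OSError as e:
                outcomes[name] = f"rejected: {e.strerror}"
    finally:
        shutil.rmtree(root)
    return outcomes
```

In the demonstration the hard link is caught by the link-count check because the test process owns both files; on a real host the ownership check fires first, since the linked file stays root-owned. On Linux 3.6 and later the sysctl `fs.protected_hardlinks = 1` (the default on most distributions) also stops unprivileged users from hard-linking files they do not own and cannot read or write, which closes this class at the kernel level; the in-application check still matters on hosts where that setting is off, and it also covers files that arrive in the directory by other means.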

Impact:

We have deemed this vulnerability to be rated as HIGH because sensitive information, including the contents of root-owned files, can be obtained by an unprivileged user.

Vulnerable Version:

This vulnerability was tested against Usermin 1.630.

Fixed Version:

This vulnerability was patched in Usermin 1.640.

Vendor Contact Timeline:

2014-12-09: Vendor contacted via email.
2014-12-09: Vendor confirms vulnerability.
2015-01-01: Vendor issues 1.640 update.
2015-01-27: RACK911 issues security advisory.

Idera Server Backup Manager (R1Soft) – Session Fixation Vulnerability (R911-0170)

October 29th, 2014

Type: Session Fixation
Location: Remote
Impact: High
Product: Idera Server Backup Manager (R1Soft)
Website: http://www.idera.com
Vulnerable Version: All versions prior to fixed version.
Fixed Version: 5.8.1
CVE: -
R911: 0170
Date: 2014-10-29
By: RACK911

Product Description:

Idera Server Backup Manager is disk-to-disk backup software for Linux and Windows servers. (The product was previously better known as R1Soft Backup.)

Vulnerability Description:

Because the application does not issue a fresh session identifier when a user authenticates, a malicious user who plants a known session identifier in a victim's browser shares that session once the victim (user or administrator) logs in, which could result in unauthorized access.

Impact:

We have deemed this vulnerability to be rated as HIGH because unauthorized access to the backup manager could be obtained.

Vulnerable Version:

This vulnerability is believed to exist in all previous versions.

Fixed Version:

This vulnerability was patched in Idera Server Backup Manager (R1Soft) v5.8.1.

Vendor Contact Timeline:

2014-09-10: Vendor contacted via email.
2014-09-10: Vendor confirms vulnerability.
2014-10-27: Vendor issues update.
2014-10-29: RACK911 issues security advisory.

cPanel – Exim Valiases Arbitrary File Access (R911-0169)

July 28th, 2014

Type: Arbitrary File Access
Location: Local
Impact: High
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.44.1.5, 11.44.0.29, 11.42.1.23 & 11.40.1.18
CVE: -
R911: 0169
Date: 2014-07-28
By: RACK911

Product Description:

cPanel is an easy-to-use control panel that gives web hosts, and the website owners they serve, the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

It is possible for a malicious user to obtain the contents of any file on a cPanel server, including sensitive root-owned files, by modifying their account's valias (virtual alias) file to include a carefully crafted string; the file contents are then disclosed by a specific email request.

Impact:

We have deemed this vulnerability to be rated as HIGH because a user can access any file on the server with minimal effort.

Vulnerable Version:

This vulnerability was tested against cPanel 11.42.0.19 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in cPanel 11.44.1.5, 11.44.0.29, 11.42.1.23 & 11.40.1.18.

Vendor Contact Timeline:

2014-06-22: Vendor contacted via email.
2014-06-22: Vendor confirms vulnerability.
2014-07-21: Vendor issues updates to all builds.
2014-07-28: RACK911 issues security advisory.

cPanel – Adddns Input Validation Failure (R911-0168)

July 28th, 2014

Type: Input Validation Failure
Location: Remote
Impact: High
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.44.1.5, 11.44.0.29, 11.42.1.23 & 11.40.1.18
CVE: -
R911: 0168
Date: 2014-07-28
By: RACK911

Product Description:

cPanel is an easy-to-use control panel that gives web hosts, and the website owners they serve, the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

It is possible for a malicious reseller to take ownership of the server's hostname DNS zone due to an input validation failure within the adddns function.

Impact:

We have deemed this vulnerability to be rated as HIGH because the malicious reseller could intercept email bounces, failures and other server communications intended for addresses that make use of the server hostname.

Vulnerable Version:

This vulnerability was tested against cPanel 11.42.0.19 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in cPanel 11.44.1.5, 11.44.0.29, 11.42.1.23 & 11.40.1.18.

Vendor Contact Timeline:

2014-06-22: Vendor contacted via email.
2014-06-22: Vendor confirms vulnerability.
2014-07-21: Vendor issues updates to all builds.
2014-07-28: RACK911 issues security advisory.

cPanel – EasyApache & UPCP Denial of Service (R911-0167)

July 28th, 2014

Type: Denial of Service
Location: Local
Impact: High
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.44.1.5, 11.44.0.29, 11.42.1.23 & 11.40.1.18
CVE: -
R911: 0167
Date: 2014-07-28
By: RACK911

Product Description:

cPanel is an easy-to-use control panel that gives web hosts, and the website owners they serve, the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

It is possible for a malicious user to prevent EasyApache and UPCP (the cPanel update process) from running by executing a carefully crafted process.

Impact:

We have deemed this vulnerability to be rated as HIGH because a user can interfere with updates, which could prevent a server from obtaining necessary security patches.

Vulnerable Version:

This vulnerability was tested against cPanel 11.42.0.19 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in cPanel 11.44.1.5, 11.44.0.29, 11.42.1.23 & 11.40.1.18.

Vendor Contact Timeline:

2014-04-09: Vendor contacted via email.
2014-04-14: Vendor confirms vulnerability.
2014-07-21: Vendor issues updates to all builds.
2014-07-28: RACK911 issues security advisory.

cPanel – LeechProtect Denial of Service (R911-0166)

July 28th, 2014

Type: Denial of Service
Location: Local
Impact: Medium
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.44.1.5, 11.44.0.29, 11.42.1.23 & 11.40.1.18
CVE: -
R911: 0166
Date: 2014-07-28
By: RACK911

Product Description:

cPanel is an easy-to-use control panel that gives web hosts, and the website owners they serve, the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

It is possible for a malicious user to crash the LeechProtect service on cPanel by modifying the relevant mod_rewrite rules to include a certain string. When the malicious user then opens a page protected by LeechProtect, the crash occurs.

Impact:

We have deemed this vulnerability to be rated as MEDIUM because the LeechProtect service can be crashed but no sensitive information can be obtained.

Vulnerable Version:

This vulnerability was tested against cPanel 11.42.0.19 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in cPanel 11.44.1.5, 11.44.0.29, 11.42.1.23 & 11.40.1.18.

Vendor Contact Timeline:

2014-03-10: Vendor contacted via email.
2014-03-19: Vendor confirms vulnerability.
2014-07-21: Vendor issues updates to all builds.
2014-07-28: RACK911 issues security advisory.

cPanel – LeechProtect Unauthorized Htpasswd Modification (R911-0165)

July 28th, 2014

Type: Content Modification
Location: Local
Impact: Medium
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.44.1.5, 11.44.0.29, 11.42.1.23 & 11.40.1.18
CVE: -
R911: 0165
Date: 2014-07-28
By: RACK911

Product Description:

cPanel is an easy-to-use control panel that gives web hosts, and the website owners they serve, the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.

Vulnerability Description:

It is possible for a malicious user to interfere with another user's .htpasswds file by modifying the relevant mod_rewrite rules to point at a different directory. When the malicious user then intentionally triggers a suspension via LeechProtect, the other user's .htpasswds file is modified without authorization.

Impact:

We have deemed this vulnerability to be rated as MEDIUM because the LeechProtect service can be manipulated into interfering with other users' accounts.

Vulnerable Version:

This vulnerability was tested against cPanel 11.42.0.19 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in cPanel 11.44.1.5, 11.44.0.29, 11.42.1.23 & 11.40.1.18.

Vendor Contact Timeline:

2014-03-10: Vendor contacted via email.
2014-03-10: Vendor confirms vulnerability.
2014-07-21: Vendor issues updates to all builds.
2014-07-28: RACK911 issues security advisory.