Type: Insecure File Permissions
Product: Admin-Ahead Bulk DNS TTL Changer
Vulnerable Version: 1.0.0
Fixed Version: 1.0.1
Here we introduce the A-AST Bulk DNS TTL changer v1.0 for cPanel/WHM. With this interface, you get to lower TTL values for multiple domains all at once, and make sure that the DNS information that you change will take effect in a shorter interval of time. What’s more? Once your migration is complete, you can use this same tool to raise the DNS TTL values of multiple domains and thus make life a little easier on name servers.
Due to insecure file permissions set when the plugin is installed, it is possible under certain circumstances for a user to modify the files, which could lead to a root compromise.
We rate this vulnerability as MEDIUM because the files can be modified under certain circumstances by a specific user.
This vulnerability was tested against Admin-Ahead Bulk DNS TTL Changer v1.0.0 and is believed to exist in all prior versions.
This vulnerability was patched in Admin-Ahead Bulk DNS TTL Changer v1.0.1.
Vendor Contact Timeline:
2013-11-17: Vendor contacted via email.
2013-11-17: Vendor confirms vulnerability.
2013-11-18: Vendor issues 1.0.1 update.
2013-11-18: Rack911 issues security advisory.