cPnginx – Content Disclosure (Root Access) (R911-0008)

Type: Content Disclosure (Root Access)
Impact: High
Product: cPnginx
Website: http://www.cpnginx.com
Vulnerable Version: 6.2 and possibly earlier.
Fixed Version: 6.3
CVE: -
R911: 0008
Date: 2013-05-21
By: http://www.rack911.com

Product Description:

cPnginx is a cPanel nginx integration plugin. This plugin will increase your server performance and decrease server loads caused by the Apache web server. Nginx + cPanel + Apache = performance-boosted, secured hosting server.

Vulnerability Description:

cPnginx allows a reseller account to access sensitive PHP scripts because no ACL checks are applied to them.

Through these PHP scripts an attacker is able to make nginx configuration changes that allow the attacker to view any file on the server. The server can continue to operate normally with these changes in place, and it is also possible to disable logging of the malicious HTTP requests, which means an attacker could obtain sensitive data without their activity being logged.
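A defensive check that fits the behaviour described above, added here as an example and not code from Rack911 or the cPnginx project: it scans nginx vhost includes for `root`/`alias` directives that resolve outside an assumed allow-list of customer document roots and for `access_log off`, the two symptoms the advisory describes. The sample configuration is constructed for the example.

```python
import os
import re

# Constructed sample of vhost includes; not taken from cPnginx or any real server.
SAMPLE_CONF = """
server {
    server_name good.example;
    access_log /var/log/nginx/good.access.log;
    root /home/good/public_html;
    location /img/ { alias /home/good/public_html/img/; }
}
server {
    server_name bad.example;
    access_log off;
    location /files/ { alias /; }
    location /keys/ { root /root/.ssh; }
}
"""

# Assumed allow-list of prefixes a customer vhost may legitimately serve from.
ALLOWED_PREFIXES = ("/home/", "/usr/local/apache/htdocs/")

# Matches the few directives the audit cares about; values end at ';'.
DIRECTIVE = re.compile(r"\b(server_name|root|alias|access_log)\s+([^;{}]+);")


def audit_nginx_conf(text, allowed=ALLOWED_PREFIXES):
    """Return (server_name, finding) tuples for each suspicious directive."""
    findings = []
    current = "<unnamed>"
    for name, value in DIRECTIVE.findall(text):
        value = value.strip()
        if name == "server_name":
            current = value  # attribute later findings to this server block
        elif name == "access_log" and value == "off":
            findings.append((current, "access_log disabled"))
        elif name in ("root", "alias"):
            # Normalise so "/home/x/../../etc" is judged as "/etc", not "/home/...".
            path = os.path.normpath(value) + "/"
            if not path.startswith(allowed):
                findings.append((current, f"{name} outside allowed roots: {value}"))
    return findings


if __name__ == "__main__":
    for server, finding in audit_nginx_conf(SAMPLE_CONF):
        print(f"{server}: {finding}")
```

Run it over the files nginx actually includes (for example everything under the plugin's vhost directory) after any change made through the web interface; a clean configuration returns an empty list.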

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We rate this vulnerability HIGH because any file can be viewed regardless of ownership, including root-owned files such as /etc/shadow, the MySQL root password, any private SSH keys, and every file under the /home directory.

Work Around:

Upgrade to the latest version of cPnginx.

Vulnerable Version:

This vulnerability was tested against cPnginx 6.2 and it is believed that prior versions are also vulnerable.