OnApp – Password Reset Arbitrary File Disclosure (R911-0161)

Type: Arbitrary File Disclosure
Location: Local
Impact: High
Product: OnApp
Website: http://www.onapp.com
Vulnerable Version: All builds prior to fixed version below.
Fixed Version: 3.2.2-29
CVE: -
R911: 0161
Date: 2014-06-05
By: RACK911

Product Description:

OnApp software enables Infrastructure-as-a-Service for hosts, telcos and other service providers. With OnApp in your datacenter you can use commodity hardware to sell public & private cloud services, dedicated servers, Virtual Private Servers, CDN, DNS, storage and much more, through one fully automated control panel.

Vulnerability Description:

It is possible for a malicious user to view the contents of any file on the HyperVisor due to an arbitrary file disclosure vulnerability present within the (root) Password Reset functionality of OnApp.


We have deemed this vulnerability to be rated as HIGH due to the fact that sensitive files on the HyperVisor can be accessed.

Vulnerable Version:

This vulnerability is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in OnApp 3.2.2-29: https://docs.onapp.com/display/RN/3.2.2-29+Update

Vendor Contact Timeline:

2014-05-28: Vendor contacted via email.
2014-05-28: Vendor confirms vulnerability.
2014-06-04: Vendor issues updates to all builds.
2014-06-05: RACK911 issues security advisory.