Softaculous – Directory Traversal (R911-0001)

Type: Directory Traversal
Impact: Low
Product: Softaculous
Website: http://www.softaculous.com
Vulnerable Version: 4.2.2
Fixed Version: 4.2.3
CVE: -
R911: 0001
Date: 2013-05-06
By: https://www.rack911.com

Product Description:

Softaculous is the leading auto installer with over 300 applications that can be installed by a click of the mouse. The software is in use by thousands of web hosting companies and works with various control panels such as cPanel, Plesk, DirectAdmin, InterWorx and H-Sphere.

Vulnerability Description:

An attacker can access Softaculous via cPanel and manipulate the backup feature to download system files by using a basic directory traversal.

Proof of Concept:

1. Log into cPanel using a standard account.

2. Open the following URL after the cPanel session:

/frontend/x3/softaculous/index.live.php?act=backups&download=../../../../../../etc/hosts

Note: The length of the directory traversal will depend on where the scripts directory is located. You may have to add additional ../’s for this attack to work.
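The fix on the application side is to canonicalise the requested file name and refuse anything that does not resolve inside the backups directory. The following is an added illustration in Python, not Softaculous code; the backups directory, file names and symlink are constructed for the demo.

```python
import os
import tempfile


def resolve_backup_path(backups_dir, requested):
    """Map a user-supplied download name onto a file inside backups_dir.

    Returns the canonical absolute path, or None when the request would leave
    the directory (traversal, absolute path, symlink escape, or the directory itself).
    """
    base = os.path.realpath(backups_dir)
    # Downloads are always relative to the backups directory; an absolute
    # path can only be an attempt to name some other file.
    if os.path.isabs(requested):
        return None
    # realpath collapses every "..", and also follows symlinks, so a link
    # inside the directory that points elsewhere is judged by its target.
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath (not startswith) avoids matching a sibling such as
    # /home/u/backups_old when the base is /home/u/backups.
    if os.path.commonpath([base, candidate]) != base or candidate == base:
        return None
    return candidate


def demo():
    """Exercise the check against a constructed backups directory and
    return {request: accepted?} for inspection."""
    with tempfile.TemporaryDirectory() as tmp:
        backups = os.path.join(tmp, "backups")
        os.makedirs(os.path.join(backups, "2013"))
        open(os.path.join(backups, "site.tar.gz"), "w").close()
        open(os.path.join(backups, "2013", "db.sql.gz"), "w").close()
        open(os.path.join(tmp, "outside.txt"), "w").close()
        # a symlink inside the directory that points outside it (constructed)
        os.symlink(os.path.join(tmp, "outside.txt"), os.path.join(backups, "link"))
        requests = [
            "site.tar.gz",                  # ordinary download
            "2013/db.sql.gz",               # nested, still inside
            "2013/../site.tar.gz",          # ".." that does not escape
            "../../../../../../etc/hosts",  # the advisory's payload
            "link",                         # symlink escape
            "",                             # the directory itself
        ]
        return {r: resolve_backup_path(backups, r) is not None for r in requests}
```

The check must run on the fully decoded value the application actually hands to the filesystem; a plain "does it contain `..`" filter is weaker than canonicalising and comparing against the base directory.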

Impact:

We have rated this vulnerability LOW because Softaculous, when accessed via cPanel, runs as the cPanel user, which limits the scope of files that can be downloaded to those that user can already read.

Vulnerable Version:

This vulnerability was tested against Softaculous v4.2.2 for cPanel but is also confirmed to work under InterWorx with some slight changes to the exploit code.

Fixed Version:

This vulnerability was patched in version v4.2.3.

Vendor Contact Timeline:

2013-05-03: Vendor contacted via email.
2013-05-04: Vendor confirms vulnerability.
2013-05-06: Vendor issues v4.2.3 update.
2013-05-06: Rack911 issues security advisory.