Type: Directory Traversal
Vulnerable Version: 4.2.2
Fixed Version: 4.2.3
Softaculous is the leading auto installer with over 300 applications that can be installed by a click of the mouse. The software is in use by thousands of web hosting companies and works with various control panels such as cPanel, Plesk, DirectAdmin, InterWorx and H-Sphere.
An attacker can access Softaculous via cPanel and manipulate the backup feature to download system files by using a basic directory traversal.
Proof of Concept:
1. Log into cPanel using a standard account.
2. Open the following URL after the cPanel session:
Note: The length of the directory traversal depends on where the scripts directory is located. You may have to add additional `../` segments for this attack to work.
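As an added example that is neither the vendor's code nor the advisory's exploit, the check a backup download handler should make before serving a file, written in Python rather than Softaculous's PHP, together with a small access-log review for the same traversal pattern. `BASE_DIR`, the endpoint path, the `file` parameter and the log lines are constructed placeholders, not real Softaculous values.

```python
import os
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed example base directory for the account's backups; a real
# deployment would use the per-account backup directory, not this path.
BASE_DIR = "/srv/softaculous_backups_example"


def resolve_backup_path(base_dir: str, requested: str) -> Optional[str]:
    """Return the canonical path of a backup file inside base_dir, or None
    if the requested name would escape it (directory traversal)."""
    base = os.path.realpath(base_dir)
    # Percent-decode first so "%2e%2e/" is handled exactly like "../".
    # realpath collapses any number of "../" segments (the advisory notes the
    # required count varies per install) and resolves symlinks under base.
    candidate = os.path.realpath(os.path.join(base, unquote(requested)))
    # commonpath equals base only when candidate is base or lies inside it.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# Constructed access-log lines; the endpoint path and "file" parameter are
# placeholders, not the real Softaculous backup download URL.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /softaculous/backup-download-example?file=site.tar.gz HTTP/1.1" 200',
    '10.0.0.9 - - "GET /softaculous/backup-download-example?file=../../../../etc/passwd HTTP/1.1" 200',
    '10.0.0.9 - - "GET /softaculous/backup-download-example?file=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 200',
]


def find_traversal_requests(log_lines: List[str]) -> List[str]:
    """Return log lines whose query string carries a ".." path segment in any
    parameter value after percent-decoding (for retroactive log review)."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) ', line)
        if not m:
            continue
        params = parse_qs(urlsplit(m.group(1)).query)  # parse_qs percent-decodes
        for values in params.values():
            if any(".." in v.replace("\\", "/").split("/") for v in values):
                hits.append(line)
                break
    return hits
```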
We have rated this vulnerability LOW because Softaculous, when accessed via cPanel, runs as the cPanel user, which limits the set of files that can be downloaded.
This vulnerability was tested against Softaculous v4.2.2 for cPanel but is also confirmed to work under InterWorx with some slight changes to the exploit code.
This vulnerability was patched in version v4.2.3.
Vendor Contact Timeline:
2013-05-03: Vendor contacted via email.
2013-05-04: Vendor confirms vulnerability.
2013-05-06: Vendor issues v4.2.3 update.
2013-05-06: Rack911 issues security advisory.