Type: Directory Traversal (Root Access)
Vulnerable Version: 4.2.2
Fixed Version: 4.2.3
Softaculous is the leading auto installer with over 300 applications that can be installed by a click of the mouse. The software is in use by thousands of web hosting companies and works with various control panels such as cPanel, Plesk, DirectAdmin, InterWorx and H-Sphere.
An attacker posing as a reseller can access Softaculous via WHM and using a certain URL open the error page that is supposed to be restricted to root users.
By default the error page will open a log file called error_log.log under the scripts directory, however an attacker can force the error page to read and/or delete any file on the server due to a fundamental flaw in WHM that allows plugins to be executed as root.
Proof of Concept:
Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.
We have deemed this vulnerability to be rated as CRITICAL due to the fact that Softaculous when accessed via WHM is done so as root and can read any file regardless of ownership. (The error page will also allow the attacker the ability to wipe any file which could potentially render a server inoperable.)
This vulnerability was tested against Softaculous v4.2.2 for cPanel but is also confirmed to work under InterWorx with some slight changes to the exploit code.
This vulnerability was patched in version v4.2.3.
Vendor Contact Timeline:
2013-05-03: Vendor contacted via email.
2013-05-04: Vendor confirms vulnerability.
2013-05-06: Vendor issues v4.2.3 update.
2013-05-06: Rack911 issues security advisory.