Softaculous – Import (cPanel) Privilege Escalation (R911-0111)

Type: Privilege Escalation
Location: Local
Impact: Critical
Product: Softaculous
Website: http://www.softaculous.com
Vulnerable Version: 4.3.6
Fixed Version: 4.3.8
CVE: -
R911: 0111
Date: 2014-01-02
By: Rack911

Product Description:

Softaculous is the leading auto installer, with over 300 applications that can be installed with a click of the mouse. The software is in use by thousands of web hosting companies and works with various control panels such as cPanel, Plesk, DirectAdmin, InterWorx and H-Sphere.

Vulnerability Description:

A malicious local user can exploit a privilege escalation vulnerability in the Import function of Softaculous for cPanel, which could lead to a root compromise.

Impact:

We rate this vulnerability as CRITICAL because interactive root access can be obtained.

Vulnerable Version:

This vulnerability was tested against Softaculous v4.3.6 for cPanel, but it may also exist in the versions for other control panels.

Fixed Version:

This vulnerability was patched in Softaculous v4.3.8.

Vendor Contact Timeline:

2013-12-31: Vendor contacted via email.
2014-01-01: Vendor confirms vulnerability.
2014-01-02: Vendor issues v4.3.8 update.
2014-01-02: Rack911 issues security advisory.