Type: Privilege Escalation
Vulnerable Version: 4.3.6
Fixed Version: 4.3.8
Softaculous is the leading auto installer with over 300 applications that can be installed by a click of the mouse. The software is in use by thousands of web hosting companies and works with various control panels such as cPanel, Plesk, DirectAdmin, InterWorx and H-Sphere.
It is possible for a malicious user to exploit a privilege escalation vulnerability within the Import function of Softaculous for cPanel, which could lead to a root compromise of the server.
We have rated this vulnerability CRITICAL because interactive root access can be obtained.
This vulnerability was tested against Softaculous v4.3.6 for cPanel but it may exist in other control panel versions as well.
This vulnerability was patched in Softaculous v4.3.8.
Vendor Contact Timeline:
2013-12-31: Vendor contacted via email.
2014-01-01: Vendor confirms vulnerability.
2014-01-02: Vendor issues v4.3.8 update.
2014-01-02: Rack911 issues security advisory.