Softaculous – Upgrade Installation (cPanel) Privilege Escalation (R911-0114)

Type: Privilege Escalation
Location: Local
Impact: Critical
Product: Softaculous
Website: http://www.softaculous.com
Vulnerable Version: 4.3.9
Fixed Version: 4.4.0
CVE: -
R911: 0114
Date: 2014-01-16
By: Rack911

Product Description:

Softaculous is the leading auto installer, with over 300 applications that can be installed with a click of the mouse. The software is used by thousands of web hosting companies and works with control panels such as cPanel, Plesk, DirectAdmin, InterWorx and H-Sphere.

Vulnerability Description:

A malicious reseller can exploit a privilege escalation vulnerability in the Upgrade Installation function of Softaculous for cPanel, which can lead to a root compromise of the server.

Impact:

We rate this vulnerability CRITICAL because interactive root access can be obtained.

Vulnerable Version:

This vulnerability was tested against Softaculous v4.3.9 for cPanel, but it may also exist in the versions for other control panels.

Fixed Version:

This vulnerability was patched in Softaculous v4.4.0.
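As an added example (not part of the Rack911 advisory or of Softaculous's own code), the following script classifies an installed Softaculous version against the fixed release named above. The version string comes from the command line (a constructed sample, "4.3.9", is used when none is given; on a real server it would be read from the Softaculous admin panel). The script assumes every release before 4.4.0 is affected, which the advisory confirms only for 4.3.9. It compares versions numerically rather than as strings, because a string comparison would sort "4.10.0" before "4.4.0" and mislabel a newer build as vulnerable.

```python
"""Classify an installed Softaculous version against the advisory's fixed release.

Added example; not part of the Rack911 advisory or of Softaculous itself.
Assumption: every release before 4.4.0 is affected (the advisory only
confirms 4.3.9).
"""
import re
import sys

FIXED_VERSION = "4.4.0"  # fixed release named in the advisory


def parse_version(text):
    """Turn '4.3.9' (or ' v4.4.0 ', '4.3.9-1') into a tuple of ints for ordering.

    Dotted versions must be compared numerically: as strings, "4.10.0" sorts
    before "4.4.0", which would mislabel a newer build as vulnerable.
    """
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True if the installed version predates the fixed release."""
    a, b = parse_version(installed), parse_version(fixed)
    # Pad with zeros so that "4.4" compares equal to "4.4.0".
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


if __name__ == "__main__":
    # Constructed sample input when no version is given on the command line.
    ver = sys.argv[1] if len(sys.argv) > 1 else "4.3.9"
    if is_vulnerable(ver):
        print("%s: VULNERABLE, update to %s or later" % (ver, FIXED_VERSION))
    else:
        print("%s: at or above the fixed release" % ver)
```

Usage: `python check_softaculous.py 4.3.9` reports the version as vulnerable; `python check_softaculous.py 4.10.0` does not, even though a plain string comparison against "4.4.0" would.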

Vendor Contact Timeline:

2014-01-14: Vendor contacted via email.
2014-01-14: Vendor confirms vulnerability.
2014-01-15: Vendor issues v4.4.0 update.
2014-01-16: Rack911 issues security advisory.