Type: Privilege Escalation
Vulnerable Version: 4.3.9
Fixed Version: 4.4.0
Softaculous is the leading auto installer with over 300 applications that can be installed by a click of the mouse. The software is in use by thousands of web hosting companies and works with various control panels such as cPanel, Plesk, DirectAdmin, InterWorx and H-Sphere.
It is possible for a malicious reseller to exploit a privilege escalation vulnerability within the Upgrade Installation function of Softaculous (cPanel) that could lead to a root compromise.
We rate this vulnerability as CRITICAL because interactive root access can be obtained.
This vulnerability was tested against Softaculous v4.3.9 for cPanel but it may exist in other control panel versions as well.
This vulnerability was patched in Softaculous v4.4.0.
Vendor Contact Timeline:
2014-01-14: Vendor contacted via email.
2014-01-14: Vendor confirms vulnerability.
2014-01-15: Vendor issues v4.4.0 update.
2014-01-16: Rack911 issues security advisory.