Type: CSRF (Add Admin)
Vulnerable Version: 2.2.9
Fixed Version: 2.3.0
Virtualizor is a powerful web based VPS Control Panel. It supports OpenVZ, Xen PV, Xen HVM and Linux KVM virtualization. Admins can create a VPS on the fly by the click of a button. VPS users can start, stop, restart and manage their VPS using a very advanced web based GUI.
A CSRF (Cross-Site Request Forgery) vulnerability exists in the default settings of Virtualizor that would allow an attacker to create a new administrator account should a legitimate administrator view a website containing the malicious code.
Proof of Concept:
Due to the nature of this vulnerability, we will not be releasing a POC until a much later date after everyone has updated.
We rate this vulnerability HIGH because a malicious user would be able to obtain administrative access.
This vulnerability was tested against Virtualizor v2.2.9.
This vulnerability was fixed in Virtualizor v2.3.0.
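For defenders, the following is an added illustration of the server-side check that closes this class of bug: a per-session synchronizer token combined with an Origin/Referer check on state-changing admin requests. It is example code written for this advisory, not Virtualizor's own code; the panel origin, the request shape and the form field names are assumed.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Origin the control panel is served from (assumed value for this example).
PANEL_ORIGIN = "https://panel.example.com:4085"

def issue_csrf_token(session: dict) -> str:
    """Mint a per-session secret, keep it server-side, embed it in each admin form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def _origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"

def is_request_allowed(request: dict, session: dict) -> bool:
    """True only if a mutating request (such as 'add admin') is first-party;
    `request` is a constructed {"method", "headers", "form"} shape for this example."""
    if request["method"].upper() not in ("POST", "PUT", "DELETE"):
        return True  # reads are not the concern here; mutations must never be GET
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    source = headers.get("origin") or headers.get("referer")
    if not source or _origin_of(source) != PANEL_ORIGIN:
        return False  # request came from another site, or its source is unknown
    expected = session.get("csrf_token")
    supplied = request.get("form", {}).get("csrf_token", "")
    if not expected or not supplied:
        return False
    # Constant-time comparison so the token cannot be leaked through timing.
    return hmac.compare_digest(expected.encode(), supplied.encode())

def demo() -> dict:
    """Exercise the check with a legitimate request and two forged ones."""
    session = {}
    token = issue_csrf_token(session)
    legit = {"method": "POST", "headers": {"Origin": PANEL_ORIGIN},
             "form": {"newadmin": "ops", "csrf_token": token}}
    # Cross-site POST: the victim's browser attaches their cookies, but Origin
    # names the foreign page and the form carries no token.
    forged = {"method": "POST", "headers": {"Origin": "https://evil.example"},
              "form": {"newadmin": "backdoor"}}
    # Right origin header but a guessed token: still rejected.
    guessed = {"method": "POST", "headers": {"Origin": PANEL_ORIGIN},
               "form": {"newadmin": "backdoor", "csrf_token": "A" * 43}}
    return {name: is_request_allowed(req, session)
            for name, req in (("legit", legit), ("forged", forged), ("guessed", guessed))}
```

Both checks are independent, so a deployment that cannot rely on browsers sending Origin still gets the token check, and a token leaked into a log is still useless from a foreign origin.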
Vendor Contact Timeline:
2013-05-21: Vendor contacted via email.
2013-05-22: Vendor confirms vulnerability.
2013-06-13: Vendor issues 2.3.0 update.
2013-06-19: Rack911 issues security advisory.