Virtualizor – CSRF (Add Admin) (R911-0029)

Type: CSRF (Add Admin)
Impact: High
Product: Virtualizor
Website: http://www.virtualizor.com/
Vulnerable Version: 2.2.9
Fixed Version: 2.3.0
CVE: -
R911: 0029
Date: 2013-06-19
By: http://www.rack911.com

Product Description:

Virtualizor is a powerful web-based VPS control panel. It supports OpenVZ, Xen PV, Xen HVM and Linux KVM virtualization. Admins can create a VPS on the fly with the click of a button, and VPS users can start, stop, restart and manage their VPS using a very advanced web-based GUI.

Vulnerability Description:

A CSRF (Cross-Site Request Forgery) vulnerability exists in the default settings of Virtualizor. It would allow an attacker to create a new administrator account should a legitimate administrator, while logged in to the panel, view a website containing the malicious code.
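As an added illustration (not Rack911's withheld proof of concept and not Virtualizor's own code), the Python sketch below contrasts an admin-creation handler that trusts the session cookie alone with one that also requires a per-session synchronizer token and checks the request's Origin; the handler names, form fields, session layout and origins are hypothetical stand-ins.

```python
import hmac
import secrets
from urllib.parse import urlsplit

PANEL_ORIGIN = "https://panel.example"   # hypothetical panel origin

class Session:
    def __init__(self, user):
        self.user = user
        self.csrf_token = secrets.token_hex(32)   # per-session token

def same_origin(url, expected):
    a, b = urlsplit(url), urlsplit(expected)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)

def add_admin_unprotected(session, form, admins):
    # Vulnerable pattern: only the session cookie is checked, and the browser
    # attaches that cookie even when another site triggered the POST.
    if session.user not in admins:
        return 403
    admins.add(form["username"])
    return 200

def add_admin_protected(session, form, headers, admins):
    if session.user not in admins:
        return 403
    # Synchronizer token: a cross-site page cannot read it, so it cannot
    # supply it; constant-time compare avoids leaking it byte by byte.
    if not hmac.compare_digest(form.get("csrf_token", ""), session.csrf_token):
        return 403
    # Defence in depth: if the browser sent Origin/Referer, it must be the panel.
    source = headers.get("Origin") or headers.get("Referer")
    if source and not same_origin(source, PANEL_ORIGIN):
        return 403
    admins.add(form["username"])
    return 200

def demo():
    """Constructed scenario: forged vs. legitimate POST; returns codes and admin sets."""
    session = Session("root")
    forged = {"username": "attacker"}                       # no token available
    forged_headers = {"Origin": "https://evil.example"}
    legit = {"username": "newadmin", "csrf_token": session.csrf_token}
    legit_headers = {"Origin": PANEL_ORIGIN}
    weak, hardened = {"root"}, {"root"}
    r1 = add_admin_unprotected(session, forged, weak)
    r2 = add_admin_protected(session, forged, forged_headers, hardened)
    r3 = add_admin_protected(session, legit, legit_headers, hardened)
    return r1, r2, r3, sorted(weak), sorted(hardened)
```

Running `demo()` shows the unprotected handler accepting the forged request (200) while the protected one rejects it (403) and still accepts the legitimate, token-bearing submission.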

Proof of Concept:

Due to the nature of this vulnerability, we will not be releasing a PoC until a much later date, after everyone has updated.

Impact:

We rate this vulnerability HIGH because a malicious user would be able to obtain administrative access.

Vulnerable Version:

This vulnerability was tested against Virtualizor v2.2.9.

Fixed Version:

This vulnerability was fixed in Virtualizor v2.3.0.

Vendor Contact Timeline:

2013-05-21: Vendor contacted via email.
2013-05-22: Vendor confirms vulnerability.
2013-06-13: Vendor issues 2.3.0 update.
2013-06-19: Rack911 issues security advisory.