Type: Arbitrary Command Execution
Vulnerable Version: v6.4
Fixed Version: v6.5
WHMPHP is a control panel developed for creating Master Resellers and Resellers. With the Master Reseller privilege, a reseller can resell reseller accounts, control the reseller quotas , assign private name servers, suspend, unsuspend, as well as terminate resellers.
There is a flaw within the IP Unblocker (CSF) feature that allows an attacker to manipulate WHMPHP to run commands as root via a normal reseller account under WHM or a master reseller account under cPanel.
Proof of Concept:
Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.
We have deemed this vulnerability to be rated as HIGH due to the fact that a normal user can gain an instant root shell.
This vulnerability was tested against WHMPHP v6.4 and is believed to exist in all prior versions.
This vulnerability was patched in WHMPHP 6.5.
Vendor Contact Timeline:
2013-05-23: Vendor contacted via email.
2013-05-25: Vendor confirms vulnerability.
2013-05-25: Vendor issues update.
2013-09-18: Rack911 issues security advisory.