WHMPHP – Arbitrary Command Execution (R911-0070)

Type: Arbitrary Command Execution
Location: Local
Impact: High
Product: WHMPHP
Website: http://www.whmphp.com
Vulnerable Version: v6.4
Fixed Version: v6.5
CVE: -
R911: 0070
Date: 2013-09-18
By: Rack911

Product Description:

WHMPHP is a control panel developed for creating Master Resellers and Resellers. With the Master Reseller privilege, a reseller can resell reseller accounts, control the reseller quotas , assign private name servers, suspend, unsuspend, as well as terminate resellers.

Vulnerability Description:

There is a flaw within the IP Unblocker (CSF) feature that allows an attacker to manipulate WHMPHP to run commands as root via a normal reseller account under WHM or a master reseller account under cPanel.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.


We have deemed this vulnerability to be rated as HIGH due to the fact that a normal user can gain an instant root shell.

Vulnerable Version:

This vulnerability was tested against WHMPHP v6.4 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in WHMPHP 6.5.

Vendor Contact Timeline:

2013-05-23: Vendor contacted via email.
2013-05-25: Vendor confirms vulnerability.
2013-05-25: Vendor issues update.
2013-09-18: Rack911 issues security advisory.