WHMPHP – Insecure Credential Storage (R911-0069)

Type: Insecure Credential Storage
Location: Local
Impact: High
Product: WHMPHP
Website: http://www.whmphp.com
Vulnerable Version: v6.4
Fixed Version: v6.5
CVE: -
R911: 0069
Date: 2013-09-18
By: Rack911

Product Description:

WHMPHP is a control panel developed for creating Master Resellers and Resellers. With the Master Reseller privilege, a reseller can resell reseller accounts, control the reseller quotas , assign private name servers, suspend, unsuspend, as well as terminate resellers.

Vulnerability Description:

There is a fundamental failure in how WHMPHP operates that allows any user on the server, regardless if they are master resellers or not to view the root access hash that would ultimately allow an
attacker the ability to perform any function as root.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that a normal user can perform any tasks as root.

Vulnerable Version:

This vulnerability was tested against WHMPHP v6.4 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in WHMPHP 6.5.

Vendor Contact Timeline:

2013-05-23: Vendor contacted via email.
2013-05-25: Vendor confirms vulnerability.
2013-08-31: Vendor issues update.
2013-09-18: Rack911 issues security advisory.