WHMreseller – Arbitrary File Access (R911-0065)

Type: Arbitrary File Access
Location: Local
Impact: High
Product: WHMreseller
Website: http://www.deasoft.com/whmreseller.php
Vulnerable Version: v4.118
Fixed Version: v4.119
CVE: -
R911: 0065
Date: 2013-09-11
By: Rack911

Product Description:

WHMreseller is a control panel developed for creating Master Resellers and Resellers. With the Master Reseller privilege, a reseller can resell reseller accounts, control the reseller quotas, assign private name servers, suspend, unsuspend, as well as terminate resellers.

Vulnerability Description:

There is a flaw within the Download Local Backup feature that allows an attacker to access any file, regardless of ownership, including the root access hash.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We rate this vulnerability as HIGH because any file can be accessed. Should the attacker target the root access hash, they would be able to use it to give themselves interactive root access by adding a specific SSH key.

Vulnerable Version:

This vulnerability was tested against WHMreseller v4.118 and is believed to exist in previous versions.

Fixed Version:

This vulnerability was patched in WHMreseller v4.119.

Vendor Contact Timeline:

2013-09-09: Vendor contacted via email.
2013-09-09: Vendor confirms vulnerability.
2013-09-10: Vendor issues v4.119 update.
2013-09-11: Rack911 issues security advisory.