Softaculous - Important Security Update
Posted by Patrick, 05-06-2013, 03:30 PM
Product Description:
Softaculous is the leading auto installer with over 300 applications that can be installed by a click of the mouse. The software is in use by thousands of web hosting companies and works with various control panels such as cPanel, Plesk, DirectAdmin, InterWorx and H-Sphere.
Vulnerability Description:
An attacker posing as a reseller can access Softaculous via WHM and using a particular URL open the error page that is supposed to be restricted to root users.
By default the error page will open a log file called error_log.log under the scripts directory, however an attacker can force the error page to read and/or delete any file on the server due to a fundamental flaw in WHM that allows plugins to be executed as root.
Proof of Concept:
Due to the nature of this vulnerability, a Proof of Concept will be released one week from now to give affected users a chance to upgrade.
Impact:
We have deemed this vulnerability to be rated as CRITICAL due to the fact that Softaculous when accessed via WHM is done so as root and can read any file regardless of ownership. (The error page will also allow the attacker the ability to wipe any file which could potentially render a server inoperable.)
Vulnerable Version:
This vulnerability was tested against Softaculous v4.2.2 for cPanel but is also confirmed to work under InterWorx with some slight changes to the exploit code.
Fixed Version:
This vulnerability was patched in version v4.2.3.
Vendor Contact Timeline:
2013-05-03: Vendor contacted via email.
2013-05-04: Vendor confirms vulnerability.
2013-05-06: Vendor issues v4.2.3 update.
2013-05-06: Rack911 issues security advisory.
Last edited by bear; 05-07-2013 at 01:58 PM.

Posted by Patrick, 05-06-2013, 03:32 PM
Product Description:
Softaculous is the leading auto installer with over 300 applications that can be installed by a click of the mouse. The software is in use by thousands of web hosting companies and works with various control panels such as cPanel, Plesk, DirectAdmin, InterWorx and H-Sphere.
Vulnerability Description:
An attacker can access Softaculous via cPanel and manipulate the backup feature to download system files by using a basic directory traversal.
Proof of Concept:
1. Log into cPanel using a standard account.
2. Open the following URL after the cPanel session:
/frontend/x3/softaculous/index.live.php?act=backups&download=../../../../../../etc/hosts
Note: The length of the directory traversal will depend on where the scripts directory is located. You may have to add additional ../'s for this attack to work.
Impact:
We have deemed this vulnerability to be rated as LOW due to the fact that Softaculous when accessed via cPanel is done so as the user and thus limits the scope of what files can be downloaded.
Vulnerable Version:
This vulnerability was tested against Softaculous v4.2.2 for cPanel but is also confirmed to work under InterWorx with some slight changes to the exploit code.
Fixed Version:
This vulnerability was patched in version v4.2.3.
Vendor Contact Timeline:
2013-05-03: Vendor contacted via email.
2013-05-04: Vendor confirms vulnerability.
2013-05-06: Vendor issues v4.2.3 update.
2013-05-06: Rack911 issues security advisory.
Last edited by bear; 05-07-2013 at 01:58 PM.
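Added example for the cPanel-side traversal above (this is not part of the thread and not Softaculous' or Rack911's code; it is written in Python rather than the plugin's PHP so it runs stand-alone): two defender-side checks. `scan_access_log()` parses access-log lines, picks out requests to the `index.live.php?act=backups` endpoint named in the advisory, and flags any `download` value that escapes its directory, including URL-encoded and double-encoded forms; `resolve_backup_path()` is the server-side check such a download handler needs, returning a real path only when it stays inside the backups directory. The log lines are constructed for the example, and the `softaculous_backups` directory name is an assumption.

```python
"""Defender-side checks for a backup-download directory traversal.

Added example, not the vendor's or the advisory author's code. The endpoint
path comes from the advisory; the log lines below are constructed, and the
backups directory name is an assumption.
"""
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample of cPanel-style access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - user1 [06/May/2013:15:40:01 +0000] "GET /frontend/x3/softaculous/index.live.php?act=backups&download=../../../../../../etc/hosts HTTP/1.1" 200 512
203.0.113.10 - user1 [06/May/2013:15:40:05 +0000] "GET /frontend/x3/softaculous/index.live.php?act=backups&download=wp_backup_2013.tar.gz HTTP/1.1" 200 1048576
198.51.100.7 - user2 [06/May/2013:15:41:12 +0000] "GET /frontend/x3/softaculous/index.live.php?act=backups&download=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1820
198.51.100.7 - user2 [06/May/2013:15:41:20 +0000] "GET /frontend/x3/softaculous/index.live.php?act=home HTTP/1.1" 200 9000
192.0.2.44 - user3 [06/May/2013:15:42:00 +0000] "GET /frontend/x3/softaculous/index.live.php?act=backups&download=%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 403 0
"""

# Common log format: ip ident user [timestamp] "METHOD url PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
ENDPOINT_RE = re.compile(r"/softaculous/index\.live\.php$")


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (%252e -> %2e -> .) up to `rounds` times."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(name):
    """True if the decoded download name tries to leave its own directory."""
    name = fully_decode(name).replace("\\", "/")
    if name.startswith("/"):
        return True
    return any(segment == ".." for segment in name.split("/"))


def scan_access_log(text):
    """Return (ip, user, decoded download name, status) for each traversal attempt."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        if not ENDPOINT_RE.search(parts.path):
            continue
        query = parse_qs(parts.query, keep_blank_values=True)
        if query.get("act") != ["backups"]:
            continue
        for name in query.get("download", []):
            if is_traversal(name):
                hits.append((m.group("ip"), m.group("user"),
                             fully_decode(name), int(m.group("status"))))
    return hits


def resolve_backup_path(base_dir, requested):
    """Server-side check: real path of `requested` if it stays inside base_dir, else None."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, fully_decode(requested)))
    # commonpath collapses to a parent (e.g. "/") when the candidate escaped.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for ip, user, name, status in scan_access_log(SAMPLE_LOG):
        print(f"traversal attempt: ip={ip} user={user} status={status} download={name}")
    # Assumed backups directory; the path itself need not exist for the check.
    print(resolve_backup_path("/srv/softaculous_backups", "../../etc/hosts"))
    print(resolve_backup_path("/srv/softaculous_backups", "wp_backup.tar.gz"))
```

The decoder runs a few rounds on purpose: a single `unquote` (which `parse_qs` already applies) misses double-encoded sequences, so the status column matters less than the decoded name. A 200 on a flagged line means the download likely succeeded and the named file should be treated as disclosed; a 403 or 404 shows the request was refused but still records who tried.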

Posted by Dougy, 05-06-2013, 03:36 PM
Got to love cPanel...
/me is glad he loves DA time

Posted by Webhostpython, 05-06-2013, 03:49 PM
Thank you Patrick for sharing this information

Posted by HostMantis, 05-06-2013, 04:21 PM
Thanks for sharing, however the proof of concept really shouldn't be posted here until everyone has had a chance to update.

Posted by CodyRo, 05-06-2013, 04:22 PM
Huh? It's an issue with Softaculous. Softaculous is supported on Direct Admin. Whether their plugin is vulnerable to this on that platform I'm not sure however your comment makes no sense.
The PoC posted has limited value.

Posted by Patrick, 05-06-2013, 04:30 PM
Yes. We made a decision to withhold the root level PoC for at least a week. The one posted is very limited and the same information gained there could be gained by many other legitimate means - SSH access for one.
We will be publishing a handful of advisories in the weeks to come, including another root exploit affecting a popular control panel and several admin flaws affecting popular billing / help desk software suites. We're just waiting on developers to issue patches and go from there.
Edit:
Our goal is to help make the hosting community safer but we also believe in full disclosure which is why all exploits will be made public after a reasonable amount of time has passed. Hopefully developers will look at how these attacks occur and use them as a reference to make their own software more secure.
Last edited by Patrick; 05-06-2013 at 04:36 PM.

Posted by Atlanical-Mike, 05-06-2013, 04:52 PM
Thank you for the announcement Patrick.

Posted by techjr, 05-06-2013, 05:52 PM
I believe the statement was made because plugins run as root. If they didn't (which they shouldn't), this exploit wouldn't have happened in the first place.
Or that's my understanding of how cPanel works.

Posted by Hostissimus, 05-06-2013, 05:55 PM
Thanks for the warning!

Posted by Patrick, 05-06-2013, 05:59 PM
They run all plugins within WHM as root which anyone with a brain can tell is a really bad idea in a non-trusted environment.
We will be issuing a general security advisory in the next couple of days to bring attention to the matter, along with some old proofs of concept to show how easy it is to gain root access through a third-party plugin.
I think some of you will be shocked by cPanel's response...

Posted by Steven, 05-06-2013, 05:59 PM
If cPanel didn't allow reseller plugins to run as root, no, there would be no privileged information disclosure, but there would still be a bug in Softaculous.

Posted by RRWH, 05-06-2013, 10:04 PM
Thanks for the disclosure - and anyone running Softaculous who has automated updates enabled should update within the next 24 hours (Noted that I got the emails a few hours ago stating it had updated).

Posted by brianoz, 05-07-2013, 07:29 AM
Am I right in my understanding here that to be able to exploit both of these they need to be logged in?
And to exploit the root access version they need to be logged in as a reseller?
I understand that this makes us all vulnerable via stolen credentials, but just wanting to position the vulnerability more accurately in my mind.

Posted by Patrick, 05-07-2013, 07:33 AM
Both of those statements are correct, the attacker needs to be logged in and they need to be a reseller.
However...
A much more damaging exploit has been found by Steven and a couple of friends of Rack911 where a standard user (non-reseller) can take over a root account with one command! It is much worse than the ones I published above. Details regarding the new exploit will be coming later today along with a temporary workaround.

Posted by Zimple, 05-07-2013, 08:56 AM
Many thanks for sharing this information.