WHMreseller is a control panel developed for creating Master Resellers and Resellers. With the Master Reseller privilege, a reseller can resell reseller accounts, control reseller quotas, assign private name servers, and suspend, unsuspend, and terminate resellers.
A malicious reseller can upload a tainted backup archive that, when restored, gives the reseller "all" privileges, which translates to root-level access.
Proof of Concept:
Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.
We rate this vulnerability as HIGH because root-level access can be obtained.
This vulnerability was tested against WHMreseller v4.119 and is believed to exist in previous versions.
This vulnerability was patched in WHMreseller v4.127.