  1. #1

    UNIXY Varnish (cPanel Plugin) - Content Manipulation (R911-0092)

    Type: Content Manipulation
    Location: Local
    Impact: High
    Product: UNIXY cPanel Varnish
    Website: http://www.unixy.net
    Vulnerable Version: 1.8.4
    Fixed Version: 1.8.6
    CVE: -
    R911: 0092
    Date: 2013-11-20
    By: Rack911
    Product Description:

    The UNIXY cPanel plugin comes with a Web interface to manage Varnish via cPanel WHM. The cPanel app takes the complexity out of Varnish in a consolidated one-stop interface. The script allows you to uninstall Varnish, modify Varnish settings, lookup caching stats, refresh the Varnish cache, restart Varnish, and much more!

    Vulnerability Description:

    A malicious user can redirect any website on the server to a malicious website due to Varnish being installed by the plugin in an insecure manner.

    Impact:

    We have deemed this vulnerability to be rated as HIGH due to the fact that any website on the server can be effectively hijacked.

    Vulnerable Version:

    This vulnerability was tested against UNIXY cPanel Varnish v1.8.4 and is believed to exist in all prior versions.

    Fixed Version:

    This vulnerability was *silently* patched in UNIXY cPanel Varnish v1.8.6.
    Vendor Contact Timeline:

    2013-10-12: Vendor contacted via email.
    2013-10-12: Vendor confirms vulnerability.
    2013-11-??: Vendor issues v1.8.6 update.
    2013-11-20: Rack911 issues security advisory.
    Patrick William | RACK911 Labs | Software Security Auditing
    400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com

    www.HostingSecList.com - Security notices for the hosting community.

  2. #2
    We stand corrected: this update was not patched silently. A notice was sent out, but we never received it, nor was there any mention of it on their Twitter or home page...
