#1 - 12-24-2013, 01:20 AM - Problem Solver
CloudLinux - CageFS (postmodifyacct) Input Validation Failure
Type: Input Validation Failure
Location: Remote
Impact: High
Product: CloudLinux
Website: http://www.cloudlinux.com
Vulnerable Version: CageFS 5.2-12
Fixed Version: CageFS 5.2-15
CVE: -
R911: R911-0108
Date: 2013-12-23
By: Rack911
CloudLinux is a commercially supported Linux operating system interchangeable with CentOS. It includes kernel-level technology called LVE that allows you to control CPU and memory on a per-tenant basis. It is the basis for application-level virtualization. CloudLinux delivers advanced resource management, better security and performance optimizations specifically targeted at multi-tenant hosting environments.
Vulnerability Description:
Due to an input validation failure present within the postmodifyacct script for cPanel, it is possible for a malicious reseller to disable CageFS and perform other commands intended for an administrator.
Proof of Concept:
A POC may be provided at a later date.
Impact:
We have deemed this vulnerability to be rated as HIGH due to the fact that CageFS can be disabled.
Vulnerable Version:
This vulnerability was tested against CloudLinux CageFS 5.2-12 and is believed to exist in all prior versions.
Fixed Version:
This vulnerability was patched in CloudLinux CageFS 5.2-15.
Vendor Contact Timeline:
2013-12-20: Vendor contacted via email.
2013-12-21: Vendor confirms vulnerability.
2013-12-23: Vendor issues update.
2013-12-23: Rack911 issues security advisory.
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
#2 - 12-24-2013, 01:20 AM - Problem Solver
To update:
$ yum update cagefs
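An added example, not part of the advisory or of CloudLinux's own tooling: a small POSIX shell check that decides whether an installed CageFS package is at or past the fixed release 5.2-15 named above, so the yum update can be verified on a box or across a fleet rather than assumed. The version string is passed in as an argument (on a live CloudLinux host you would obtain it with rpm -q --qf '%{VERSION}-%{RELEASE}\n' cagefs). The comparison is a simplified component-wise numeric one that assumes the MAJOR.MINOR-RELEASE shape of the version strings in the advisory; it is not rpm's full epoch/version/release ordering. The versions in the demo loop are constructed sample values, not data read from a real host.

```shell
#!/bin/sh
# Added example, not code from the advisory or from CloudLinux.
# Checks whether an installed CageFS version is at or past the release that
# fixes R911-0108 (CageFS 5.2-15). Version strings are compared numerically,
# component by component, after splitting on '.' and '-'. This assumes the
# MAJOR.MINOR-RELEASE shape used in the advisory; it is not rpm's full
# epoch/version/release ordering.

FIXED_VERSION="5.2-15"

# version_ge A B: return 0 if A >= B, 1 if A < B, and 2 if either string is
# not made of digits, dots and dashes (for example rpm's
# "package cagefs is not installed" message), so garbage never reads as patched.
version_ge() {
    case "$1" in ''|*[!0-9.-]*) return 2 ;; esac
    case "$2" in ''|*[!0-9.-]*) return 2 ;; esac
    v1=$(printf '%s\n' "$1" | tr '.-' '\n\n')
    v2=$(printf '%s\n' "$2" | tr '.-' '\n\n')
    i=1
    while :; do
        c1=$(printf '%s\n' "$v1" | sed -n "${i}p")
        c2=$(printf '%s\n' "$v2" | sed -n "${i}p")
        # Both exhausted with no difference found: the versions are equal.
        [ -z "$c1" ] && [ -z "$c2" ] && return 0
        # A missing component counts as 0, so 5.2 compares equal to 5.2-0.
        c1=${c1:-0}
        c2=${c2:-0}
        [ "$c1" -gt "$c2" ] && return 0
        [ "$c1" -lt "$c2" ] && return 1
        i=$((i + 1))
    done
}

# cagefs_status VERSION: print a verdict; return 0 when patched, 1 otherwise
# (including when the version string could not be parsed).
cagefs_status() {
    if version_ge "$1" "$FIXED_VERSION"; then
        echo "cagefs $1: patched (>= $FIXED_VERSION)"
        return 0
    fi
    echo "cagefs $1: VULNERABLE to R911-0108 or unparsable; run: yum update cagefs"
    return 1
}

# Stand-alone demo on constructed sample versions (not read from a real host).
# On a live CloudLinux box, feed it the installed package instead:
#   cagefs_status "$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' cagefs)"
# A nonzero status from the vulnerable sample is expected and ignored here.
for v in 5.2-12 5.2-15 5.3-1; do
    cagefs_status "$v" || true
done
```

The unparsable-input branch is deliberate: a script that greps rpm output and treats "not installed" or an error message as "no vulnerable version found" would report a host as clean when the package state is unknown, which is the wrong default for an audit.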