#1
    CloudLinux - CageFS (postmodifyacct) Input Validation Failure

    Type: Input Validation Failure
    Location: Remote
    Impact: High
    Product: CloudLinux
    Website: http://www.cloudlinux.com
    Vulnerable Version: CageFS 5.2-12
    Fixed Version: CageFS 5.2-15
    CVE: -
    R911: R911-0108
    Date: 2013-12-23
    By: Rack911
    Product Description:

    CloudLinux is a commercially supported Linux operating system interchangeable with CentOS. It includes kernel-level technology called LVE that allows you to control CPU and memory on a per-tenant basis. It is the basis for application-level virtualization. CloudLinux delivers advanced resource management, better security and performance optimizations specifically targeted at multi-tenant hosting environments.

    Vulnerability Description:

    Due to an input validation failure present within the postmodifyacct script for cPanel, it is possible for a malicious reseller to disable CageFS and perform other commands intended for an administrator.

    Proof of Concept:

    A POC may be provided at a later date.

    Impact:

    We have deemed this vulnerability to be rated as HIGH due to the fact that CageFS can be disabled.

    Vulnerable Version:

    This vulnerability was tested against CloudLinux CageFS 5.2-12 and is believed to exist in all prior versions.

    Fixed Version:

    This vulnerability was patched in CloudLinux CageFS 5.2-15.

    Vendor Contact Timeline:

    2013-12-20: Vendor contacted via email.
    2013-12-21: Vendor confirms vulnerability.
    2013-12-23: Vendor issues update.
    2013-12-23: Rack911 issues security advisory.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
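Added example, not part of the advisory or of CloudLinux's own hook: the advisory only says the cPanel postmodifyacct script failed to validate its input, so the pattern below shows the allowlist check a /scripts/postmodifyacct-style hook should apply to its key=value arguments before any value reaches a privileged command. The argument format (user=NAME newuser=NAME ...) and the account-name rule (1 to 16 characters, lowercase letters and digits, starting with a letter) are assumptions for the illustration, not facts taken from the advisory or from cPanel's documentation.

```shell
# Added example: allowlist validation for cPanel-style hook arguments.
# Not the CageFS hook; the advisory does not show its contents.

# valid_user NAME: returns 0 if NAME looks like an acceptable account name.
# Assumed rule: 1-16 chars, [a-z0-9] only, first char a letter. Anything else
# (including ; | $ ` space, newline) is rejected by the bracket expression.
valid_user() {
    name=$1
    case "$name" in
        '')          return 1 ;;   # empty
        *[!a-z0-9]*) return 1 ;;   # character outside the allowlist
        [!a-z]*)     return 1 ;;   # must begin with a letter
    esac
    [ "${#name}" -le 16 ]
}

# hook_user_args ARG...: parses "user=NAME" / "newuser=NAME" arguments, prints
# the validated pairs separated by spaces, and returns 1 (printing nothing) on
# the first value that fails validation. Unknown keys are ignored, never trusted.
# The validated values are meant to be passed as separate argv words to the
# privileged tool ("$tool" --user "$val"), never spliced into a string that is
# later handed to sh -c or eval, which is the pattern that turns a bad
# account name into a command.
hook_user_args() {
    out=''
    for kv in "$@"; do
        key=${kv%%=*}
        val=${kv#*=}
        case "$key" in
            user|newuser)
                valid_user "$val" || return 1
                out="$out$key=$val "
                ;;
        esac
    done
    printf '%s' "${out% }"
}
```

Deny by default: a value that fails `valid_user` aborts the whole hook rather than being "cleaned up", because a reseller controls these fields through WHM and any character the allowlist does not cover has no business in an account name.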

#2
    To update:
    $ yum update cagefs
    REF: http://cloudlinux.com/blog/clnews/422.php
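Added example, not from the post above: after `yum update cagefs` it is worth confirming that the installed package really is at or above the fixed version 5.2-15 from the advisory, rather than trusting that yum found a mirror with the new package. The version comparison below handles VERSION-RELEASE strings such as 5.2-12 by comparing numeric segments; it assumes no epoch and treats any non-numeric segment (for example a trailing distribution tag) as 0, which is a simplification of rpm's own ordering, and `cagefs_status` only works where the rpm command is present.

```shell
# Added example: check that the installed cagefs package is at or above the
# fixed version named in the advisory. Not CloudLinux's own tooling.

FIXED_CAGEFS='5.2-15'   # from the advisory (Fixed Version)

# ver_ge A B: returns 0 if A >= B, comparing dot/dash separated segments
# numerically from left to right. Assumption: no epoch; a non-numeric segment
# such as "el6" counts as 0, so 5.2-15.el6 compares equal to 5.2-15.
ver_ge() {
    a=$(printf '%s' "$1" | tr '-' '.')
    b=$(printf '%s' "$2" | tr '-' '.')
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; [ "$ai" = "$a" ] && a='' || a=${a#*.}
        bi=${b%%.*}; [ "$bi" = "$b" ] && b='' || b=${b#*.}
        case "$ai" in ''|*[!0-9]*) ai=0 ;; esac
        case "$bi" in ''|*[!0-9]*) bi=0 ;; esac
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
    done
    return 0   # all segments equal
}

# cagefs_status: prints the installed cagefs VERSION-RELEASE and returns 0 if
# it is at or above FIXED_CAGEFS, 1 if it is older, 2 if rpm is unavailable
# or cagefs is not installed.
cagefs_status() {
    command -v rpm >/dev/null 2>&1 || return 2
    inst=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' cagefs 2>/dev/null) || return 2
    printf '%s\n' "$inst"
    ver_ge "$inst" "$FIXED_CAGEFS"
}
```

Usage: `cagefs_status && echo patched || echo "NOT patched (rc=$?)"` on the server after the update. The numeric comparison matters because a plain string compare would rank release 9 above release 15.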
