RVSkin - Privilege Escalation Vulnerability

Started by Kailash, June 25, 2013, 10:38:55 AM

Kailash

Quote:

Type: Privilege Escalation
Impact: Medium
Product: RVSkin
Website: http://www.rvskin.com
Vulnerable Version: v10.77
Fixed Version: v10.78
CVE: -
Date: 2013-06-24
Reported By: http://www.rack911.com

Product Description:

RVSkin is an advanced skin for use in a web server control panel. The skin software provides multi-language, multi-theme, and many intelligent features to bring you a unique interface that differentiates your business.

Vulnerability Description:


There is a privilege escalation present in RVSkin due to incorrect environment handling within the rvwrapper binary that allows an attacker to modify other cPanel accounts. This flaw is allowed to exist because rvwrapper is SUID to securervskin which can read the root WHM access key.

Proof of Concept:

Due to the nature of this vulnerability we will not be disclosing the exploit until a later date.

Impact:

We have deemed this vulnerability to be rated as MEDIUM due to the fact that users can make unauthorized changes to other cPanel accounts.

Vulnerable Version:

This vulnerability was tested against RVSkin v10.77 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in RVSkin v10.78.

This vulnerability was reported by Rack911.
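The advisory attributes the flaw to incorrect environment handling in a SUID binary. As an added illustration (not RVSkin's code and not part of the original advisory), this is the usual hardening for that class of bug: a setuid wrapper builds its environment from scratch instead of trusting the caller's. The function names, the `LANG`/`LC_ALL` allowlist and the fixed `PATH` value are assumptions chosen for the example.

```c
#include <string.h>

/* Fixed search path: never inherit PATH from the unprivileged caller. */
static const char SAFE_PATH[] = "PATH=/usr/bin:/bin";
/* Names allowed through (illustrative allowlist, an assumption). */
static const char *const ALLOWED[] = { "LANG", "LC_ALL", NULL };

/* Accept short values of [A-Za-z0-9_.-] only: no '/', no "..", no shell syntax. */
static int value_is_safe(const char *v)
{
    size_t n = strlen(v);
    if (n == 0 || n > 64 || strstr(v, "..")) return 0;
    for (; *v; v++)
        if (!((*v >= 'a' && *v <= 'z') || (*v >= 'A' && *v <= 'Z') ||
              (*v >= '0' && *v <= '9') || *v == '_' || *v == '.' || *v == '-'))
            return 0;
    return 1;
}

/* 1 if out[0..n) already holds a "NAME=" entry for this name. */
static int already_set(const char *out[], size_t n, const char *name, size_t klen)
{
    for (size_t i = 0; i < n; i++)
        if (strncmp(out[i], name, klen) == 0 && out[i][klen] == '=') return 1;
    return 0;
}

/* Build a NULL-terminated environment from scratch; returns the entry count.
 * Everything not allowlisted (LD_PRELOAD, IFS, caller PATH, ...) is dropped,
 * and a repeated name keeps only its first safe occurrence. */
size_t build_clean_env(char *const in[], const char *out[], size_t cap)
{
    size_t n = 0;
    if (cap < 2) return 0;
    out[n++] = SAFE_PATH;
    for (size_t i = 0; in && in[i]; i++) {
        const char *eq = strchr(in[i], '=');
        size_t klen = eq ? (size_t)(eq - in[i]) : 0;
        for (size_t a = 0; eq && ALLOWED[a]; a++)
            if (strlen(ALLOWED[a]) == klen && !strncmp(in[i], ALLOWED[a], klen) &&
                value_is_safe(eq + 1) && !already_set(out, n, in[i], klen) &&
                n + 1 < cap)
                out[n++] = in[i];
    }
    out[n] = NULL;
    return n;
}
```

A setuid wrapper would call `build_clean_env(environ, clean, cap)` before doing any other work and hand `clean` to `execve()` rather than letting a child inherit the caller's environment.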