@sedrubal
Last active April 19, 2017 06:37
WHMCS Reseller Module V2 for Softaculous Virtualizor Privilege Escalation

Security Advisory for CVE-2017-6513

CVE ID: CVE-2017-6513: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6513

Dates

  • 2017-03-06 01:00 CET: Sebastian discovered the vulnerability while using the software provided by IP Interactive UG and tried to estimate the consequences of the issue.
  • 2017-03-06 02:00 CET: Sebastian contacted IP Interactive UG, because he thought it was an issue in their specific installation.
  • 2017-03-06 before 14:15 CET: IP Interactive UG contacted Softaculous and received a patch for the issue. They reported this to Sebastian, and the issue could no longer be reproduced.
  • 2017-03-06 14:20 CET: During a discussion with Julian we found out that this issue needs a CVE ID and a public announcement. Sebastian tried to gather information: he asked IP Interactive UG and tried to install the software locally.
  • 2017-03-06 17:00 CET: First contact with Softaculous.
  • 2017-03-06 18:45 CET: Sebastian requested a CVE ID. He received the ID CVE-2017-6513 at 20:30.
  • 2017-03-08 12:00 CET: First response from Softaculous. They confirmed the issue.
    • Sebastian polled for more information over the next days.
    • They agreed to the publication of a CVE but asked to wait until the cause of the issue was fixed.
    • They helped fill out the CVE by requesting changes to the draft.
  • 2017-03-10 16:30 CET: Softaculous granted a bounty of $100.
  • 2017-03-10: Softaculous released an updated version of the WHMCS Module for Resellers V2.
  • 2017-04-11: Sebastian published the CVE and the security advisory.

Description

The WHMCS Reseller Module V2 2.0.2 for Softaculous Virtualizor does not verify API calls correctly, which allows remote authenticated users to gain access to the VPS instances of other users under the same reseller by accessing a modified URL.

Vulnerability Type

Incorrect Access Control

Vendor of Product

Softaculous

Prerequisites

(Note: This is only possible with the WHMCS Reseller Module, not with the normal WHMCS Module.)

Proof of Concept

Description by the developer:

When the [WHMCS v2 Reseller] module loads the enduser panel in WHMCS after a VPS is provisioned, at that time we [Virtualizor] load it using API calls. For example, we load the panel in an iframe using the following URL: src = clientsservices.php?vapi_mode=1&userid=USERID&id=ORDERID&give=index.html#act=vpsmanage

The above URL is responsible for getting the enduser panel for that VPS for the logged-in user. So users are allowed to access only the vpsmanage wizard.

Now when you try to access the above URL in a new tab as follows: WHMCS_URL/admin/clientsservices.php?vapi_mode=1&userid=USERID&id=ORDERID&give=index.html

It was showing the listvs page, which was causing the issue, so that users were able to access the VPS of other users as well and perform actions on their VPS.

Additional information by the discoverer:

Screenshot: the view to manage your VPS (the management interface for users, which includes the iframe).

Screenshot: the view listing all VPSes, even those of other users (the list of all VPS instances of a reseller).

You can now edit (e.g. root password) or delete other VPS instances of the same reseller.
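The behaviour described above, modelled as an added example that is not code from this gist or from Softaculous/WHMCS: a handler that leaves the view selection to the client-side `#act=...` fragment, beside a hardened handler that decides the action server-side against an allowlist and checks that the order belongs to the logged-in user. The function names, the order table and the VPS names are constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: two end users of the same reseller, one order each.
ORDERS = {
    "501": {"owner": "7", "vps": "vps-alice"},
    "502": {"owner": "8", "vps": "vps-bob"},
}
RESELLER_VPS = [o["vps"] for o in ORDERS.values()]

# Views an end user may reach through the panel; anything else is denied.
END_USER_ACTIONS = {"vpsmanage"}


def _query(url):
    """Parameters the server actually receives: the fragment is never sent."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def vulnerable_panel(url, session_user):
    """Reported behaviour (hypothetical model): the server returns the full
    reseller panel and the view is chosen client-side from '#act=...'.
    Leaving the fragment out lands on the reseller-wide 'listvs' page, and
    nobody checks who owns which VPS (session_user is ignored)."""
    fragment = {k: v[0] for k, v in parse_qs(urlsplit(url).fragment).items()}
    view = fragment.get("act", "listvs")
    q = _query(url)
    if view == "vpsmanage" and q.get("id") in ORDERS:
        return {"view": "vpsmanage", "vps": [ORDERS[q["id"]]["vps"]]}
    return {"view": "listvs", "vps": list(RESELLER_VPS)}


def hardened_panel(url, session_user):
    """Fix: the action is decided server-side against an allowlist, userid
    must equal the authenticated session user, and the order must be theirs."""
    q = _query(url)
    act = q.get("act", "vpsmanage")
    if act not in END_USER_ACTIONS:
        return {"view": "forbidden", "vps": []}
    if q.get("userid") != session_user:
        return {"view": "forbidden", "vps": []}
    order = ORDERS.get(q.get("id"))
    if order is None or order["owner"] != session_user:
        return {"view": "forbidden", "vps": []}
    return {"view": "vpsmanage", "vps": [order["vps"]]}


if __name__ == "__main__":
    url = "clientsservices.php?vapi_mode=1&userid=7&id=501&give=index.html"
    print(vulnerable_panel(url, "7"))   # listvs with every VPS of the reseller
    print(hardened_panel(url, "7"))     # vpsmanage with vps-alice only
```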

Solution

Update to the latest version of WHMCS Module for Resellers V2: http://virtualizor.com/wiki/WHMCS_Module_for_Resellers_V2#Download

There was also a temporary patch for enduser.php in Virtualizor to avoid this issue, but you should upgrade the WHMCS Module for Resellers V2 anyway, because this temporary quick fix will be removed.

Developers told me:

This was not a bug in Virtualizor, but to prevent this we released the quick fix so that those who have not updated the module do not face the issue.

Users who have set the preference to auto update for stable will have the new version installed automatically. They will get an email notification that the new version is available. We also post on our blog and forum to let users know about the new version released. Blog: http://www.virtualizor.com/blog

Attack Type

Remote

Impact

Escalation of Privileges

Reference

CVSS Base Score

8.7 (CVSS v2 vector: AV:N/AC:L/Au:S/C:P/I:C/A:C)

Discoverer

Sebastian

Credits

  • Oliver Dzombic (IP Interactive UG): He helped to find the cause of the issue and directed me to Softaculous
  • Julian Neureuther: He supported me during the CVE process

Thanks to MITRE, OSVDB, Red Hat, Debian, NVD and many more for providing documentation and infrastructure to fill out such security advisories.
