Zamfoo – Multiple Reseller Security Vulnerabilities
The Zamfoo software suite is a series of WHM plugin modules (also known as WHM addon modules) catered towards easing the burden of web hosting providers that sell shared hosting solutions using the cPanel and WHM hosting platform. Hundreds of companies use our software to create Alpha WHM and create Master WHM hosting accounts.
Due to a series of ACL failures and a failure to sanitize input, a malicious reseller can access the restore feature in Zamfoo and, by requesting a crafted URL, cause the software to execute commands as root.
Removal:

tar -xvf zamfoo_uninstaller.tar
chmod +x uninstall.cgi

Just to be sure:

rm -rf /usr/local/cpanel/whostmgr/docroot/cgi/zamfoo
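The two defects the advisory names (a missing ACL check and unsanitized input reaching a root-run command) are the same ones any WHM addon's restore handler has to avoid. The following is an added illustration, not Zamfoo's code and not Rack911's: a hypothetical restore handler with the unsafe pattern beside a hardened version. The account names, owner mapping, backup path and the account-name pattern are all constructed for the example.

```python
import re

# Constructed sample data: which reseller owns which hosting account.
# Hypothetical; the real plugin's data model is not described on the page.
ACCOUNT_OWNERS = {
    "alice": "reseller1",
    "bob": "reseller1",
    "carol": "reseller2",
}

BACKUP_DIR = "/backup/accounts"  # hypothetical backup location
# Strict allow-list for account names (cPanel-style short lowercase names).
ACCOUNT_NAME_RE = re.compile(r"[a-z][a-z0-9]{0,15}")


def unsafe_restore_command(account):
    """The pattern the advisory describes: the request parameter is dropped
    into a shell command string with no privilege check and no validation,
    so whatever the caller sends is handed to the root-run shell verbatim."""
    return f"tar -xzf {BACKUP_DIR}/{account}.tar.gz -C /home"


class RestoreDenied(Exception):
    """Raised when a restore request fails validation or the ACL."""


def safe_restore_argv(requester, is_root, account):
    """Return the argv list for a permitted restore, or raise RestoreDenied.

    1. Validate the account name against an allow-list pattern before it
       touches the filesystem or any command.
    2. Enforce the ACL: root may restore any account; a reseller may only
       restore accounts it owns. Unknown accounts are refused outright.
    3. Build argv as a list so no shell ever parses the value; the caller
       runs it with subprocess.run(argv) and never shell=True.
    """
    if not ACCOUNT_NAME_RE.fullmatch(account):
        raise RestoreDenied(f"invalid account name: {account!r}")
    owner = ACCOUNT_OWNERS.get(account)
    if owner is None:
        raise RestoreDenied(f"unknown account: {account!r}")
    if not is_root and owner != requester:
        raise RestoreDenied(f"{requester} does not own {account}")
    return ["tar", "-xzf", f"{BACKUP_DIR}/{account}.tar.gz", "-C", "/home"]


if __name__ == "__main__":
    print(safe_restore_argv("reseller1", False, "alice"))
    try:
        safe_restore_argv("reseller2", False, "alice")
    except RestoreDenied as exc:
        print("denied:", exc)
```

The ordering matters: validation runs before the ACL lookup so that a malformed name never reaches the owner table or the filesystem, and the ACL is evaluated on the server's own record of ownership rather than on anything the reseller supplied.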
Vendor Contact Timeline:
2013-05-31: Vendor contacted via email.
2013-06-03: Vendor contacted via email again.
2013-06-03: Vendor confirms vulnerability.
2013-06-13: Vendor contacted via email seeking update.
2013-06-13: Vendor states a patch is “to be” worked on.
2013-06-13: Rack911 issues warning to disable software.
2013-06-13: Vendor threatens to sue.
2013-06-15: Vendor issues patch two weeks from initial contact.
2013-06-17: RACK911 Labs issues a general security advisory.
1110 Palms Airport Drive, Suite 110
Las Vegas, NV 89119