Type: Symlink Attack Location: Local Impact: High Product: CloudFlare (cPanel Plugin) Website: http://www.cloudflare.com Vulnerable Version: 5.3.2 Fixed Version: 5.3.11 CVE: - R911: 0187 Date: 2016-01-15
Product Description:
CloudFlare protects and accelerates any website online. Once your website is a part of the CloudFlare community, its web traffic is routed through our intelligent global network. We automatically optimize the delivery of your web pages so your visitors get the fastest page load times and best performance. We also block threats and limit abusive bots and crawlers from wasting your bandwidth and server resources. The result: CloudFlare-powered websites see a significant improvement in performance and a decrease in spam and other attacks.
Vulnerability Description:
Due to a carefully timed symlink attack directed at the cloudflare_data.yaml file, it is possible for a malicious user to change the permissions on any root owned file to 600 which could lead to the OS being disabled.
Impact:
We have deemed this vulnerability to be rated as HIGH due to the fact that should the malicious user target certain system files, such as /etc/passwd, it could render the OS inoperable.
Vulnerable Version:
This vulnerability was tested against CloudFlare (cPanel Plugin) v5.3.2 and is believed to exist in all prior versions.
Fixed Version:
This vulnerability was patched CloudFlare (cPanel Plugin) v5.3.11.
Vendor Contact Timeline:
2016-01-13: Vendor contacted via HackerOne.
2016-01-13: Vendor confirms vulnerability.
2016-01-14: Vendor issues update.
2016-01-15: RACK911 Labs issues security advisory.
How to Check the Latest Version of Cloudflare cPanel Plugin on Server
cat /usr/local/cpanel/etc/cloudflare.json | grep version
To Update the Cloudflare version
/usr/local/cpanel/bin/cloudflare_update.sh force
Soure : RACK911 Labs
If you’re new to web hosting, the idea of moving your website from one provider to another might sound intimidating.…
WooCommerce powers over 5 million online stores, and its true potential comes alive with plugins that enhance functionality. The right…
When you first launch a WordPress website, it comes with a theme that controls how your site looks and feels.…
Introduction Prime Minister Narendra Modi’s clarion call — “Make in India, Make for the World” — is not just a…
Customer support has always been the backbone of the web hosting industry. From helping users set up domains to troubleshooting…