Virtualizor - CSRF (Add Admin) Vulnerability - TopicsExpress

Virtualizor - CSRF (Add Admin) Vulnerability
--------------------------------------------------------------------------------

Type: CSRF (Add Admin)
Impact: High
Product: Virtualizor
Website: virtualizor/
Vulnerable Version: 2.2.9
Fixed Version: 2.3.0
CVE: -
Date: 2013-06-19

Product Description:
Virtualizor is a powerful web based VPS Control Panel. It supports OpenVZ, Xen PV, Xen HVM and Linux KVM virtualization. Admins can create a VPS on the fly by the click of a button. VPS users can start, stop, restart and manage their VPS using a very advanced web based GUI.

Vulnerability Description:
A CSRF (Cross Site Request Forgery) exists in the default settings of Virtualizor that would allow an attacker to create a new administrator account should a legitimate administrator view a website containing the malicious code.

Proof of Concept:
Due to the nature of this vulnerability, we will not be releasing a POC until a much later date after everyone has updated.

Impact:
We have deemed this vulnerability to be rated as HIGH due to the fact that a malicious user would be able to obtain administrative access.

Vulnerable Version:
This vulnerability was tested against Virtualizor v2.2.9.

Fixed Version:
This vulnerability was fixed in Virtualizor v2.3.0.

Vendor Contact Timeline:
2013-05-21: Vendor contacted via email.
2013-05-22: Vendor confirms vulnerability.
2013-06-13: Vendor issues 2.3.0 update.
2013-06-19: Rack911 issues security advisory.
Posted on: Thu, 20 Jun 2013 02:04:27 +0000
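The advisory describes the class of bug without a PoC: a state-changing "add admin" handler that trusts the browser's session cookie alone, so a form submitted from another site by a logged-in admin's browser succeeds. The example below is an added, hypothetical illustration (not Virtualizor's code; the handler, session model, origin `https://panel.example.test` and request shapes are all assumed) showing that pre-fix behaviour beside a hardened handler that binds a synchronizer token to the session and checks the Origin/Referer header.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

PANEL_ORIGIN = "https://panel.example.test"  # assumed panel origin, not a real host
admins: set = set()                           # stand-in for the panel's admin table


@dataclass
class Session:
    """Hypothetical server-side session for an authenticated panel admin."""
    user: str
    # Per-session synchronizer token; never sent in a cookie, only embedded in forms.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    """Minimal stand-in for an HTTP request; headers and form are constructed samples."""
    method: str
    headers: dict
    form: dict
    session: Optional[Session] = None  # resolved from the cookie the browser attached


def add_admin_unprotected(req: Request) -> bool:
    """Pre-fix behaviour: any authenticated POST creates an admin. A cross-site
    form auto-submitted in the admin's browser carries the session cookie, so
    it is indistinguishable from a legitimate submission and succeeds."""
    if req.method != "POST" or req.session is None:
        return False
    admins.add(req.form["username"])
    return True


def add_admin_protected(req: Request) -> bool:
    """Hardened handler: reject cross-origin requests when the browser says
    where they came from, and always require the session-bound token."""
    if req.method != "POST" or req.session is None:
        return False
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin and origin != PANEL_ORIGIN and not origin.startswith(PANEL_ORIGIN + "/"):
        return False  # browser reports a foreign origin
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, req.session.csrf_token):
        return False  # missing or wrong token: a foreign page cannot read it
    admins.add(req.form["username"])
    return True
```

The Origin check alone is not enough (older clients and some proxies omit the header), which is why the token check runs unconditionally.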
