WHMAutoPilot2520.txt

WHMAutoPilot2520.txt
Posted Nov 20, 2005
Authored by Agna Zilchi

A vulnerability leading to unauthorized cancellation requests in WHM AutoPilot versions 2.5.20 and below has been discovered.

tags | advisory
SHA-256 | 2ad2b040e6222ebcf0eab5e45ad775907734a840167b49cdfdcc6a95a13c1585

Title: WHM AutoPilot: Unauthorized hosting account cancellation request
Access: Remote
Product: WHM AutoPilot (http://www.whmautopilot.com)
Severity: Moderately Low

Synopsis:
A vulnerability has been identified that allows the unauthorized filing
of hosting account cancellation requests.

Vulnerable: WHM AutoPilot <= 2.5.20
Unaffected: None

Background:
WHM AutoPilot is software meant to alleviate the troubles associated with
running a webhosting business, by offering automated integration with the
popular cPanel WHM and automated invoice generation and billing.

Description:
A vulnerability leading to unauthorized cancellation requests has been found.
The "c" GET parameter sent to /cancel_account.php carries a base64-encoded
integer, the ID of the hosting account to be cancelled. The script decodes that
ID and acts on it without verifying that the currently logged-in user owns the
account it refers to, so any authenticated user can name any account.
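The following is an added, illustrative reconstruction of the flaw, not WHM AutoPilot's own code: a minimal model of the cancel_account.php handler in Python, with the account table, session user names and the in-memory request queue all constructed for the example. It shows the vulnerable handler next to a hardened one in which the ownership check is keyed on the session's identity rather than on anything the client sent, and a decoder that rejects non-base64 or non-integer values for "c" instead of raising.

```python
"""
Illustrative reconstruction of the missing ownership check in
/cancel_account.php. Not the vendor's code; the account table, user names
and request queue below are constructed sample data for this example.
"""
import base64
import binascii

# Constructed sample data: hosting account ID -> owning user.
ACCOUNTS = {
    101: "alice",
    102: "bob",
    103: "carol",
}

# Constructed stand-in for the table the application would write
# cancellation requests into: (requesting user, account ID).
CANCELLATION_REQUESTS = []


def decode_account_id(c):
    """Decode the base64 "c" parameter into an integer account ID.

    Returns None for anything that is not valid base64 wrapping a decimal
    integer, so malformed input is rejected rather than raising.
    """
    try:
        raw = base64.b64decode(c, validate=True)
        return int(raw.decode("ascii"))
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def encode_account_id(account_id):
    """Build the "c" value the same way the application's own links would."""
    return base64.b64encode(str(account_id).encode("ascii")).decode("ascii")


def cancel_account_vulnerable(session_user, c):
    """Behaviour described in the advisory: the ID is decoded and used as-is,
    so any logged-in user can file a request against any account."""
    account_id = decode_account_id(c)
    if account_id is None or account_id not in ACCOUNTS:
        return "invalid account"
    CANCELLATION_REQUESTS.append((session_user, account_id))
    return "cancellation request filed"


def cancel_account_fixed(session_user, c):
    """Hardened handler: the decoded ID must belong to the session user.

    The owner lookup is driven by the server-side session identity, never by
    a client-supplied value, so editing "c" cannot widen what it reaches.
    """
    account_id = decode_account_id(c)
    if account_id is None or account_id not in ACCOUNTS:
        return "invalid account"
    if ACCOUNTS[account_id] != session_user:
        # Same response as for a nonexistent ID, so the reply does not
        # confirm which account IDs exist.
        return "invalid account"
    CANCELLATION_REQUESTS.append((session_user, account_id))
    return "cancellation request filed"


if __name__ == "__main__":
    # bob, using his own valid session, targets alice's account 101.
    forged = encode_account_id(101)
    print("vulnerable:", cancel_account_vulnerable("bob", forged))
    print("fixed, other user's account:", cancel_account_fixed("bob", forged))
    print("fixed, own account:", cancel_account_fixed("bob", encode_account_id(102)))
```

The only difference between the two handlers is the single comparison against the session user; everything else (decoding, existence check) is identical, which is why a reviewer reading the original script would not see the bug unless they asked where the ownership check lives.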

Impact:
An attacker with an account in a WHMAP installation could file cancellation
requests for hosting accounts that do not belong to the attacker's account.
In the worst case these cancellation requests would be processed by the
authority running WHMAP, and the targeted hosting accounts would be cancelled.

Workaround:
There is no known workaround at this time.

Resolution:
All WHMAP users should find alternative software to use for managing their
webhosting business. The consistent identification and 0-day disclosure of
vulnerabilities such as this and far worse only make systems running the
software viable targets for attack. A software package designed with security
in mind, by a developer with a track record including development related
jobs, would suffice.

Discovered: November 16, 2005
Vendor Notified: November 17, 2005
Public Release: November 17, 2005

Notes for Vendors:
You'd all do well to stop lying. The fact that you've read this disclosure
and applied a patch without notifying your customer base does not mean that
your software is suddenly more secure. The problem is fundamental. The
author is your enigma, and your customers' aide.

WHM AutoPilot 3.0 has been privately released. The author has acquired a
copy, and disclosed thirteen immediately apparent vulnerabilities to a
private security mailing list. If in a major release (and as noted on the
homepage, a complete rewrite of the software), the mistakes repeated thus
far cannot be resolved, then your customer base must be informed of the
consequences of running your software, and for their own sakes seek out a
better alternative.

Author:
The author of this disclosure is and has been a security developer and
software engineer for a number of years, with a strong interest in low-level
systems and embedded applications development. She has a great dislike for
makeshift software, especially that which is developed by people who deem
themselves experts of the industries on their homepages.

Greets:
Yo, team.
