Title: WMH AutoPilot: Unauthorized hosting account cancellation request Access: Remote Product: WHM AutoPilot (http://www.whmautopilot.com) Severity: Moderately Low Synopsis: A vulnerability has been identified that allows the unauthorized filing of hosting account cancellation requests. Vulnerable: WHM AutoPilot <= 2.5.20 Unaffected: None Background: WHM AutoPilot is a software meant to alleviate the troubles associated with running a webhosting business, by offering automated integration with the popular cPanel WHM and automated invoice generation and billing. Description: A vulnerability leading to unauthorized cancellation requests has been found. The "c" GET variable sent to /cancel_account.php is not verified to ensure that the currently logged in user owns the account specified by the base 64 encoded integer value (the ID of the hosting account one wishes to cancel). Impact: An attacker with an account in a WHMAP installation could file cancellation requests for hosting accounts that do not belong to the attacker's account. In the worst case these cancellation requests would be processed by the authority running WHMAP, and the targeted hosting accounts would be cancelled. Workaround: There is no known workaround at this time. Resolution: All WHMAP users should find an alternative software to use for managing their webhosting business. The consistent identification and 0-day disclosure of vulnerabilities such as this and far worse only make systems running the software viable targets for attack. A software package designed with security in mind, by a developer with a track record including development related jobs, would suffice. Discovered: November 16, 2005 Vendor Notified: November 17, 2005 Public Release: November 17, 2005 Notes for Vendors: You'd all do well to stop lying. The fact that you've read this disclosure and applied a patch without notifying your customer base does not mean that your software is suddenly more secure. The problem is fundamental. The author is your enigma, and your customers' aide. WHM AutoPilot 3.0 has been privately released. The author has acquired a copy, and disclosed thirteen immediately apparent vulnerabilities to a private security mailing list. If in a major release (and as noted on the homepage, a complete rewrite of the software), the mistakes repeated thus far cannot be resolved, then your customer base must be informed of the consequences of running your software, and for their own sakes seek out a better alternative. Author: The author of this disclosure is and has been a security developer and software engineer for a number of years, with a strong interest in low-level systems and embedded applications development. She has a great dislike for makeshift software, especially that which is developed by people who deem themselves experts of the industries on their homepages. Greets: Yo, team. -- _______________________________________________ Check out the latest SMS services @ http://www.linuxmail.org This allows you to send and receive SMS through your mailbox. Powered by Outblaze _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/