WebhostSecurity.com
ARTICLES
› Lessons Learned - Defense
› Lessons Learned - Offense
› Finding Bugs 1 - Softaculous
› Finding Bugs 2 - cPanel + Horde
› uid/gid Reuse Multi Vendor Issue
› Finding the WordPress 2.1.1 Backdoor
› Discovering Cdorked.A on cPanel
OFFENSE
› AtMail
› BFD
› cPanel
› CSF
› DirectAdmin
› Installatron
› Juniper
› Kloxo
› OSSEC
› Softaculous
› WHMEZLogin
› WHMReseller
DEFENSE
› STFN - Suspicious /tmp File Notifier
› ELM - Exim Log Monitor
› RFID - Remote File Inclusion Detector
› Twitter


cPanel 10.9.x - world readable /etc/cron.hourly/modsecparse.pl allows any local user to obtain the password to the modsec database


DESCRIPTION

modsecparse.pl is a utility that comes with the cPanel mod_security addon. Its purpose is to place the modsec logs from /usr/local/apache/logs/audit_log into the /var/lib/mysql/modsec database, then truncate the audit_log. It runs from cron, via /etc/cron.hourly. On older cPanel builds it was installed with permissions of 0755, allowing any local user to obtain the database credentials.


[user1@host ~]$ ls -l /etc/cron.hourly/modsecparse.pl
-rwxr-xr-x 1 root root 6118 Aug  3 01:38 /etc/cron.hourly/modsecparse.pl*
[user@host ~]$ egrep 'db(host|name|user|password)' /etc/cron.hourly/modsecparse.pl
my $dbhost     = 'localhost';
my $dbuser     = 'modsec';
my $dbpassword = 'nt4apSBCDypC';
my $dbname     = 'modsec';
[user@host ~]$ mysql -u modsec -pnt4apSBCDypC modsec -s
mysql>


IMPACT

Local users could access and manipulate the modsec database, resulting in a loss of integrity of the stored data.


WebhostSecurity.com © 2009 - 2017