cPanel 11.24.7-BETA_35691 - resellers can create root owned accounts



DESCRIPTION


When a reseller creates an account, the new account is owned by that reseller. There existed a flaw where, if a reseller created multiple accounts in rapid succession, 1 or more of those accounts would be owned by the root reseller, and not the actual reseller who created the account. This was tested by issuing 3 requests to /scripts5/wwwacct from within 3 separate tabs of a browser, with each request being made about 1 second apart. It did not work if the requests were made near simultaneously. You had to wait about 1 second before making the next. This worked about 50% of the time.



IMPACT


A reseller who created an account which is not associated with their own reseller account was able to effectively create a backdoor for accessing the server in the future. I don't remember what the logs looked like when this happened (/usr/local/cpanel/logs/{access_log,error_log} and /var/cpanel/accounting.log). I *think* the access_log showed that the user on the account creation line was "root". I do remember seeing that for a bug I was working on around this time.