WHMReseller


| # | VER | L/R | AUTH | S | REPORTED | TYPE | DESCRIPTION |
|---|-----|-----|------|---|----------|------|-------------|
| 01 | 3.20 | L | N | N | 06/07/2008 | permissions | local users could obtain login/pass of any acct created by whmreseller |
| 02 | 3.20 | L | Y | N | 07/04/2008 | shell invocation | resellers could execute commands as root |
| 03 | 3.20 | L | Y | N | 07/04/2008 | symlink | resellers could view any file on the box |
| 04 | 3.20 | L | N | N | 07/04/2008 | design issue | local users could obtain the password to the default "whmrback" acct |
| 05 | 3.20 | R | N | N | 07/??/2008 | design issue | "whmrback" account predictable password |
| 06 | 3.304 | L | N | N | 12/??/2008 | permissions | any local user could execute commands as root |




Trivial: very minor issues
Low: XSS, info leaks
Medium: destructive actions, access others' accounts
High: local root (auth required), /root/.accesshash, /etc/shadow access
Less Critical: local root (no auth required)
Critical: remote root (no auth required)

L/R: Local/Remote
Auth: Authentication required
S: Bug found via source code review