Vulnerability

Affected software: CloudLinux phpselector for DirectAdmin, unknown version (old vulnerability from around 2017, I no longer have original report)

CloudLinux CageFS can be bypassed by inserting commands to execute in phpselector input names.

Phpselector includes /usr/local/directadmin/plugins/new_lvemanager/admin/phpselector/Selector.class.php, which contains the following line:

$result = self::CommandExecute('/usr/bin/selectorctl -i php -r '.$ExtList.' -u '.$this->UserName.' -v '.$version.' 2>&1',true,true);

$ExtList variable can be manipulated by changing input names in phpselector extensions editor. It can be achieved using browser developer tools, just inspect checkbox for any extension and edit input name like this:

<input name="cbx_zip; ;ls -l /home; exit 1;" title="This extension lets reading compressed ZIP archives and writing into them easily" type="checkbox" checked="checked">

After saving extensions configuration, command result will be displayed in a popup:

Solution

Update phpselector to unaffected version.

Timeline

Unknown (old vulnerability from around 2017, I no longer have original report, it was fixed around 2017).