A vulnerability has been discovered in cPanel’s WebHost Manager reseller control panel, which could be exploited to allow malicious users to run some commands as root (superuser).

The exploit affects a feature in WebHost Manager through which resellers can let their users retrieve lost or forgotten passwords via email. The setting, found in WebHost Manager in the “Tweak Settings” section, “is built into all compiled cPanel binaries and as such can not be patched,” according to an advisory on the BugTraq mailing list, which includes instructions on addressing the vulnerability.

cPanel is found on about 1.4 million hostnames worldwide. The software is widely used by many large hosting companies, especially those offering dedicated servers. Its user-friendly interface automates many elements of web site management for resellers and customers. The issue affects versions up to 9.1.0 build 34. All builds released after that have been fixed.