
cPanel TSR 2014-0002 Full Disclosure

Discussion in 'cPanel Announcements' started by cPanelCory, Feb 14, 2014.

  1. cPanelCory

    cPanel TSR 2014-0002 Full Disclosure

    Case 89985

    Summary

    Disclosure of cpanel-horde's MySQL password due to world-readable backups.

    Security Rating

    cPanel has assigned a Security Level of Important to this vulnerability.

    Description

    During the upgrade to Horde 5 on 11.42 systems, a backup tarball of the existing Horde configuration files is created. This backup tarball was created in a world-accessible directory with world-readable permissions, allowing local accounts to see the MySQL password for the shared cpanel-horde user.

    Credits

    This issue was discovered by Rack911.

    Solution

    This issue is resolved in the following builds:
    11.42.0.6

    For the PGP-signed message, see cpanel.net/wp-content/uploads/2014/02/TSR-2014-0002-Full-Disclosure.txt .
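
The failure mode in the Description, next to a hardened way of writing the same backup and a permission check that tells them apart. This is an added example, not part of the advisory and not cPanel's code; the function names, directory layout and sample config line are constructed for illustration.

```python
import os
import stat
import tarfile
import tempfile

def backup_weak(src, dest_dir):
    """Failure mode: the archive's mode is left to the umask (022 gives 0644)."""
    old = os.umask(0o022)  # common default, pinned so the demo is deterministic
    try:
        path = os.path.join(dest_dir, "config-backup.tar.gz")
        with tarfile.open(path, "w:gz") as tar:
            tar.add(src, arcname="config")
    finally:
        os.umask(old)
    return path

def backup_hardened(src, dest_dir):
    """Private directory, and the file is created 0600 before any data is written."""
    os.makedirs(dest_dir, mode=0o700, exist_ok=True)
    os.chmod(dest_dir, 0o700)  # enforce the mode even if the directory already existed
    path = os.path.join(dest_dir, "config-backup.tar.gz")
    # O_EXCL refuses to reuse a file someone else pre-created at this path.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh, tarfile.open(fileobj=fh, mode="w:gz") as tar:
        tar.add(src, arcname="config")
    return path

def exposure(path):
    """List the ways other local accounts could reach this archive.
    Simplification: only the immediate parent directory is checked."""
    findings = []
    if stat.S_IMODE(os.stat(path).st_mode) & stat.S_IROTH:
        findings.append("archive is world-readable")
    parent = os.path.dirname(os.path.abspath(path))
    if stat.S_IMODE(os.stat(parent).st_mode) & stat.S_IXOTH:
        findings.append("parent directory is world-accessible")
    return findings

def demo():
    """Build both backups from a constructed config file and audit each one."""
    with tempfile.TemporaryDirectory() as root:
        src = os.path.join(root, "src")
        os.mkdir(src)
        with open(os.path.join(src, "conf.php"), "w") as f:
            f.write("$conf['sql']['password'] = 'CONSTRUCTED-SAMPLE';\n")
        public = os.path.join(root, "public")
        os.mkdir(public)
        os.chmod(public, 0o755)  # stands in for the world-accessible directory
        private = os.path.join(root, "private")
        return exposure(backup_weak(src, public)), exposure(backup_hardened(src, private))
```
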
     