The Community Forums

cPanel TSR 2014-0002 Full Disclosure

Discussion in 'cPanel Announcements' started by cPanelCory, Feb 14, 2014.

  1. cPanelCory

    cPanelCory Developer - cPanel Security Team
    Staff Member


    Case 89985

    Summary

    Disclosure of cpanel-horde's MySQL password due to world-readable backups.

    Security Rating

    cPanel has assigned a Security Level of Important to this vulnerability.

    Description

    During the upgrade to Horde 5 on 11.42 systems, a backup tarball of the existing Horde configuration files is created. This backup tarball was created in a world-accessible directory with world-readable permissions, allowing local accounts to see the MySQL password for the shared cpanel-horde user.

    Credits

    This issue was discovered by Rack911.

    Solution

    This issue is resolved in the following builds:
    11.42.0.6

    For the PGP-signed message, see cpanel.net/wp-content/uploads/2014/02/TSR-2014-0002-Full-Disclosure.txt .
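The file-permission problem described in the advisory, shown as an added Python example (not cPanel's code or fix): a backup archive written world-readable into a shared directory, next to a hardened form that creates the file as 0600 inside an owner-only directory. All function names, file names and the sample secret are constructed for illustration.

```python
import os, stat, tarfile, tempfile

def backup_insecure(src_dir, dest_dir):
    """Weak pattern: archive written with world-readable mode in a shared directory."""
    path = os.path.join(dest_dir, "config-backup.tar")
    with tarfile.open(path, "w") as tar:
        tar.add(src_dir, arcname="config")
    os.chmod(path, 0o644)  # make the weak mode explicit, whatever the caller's umask
    return path

def backup_private(src_dir, dest_dir):
    """Hardened pattern: owner-only directory, file created 0600 before data is written."""
    private = os.path.join(dest_dir, "private")
    os.mkdir(private, 0o700)
    path = os.path.join(private, "config-backup.tar")
    # O_EXCL refuses a pre-existing file or symlink; the mode applies at creation time.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh, tarfile.open(fileobj=fh, mode="w") as tar:
        tar.add(src_dir, arcname="config")
    return path

def other_can_read(path, top):
    """True if 'other' may read the file and traverse each directory from top down to it."""
    if not os.stat(path).st_mode & stat.S_IROTH:
        return False
    top = os.path.abspath(top)
    d = os.path.dirname(os.path.abspath(path))
    while d != top and d.startswith(top):
        if not os.stat(d).st_mode & stat.S_IXOTH:
            return False
        d = os.path.dirname(d)
    return bool(os.stat(top).st_mode & stat.S_IXOTH)

def demo():
    """Build a constructed config tree and compare both backup patterns."""
    top = tempfile.mkdtemp()
    os.chmod(top, 0o755)  # stand-in for a world-accessible directory
    src = os.path.join(top, "src")
    os.mkdir(src)
    with open(os.path.join(src, "db.conf"), "w") as fh:
        fh.write("password=CONSTRUCTED-EXAMPLE\n")  # constructed sample secret
    weak = backup_insecure(src, top)
    safe = backup_private(src, top)
    return other_can_read(weak, top), other_can_read(safe, top), stat.S_IMODE(os.stat(safe).st_mode)

if __name__ == "__main__":
    print(demo())
```

The same `other_can_read` check can be pointed at any existing backup location to confirm that archives holding credentials are not readable by other local accounts.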
     