cPanel TSR 2014-0003 Full Disclosure

Discussion in 'cPanel Announcements' started by cPanelCory, Mar 31, 2014.

    cPanelCory (Developer - cPanel Security Team, Staff Member)

    Case 85329

    Summary

    Sensitive information disclosed via multiple log files.

    Security Rating

    cPanel has assigned a Security Level of Moderate to this vulnerability.

    Description

    Several log files on cPanel & WHM systems were created with default world-readable permissions. These log files include both sensitive internal data such as stack traces and less sensitive information about the existence of other accounts and domains on the system.

    Credits

    This issue was discovered by Rack911.

    Solution

    This issue is resolved in the following builds:
    11.42.0.23
    11.40.1.13
    11.38.2.23

    Case 86337

    Summary

    Injection of arbitrary DNS zonefile contents via cPanel DNS zone editors.

    Security Rating

    cPanel has assigned a Security Level of Important to this vulnerability.

    Description

    The cPanel interface provides restricted interfaces for modifying aspects of the DNS zones that belong to a cPanel account. A malicious cPanel account could use crafted inputs to the simple and advanced DNS zone editor interfaces to rewrite parts of the zone files that they are normally restricted from editing. With some inputs, this could disclose the contents of sensitive files on the system.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.42.0.23
    11.40.1.13
    11.38.2.23

    Case 86465

    Summary

    Insufficient ACL checks in WHM Modify Account interface.

    Security Rating

    cPanel has assigned a Security Level of Moderate to this vulnerability.

    Description

    Within WHM's "Modify Account" interface and associated xml-api commands, several settings for cPanel accounts could be altered with the "edit-account" reseller ACL rather than the more restrictive "all" ACL that is required in the dedicated interfaces for these settings. In particular, an account could be switched between the new and legacy backup systems, which should only be permissible by the root user.

    Credits

    This issue was discovered by Rack911.

    Solution

    This issue is resolved in the following builds:
    11.42.0.23
    11.40.1.13
    11.38.2.23

    Case 87205

    Summary

    Open redirect vulnerability in FormMail-clone.

    Security Rating

    cPanel has assigned a Security Level of Minor to this vulnerability.

    Description

    cPanel & WHM servers include a clone of the classic FormMail.pl script. This clone includes the ability to redirect the browser after successful form submission to a URL included in the browser supplied parameters. These redirects are now restricted to HTTP and HTTPS locations that are on the server.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.42.0.23
    11.40.1.13
    11.38.2.23

    Case 87873

    Summary

    Multiple format string vulnerabilities in Cpanel::API::Fileman.

    Security Rating

    cPanel has assigned a Security Level of Moderate to this vulnerability.

    Description

    Error messages in Cpanel::API::Fileman were being generated using Locale::Maketext::maketext(). These errors were then added to a Cpanel::Result object using the error() method, which also performs maketext() interpolation on its inputs. With carefully crafted inputs, an authenticated attacker could utilize these format string flaws to execute arbitrary code using maketext() bracket notation.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.42.0.23
    11.40.1.13

    Case 88577

    Summary

    Arbitrary file overwrite via trackupload parameter.

    Security Rating

    cPanel has assigned a Security Level of Important to this vulnerability.

    Description

    The trackupload functionality in cPanel & WHM's default POST parameter and QUERY_STRING processor module allows a log file to be written and queried while a file upload is occurring. In some contexts, an authenticated attacker could make cpsrvd create the trackupload log file inside the user's home directory while running with the effective UID of root. By combining this with a symlinked trackupload log file target, any file on the system could be overwritten.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.42.0.23
    11.40.1.13
    11.38.2.23

    Case 88793

    Summary

    External XML entity injection in WHM locale upload interface.

    Security Rating

    cPanel has assigned a Security Level of Important to this vulnerability.

    Description

    The XML parser used by WHM for XLIFF and dumper-format XML locale file uploads allowed the processing of external XML entities. This would permit resellers with the 'locale-edit' ACL to reference arbitrary files on the system as external entities in an XLIFF translation upload and retrieve the target file by downloading the translation. All external XML entity processing in the translation system's handling of XML files is now disabled.

    Credits

    This issue was discovered by Prajith from NdimensionZ Solutions Pvt Ltd.

    Solution

    This issue is resolved in the following builds:
    11.42.0.23
    11.40.1.13
    11.38.2.23

    Case 88961

    Summary

    Arbitrary code execution for ACL limited resellers via WHM Activate Remote Nameservers interface.

    Security Rating

    cPanel has assigned a Security Level of Important to this vulnerability.

    Description

    Resellers with the 'clustering' ACL could send crafted parameters with newlines to the WHM /cgi/activate_remote_nameservers.cgi script and inject unsanitized values in the DNS clustering credential storage system. These unsanitized parameters could include code injections that would run with root's effective UID or parameters intended to disclose root's accesshash credentials to systems under the reseller's control.

    Credits

    This issue was discovered by Rack911.

    Solution

    This issue is resolved in the following builds:
    11.42.0.23
    11.40.1.13
    11.38.2.23

    Case 89377

    Summary

    Arbitrary code execution for ACL limited resellers via WHM objcache.

    Security Rating

    cPanel has assigned a Security Level of Important to this vulnerability.

    Description

    A flaw in the hostname input sanitization of WHM's objcache functionality could be used by malicious resellers with limited ACLs to download Template Toolkit code of their choosing into the WHM objcache storage system. The malicious Template Toolkit code would subsequently execute with EUID 0 during the processing of WHM News.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.42.0.23
    11.40.1.13
    11.38.2.23

    Case 89733

    Summary

    Injection of arbitrary data into cpuser configuration files via wwwacct.

    Security Rating

    cPanel has assigned a Security Level of Important to this vulnerability.

    Description

    The WHM /scripts5/wwwacct interface allowed arbitrary values to be set for the 'owner' parameter during new account creation by resellers with the 'create-acct' ACL. By supplying values with newlines, resellers could control all fields in the newly created account's cpuser configuration file.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.42.0.23
    11.40.1.13
    11.38.2.23

    Case 89789

    Summary

    Arbitrary code execution for ACL limited resellers via batch API.

    Security Rating

    cPanel has assigned a Security Level of Important to this vulnerability.

    Description

    The WHM XML-API allows for multiple commands to be combined into one call via the 'batch' command. Some aspects of the execution environment for one command in a batch persisted in the execution of subsequent commands. By leveraging failures of a preceding command, a malicious authenticated reseller could execute arbitrary code as the root user in subsequent commands in the batch.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.42.0.23
    11.40.1.13
    11.38.2.23

    Case 90001

    Summary

    Sensitive information disclosed via update-analysis tarballs.

    Security Rating

    cPanel has assigned a Security Level of Important to this vulnerability.

    Description

    The cPanel & WHM update-analysis system aggregates log files and system settings into a tarball that is sent to cPanel's log processing servers. This opt-in service allows cPanel to detect trends in the errors that cPanel & WHM systems encounter. The tarballs generated by the update-analysis system are retained on the local file system, with 0644 permissions, inside a world-accessible directory and include copies of several sensitive log files. This allowed local users to view the sensitive data contained inside.

    Credits

    This issue was discovered by Rack911.

    Solution

    This issue is resolved in the following builds:
    11.42.0.23
    11.40.1.13
    11.38.2.23

    Case 90265

    Summary

    Open mail relay via injection of FormMail-clone parameters.

    Security Rating

    cPanel has assigned a Security Level of Important to this vulnerability.

    Description

    cPanel & WHM servers include a clone of the classic FormMail.pl script. Incorrect filtering of the 'subject' parameter supplied to this script allowed arbitrary mail headers to be injected into the email message. This flaw bypassed any recipient restrictions and allowed FormMail-clone to be used as an open mail relay.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.42.0.23
    11.40.1.13
    11.38.2.23

    Case 91741

    Summary

    Arbitrary code execution via backup excludes.

    Security Rating

    cPanel has assigned a Security Level of Important to this vulnerability.

    Description

    Entries in a user's cpbackup-exclude.conf file are evaluated in an unsafe manner during the nightly account backup process. By carefully crafting these entries, a malicious local account could execute arbitrary code as the root user during nightly backups under some circumstances.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.42.0.23
    11.40.1.13
    11.38.2.23

    Case 92449

    Summary

    User .my.cnf files set to world readable during upcp.

    Security Rating

    cPanel has assigned a Security Level of Important to this vulnerability.

    Description

    The script '/scripts/fixmysqlpasswordopt' is run one time by upcp during an upgrade from cPanel & WHM version 11.38 to version 11.40. This script was intended to convert users' .my.cnf files to use the formatting required by MySQL 5.5. During the conversion, the permissions on some users' .my.cnf files could be changed to world-readable. In combination with other common attacks, this could disclose the user's MySQL password to other accounts on the system.

    Credits

    This issue was discovered by Curtis Wood.

    Solution

    This issue is resolved in the following builds:
    11.42.0.23
    11.40.1.13

    Case 92489

    Summary

    SSH private key disclosure during key import process.

    Security Rating

    cPanel has assigned a Security Level of Important to this vulnerability.

    Description

    When the 'extract_public' option was specified to the 'importsshkey' WHM XML-API call, the provided private key was written to a world-readable temporary file. This allowed any user on the system to read the uploaded key.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.42.0.23
    11.40.1.13
    11.38.2.23

    Case 94201

    Summary

    Insufficient validation allows password reset of arbitrary users.

    Security Rating

    cPanel has assigned a Security Level of Critical to this vulnerability.

    Description

    cPanel & WHM systems contain optional functionality that allows cPanel accounts to reset their passwords from the cPanel login screen. When a user requests a password reset in this fashion, an email is sent to the user's configured email address. The user must then navigate to a URL provided in the email to perform the password reset. A flaw in the validation of the 'user' parameter to the password reset interface allowed unauthenticated remote attackers to reset an account's password and cause the reset email to be delivered to an email address of the attacker's choosing.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.42.0.23
    11.40.1.13
    11.38.2.23

    Multiple Cases (30)

    Summary

    Multiple XSS vulnerabilities in various interfaces.

    Description

    Output filtering errors in several different interfaces allowed JavaScript inputs to be returned to the browser without proper filtering. The affected interfaces are listed below.

    Case: 88465
    Security Rating: Minor
    XSS Type: Self
    Interface: WHM
    URLs: /scripts9/upload_locale
    Affected Releases: 11.42.0, 11.40.1, 11.38.2
    Reporter: Ernesto Martin

    Case: 88469
    Security Rating: Minor
    XSS Type: Self-stored
    Interface: WHM
    URLs: /scripts/backupconfig
    Affected Releases: 11.42.0, 11.40.1, 11.38.2
    Reporter: Ernesto Martin

    Case: 88473
    Security Rating: Minor
    XSS Type: Self
    Interface: cPanel
    URLs: /fetchsystembranding, /fetchglobalbranding, /fetchyoursbranding
    Affected Releases: 11.42.0, 11.40.1, 11.38.2
    Reporter: Ernesto Martin

    Case: 90213
    Security Rating: Minor
    XSS Type: Self
    Interface: WHM
    URLs: /scripts/passwdmysql
    Affected Releases: 11.42.0, 11.40.1, 11.38.2
    Reporter: cPanel Security Team

    Case: 90225
    Security Rating: Minor
    XSS Type: Self
    Interface: WHM
    URLs: /cgi/CloudLinux.cgi
    Affected Releases: 11.42.0, 11.40.1, 11.38.2
    Reporter: cPanel Security Team

    Case: 90249
    Security Rating: Minor
    XSS Type: Self
    Interface: WHM
    URLs: /cgi/live_restart_xferlog_tail.cgi
    Affected Releases: 11.42.0, 11.40.1, 11.38.2
    Reporter: cPanel Security Team

    Case: 90257
    Security Rating: Minor
    XSS Type: Self
    Interface: WHM
    URLs: /scripts/dorootmail
    Affected Releases: 11.42.0, 11.40.1, 11.38.2
    Reporter: cPanel Security Team

    Case: 90261
    Security Rating: Important
    XSS Type: Stored
    Interface: WHM
    URLs: /cgi/sshcheck.cgi
    Affected Releases: 11.42.0, 11.40.1, 11.38.2
    Reporter: cPanel Security Team

    Case: 90289
    Security Rating: Minor
    XSS Type: Self
    Interface: WHM
    URLs: /cgi/zoneeditor.cgi
    Affected Releases: 11.42.0, 11.40.1, 11.38.2
    Reporter: cPanel Security Team

    Case: 90753
    Security Rating: Minor
    XSS Type: Self
    Interface: cPanel
    URLs: /frontend/x3/mail/delegatelist.html, /frontend/paper_lantern/mail/delegatelist.html
    Affected Releases: 11.42.0, 11.40.1
    Reporter: Mateusz Goik

    Case: 90765
    Security Rating: Minor
    XSS Type: Self-stored
    Interface: cPanel
    URLs: /frontend/x3/mime/hotlink.html, /frontend/paper_lantern/mime/hotlink.html
    Affected Releases: 11.42.0, 11.40.1, 11.38.2
    Reporter: Mateusz Goik

    Case: 90769
    Security Rating: Minor
    XSS Type: Self-stored
    Interface: cPanel
    URLs: /frontend/x3/webdav/accounts_webdav.html, /frontend/paper_lantern/webdav/accounts_webdav.html
    Affected Releases: 11.42.0, 11.40.1, 11.38.2
    Reporter: Mateusz Goik

    Case: 90781
    Security Rating: Minor
    XSS Type: Self-stored
    Interface: cPanel
    URLs: /frontend/x3/mime/redirect.html, /frontend/paper_lantern/mime/redirect.html
    Affected Releases: 11.42.0, 11.40.1, 11.38.2
    Reporter: Mateusz Goik

    Case: 90817
    Security Rating: Minor
    XSS Type: Self
    Interface: cPanel
    URLs: /frontend/x3/filemanager/listfmfiles.json, /frontend/paper_lantern/filemanager/listfmfiles.json
    Affected Releases: 11.42.0, 11.40.1, 11.38.2
    Reporter: Mateusz Goik

    Case: 90969
    Security Rating: Important
    XSS Type: Stored
    Interface: WHM
    URLs: /cgi/cpaddons_report.pl
    Affected Releases: 11.42.0, 11.40.1, 11.38.2
    Reporter: Rack911

    Case: 91457
    Security Rating: Minor
    XSS Type: Self
    Interface: cPanel
    URLs: /frontend/x3/test.php, /frontend/paper_lantern/test.php
    Affected Releases: 11.42.0, 11.40.1, 11.38.2
    Reporter: cPanel Security Team

    Case: 91461
    Security Rating: Minor
    XSS Type: Self
    Interface: cPanel
    URLs: /frontend/x3/cgi/doupload.html
    Affected Releases: 11.42.0, 11.40.1, 11.38.2
    Reporter: cPanel Security Team

    Case: 91633
    Security Rating: Minor
    XSS Type: Self
    Interface: cPanel
    URLs: /fetchemailarchive
    Affected Releases: 11.42.0, 11.40.1, 11.38.2
    Reporter: cPanel Security Team

    Case: 91677
    Security Rating: Minor
    XSS Type: Self-stored
    Interface: cPanel
    URLs: /frontend/x3/cpanelpro/filelist-scale.html, /frontend/paper_lantern/cpanelpro/filelist-scale.html
    Affected Releases: 11.42.0, 11.40.1, 11.38.2
    Reporter: cPanel Security Team

    Case: 91681
    Security Rating: Minor
    XSS Type: Self-stored
    Interface: cPanel
    URLs: /frontend/x3/cpanelpro/filelist-thumbs.html, /frontend/paper_lantern/cpanelpro/filelist-thumbs.html
    Affected Releases: 11.42.0, 11.40.1, 11.38.2
    Reporter: cPanel Security Team

    Case: 91717
    Security Rating: Minor
    XSS Type: Self
    Interface: cPanel
    URLs: /frontend/paper_lantern/cpanelpro/changestatus.html, /frontend/paper_lantern/cpanelpro/editmsgs.html, /frontend/paper_lantern/cpanelpro/msgaction.html, /frontend/paper_lantern/cpanelpro/saveconf.html, /frontend/paper_lantern/mail/changestatus.html, /frontend/paper_lantern/mail/conf.html, /frontend/paper_lantern/mail/editlists.html, /frontend/paper_lantern/mail/editmsg.html, /frontend/paper_lantern/mail/manage.html, /frontend/paper_lantern/mail/queuesearch.htm, /frontend/paper_lantern/mail/resetmsg.html(acount), /frontend/paper_lantern/mail/saveconf.html, /frontend/paper_lantern/mail/showlog.html, /frontend/paper_lantern/mail/showmsg.htm, /frontend/paper_lantern/mail/showq.html, /frontend/x3/cpanelpro/changestatus.html, /frontend/x3/cpanelpro/editlists.html, /frontend/x3/cpanelpro/editmsgs.html, /frontend/x3/cpanelpro/msgaction.html, /frontend/x3/cpanelpro/saveconf.html, /frontend/x3/mail/changestatus.html, /frontend/x3/mail/conf.html, /frontend/x3/mail/editlists.html, /frontend/x3/mail/editmsg.html, /frontend/x3/mail/manage.html, /frontend/x3/mail/queuesearch.html, /frontend/x3/mail/resetmsg.html, /frontend/x3/mail/saveconf.html, /frontend/x3/mail/showlog.html, /frontend/x3/mail/showmsg.html, /frontend/x3/mail/showq.html
    Affected Releases: 11.42.0, 11.40.1, 11.38.2
    Reporter: cPanel Security Team

    Case: 91973
    Security Rating: Minor
    XSS Type: Self
    Interface: cPanel
    URLs: /frontend/x3/cpanelpro/doscale.html, /frontend/paper_lantern/cpanelpro/doscale.html
    Affected Releases: 11.42.0, 11.40.1, 11.38.2
    Reporter: cPanel Security Team

    Case: 91977
    Security Rating: Minor
    XSS Type: Self
    Interface: cPanel
    URLs: /frontend/x3/cpanelpro/doconvert.html, /frontend/paper_lantern/cpanelpro/doconvert.html
    Affected Releases: 11.42.0, 11.40.1, 11.38.2
    Reporter: cPanel Security Team

    Case: 91981
    Security Rating: Minor
    XSS Type: Self
    Interface: cPanel
    URLs: /frontend/x3/cpanelpro/dothumbdir.html, /frontend/paper_lantern/cpanelpro/dothumbdir.html
    Affected Releases: 11.42.0, 11.40.1, 11.38.2
    Reporter: cPanel Security Team

    Case: 92133
    Security Rating: Minor
    XSS Type: Self
    Interface: cPanel
    URLs: /frontend/x3/telnet/keys/dodelpkey.html, /frontend/paper_lantern/telnet/keys/dodelpkey.html
    Affected Releases: 11.42.0, 11.40.1, 11.38.2
    Reporter: cPanel Security Team

    Case: 92157
    Security Rating: Important
    XSS Type: Stored
    Interface: WHM
    URLs: /scripts/installfp, /scripts/uninstallfp
    Affected Releases: 11.42.0, 11.40.1, 11.38.2
    Reporter: cPanel Security Team

    Case: 92421
    Security Rating: Minor
    XSS Type: Self
    Interface: cPanel
    URLs: /frontend/x3/mail/ajax_mail_settings.html, /frontend/paper_lantern/mail/ajax_mail_settings.html
    Affected Releases: 11.42.0, 11.40.1, 11.38.2
    Reporter: cPanel Security Team

    Case: 92593
    Security Rating: Moderate
    XSS Type: Reflected
    Interface: cPanel
    URLs: /cgi-sys/entropysearch.cgi
    Affected Releases: 11.42.0, 11.40.1, 11.38.2
    Reporter: cPanel Security Team

    Case: 92829
    Security Rating: Minor
    XSS Type: Self
    Interface: WHM
    URLs: /cgi-sys/defaultwebpage.cgi
    Affected Releases: 11.42.0, 11.40.1, 11.38.2
    Reporter: Shahee Mirza

    Case: 93089
    Security Rating: Minor
    XSS Type: Self
    Interface: cPanel
    URLs: /frontend/x3/mime/delredirectconfirm.html
    Affected Releases: 11.42.0, 11.40.1, 11.38.2
    Reporter: cPanel Security Team

    cPanel includes a comprehensive protection mechanism against XSS and XSRF attacks called Security Tokens. Security Tokens protection is enabled by default in all installs of cPanel & WHM. When Security Tokens protection is enabled, an attacker intending to utilize any self-XSS vulnerabilities must convince the victim to navigate their browser to the appropriate cPanel or WHM interface and manually input the JavaScript payload.

    Credits

    These issues were discovered by the respective reporters listed above.

    Solution

    These issues are resolved in the following builds:

    11.42.0.23
    11.40.1.13
    11.38.2.23

    For the PGP signed message, please go to: http://cpanel.net/wp-content/uploads/2014/03/TSR-2014-0003-Full-Disclosure1.txt
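Added example (not cPanel's own code, and written in Python rather than the Perl of FormMail-clone) showing the two FormMail-clone fixes described in Case 87205 and Case 90265: a redirect target is accepted only when it is an http(s) URL on this server or a server-relative path, and user-supplied header values are refused outright if they contain a line break. The function names, the `server_hosts` and recipient allow-lists, and the sample submission are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Any of these in a user-supplied header value ends the current header line, so the
# rest of the value would be interpreted as additional headers (Bcc:, To:, ...).
_LINE_BREAKERS = ("\r", "\n", "\x00")


def safe_header_value(value: str, max_len: int = 200) -> str:
    """Return value if it can be emitted as a single mail header value.

    Raises ValueError instead of silently 'cleaning' the input, so a caller cannot
    accidentally send a message whose headers differ from what the form intended.
    """
    if any(ch in value for ch in _LINE_BREAKERS):
        raise ValueError("line break in header value")
    if not value.isprintable():           # rejects tabs and other control characters
        raise ValueError("non-printable character in header value")
    return value[:max_len].strip()


def is_safe_redirect(url: str, server_hosts: frozenset) -> bool:
    """Allow only http(s) URLs whose host is this server, or absolute paths on it."""
    url = url.strip()
    if any(ch in url for ch in _LINE_BREAKERS):
        return False                      # would also break the Location: header
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        # Server-relative path. Browsers treat '//host' and '/\host' as a host,
        # so require exactly one leading slash.
        return url.startswith("/") and not url.startswith(("//", "/\\"))
    if parts.scheme.lower() not in ("http", "https"):
        return False                      # javascript:, data:, ftp:, ...
    host = parts.hostname                 # lower-cased; userinfo and port removed
    return host is not None and host in server_hosts


def formmail_headers(form: dict, allowed_recipients: frozenset) -> str:
    """Build the header block for one submission; every user field is validated."""
    recipient = form.get("recipient", "")
    if recipient not in allowed_recipients:
        raise ValueError("recipient not in the configured allow-list")
    subject = safe_header_value(form.get("subject", "WWW Form Submission"))
    realname = safe_header_value(form.get("realname", "Anonymous"))
    return (f"To: {recipient}\r\n"
            f"Subject: {subject}\r\n"
            f"X-Sender-Name: {realname}\r\n")


if __name__ == "__main__":
    hosts = frozenset({"www.example.com"})          # constructed: this server's names
    submission = {                                   # constructed form POST
        "recipient": "owner@example.com",
        "subject": "Contact form\r\nBcc: everyone@example.net",
        "redirect": "http://evil.example/",
    }
    print("redirect allowed:", is_safe_redirect(submission["redirect"], hosts))
    try:
        print(formmail_headers(submission, frozenset({"owner@example.com"})))
    except ValueError as exc:
        print("submission rejected:", exc)
```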
     