
cPanel TSR-2014-0004 Full Disclosure

Discussion in 'cPanel Announcements' started by cPanelCory, May 26, 2014.

    cPanelCory (Developer - cPanel Security Team, Staff Member)
    TSR-2014-0004 Full Disclosure

    Case 78301

    Summary

    Correct patch for CVE-2002-1575 in cgiemail.

    Security Rating

    cPanel has assigned a Security Level of Important to this vulnerability.

    Description

    cPanel & WHM includes a copy of Bruce Lewis' cgiemail version 1.6. This version of cgiemail was vulnerable to CVE-2002-1575, allowing remote unauthenticated attackers to send email using the cgiemail script to destination addresses of the attackers' choosing.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.43.0.12
    11.42.1.16
    11.40.1.14

    Case 92733

    Summary

    Session file name disclosure via SafeFile command line rewriting.

    Security Rating

    cPanel has assigned a Security Level of Moderate to this vulnerability.

    Description

    The SafeFile functionality of cPanel provides for safe file locking and opening. When attempting to obtain a lock on a file, the executable name ($0) was set to include the target file name for debugging purposes. This exposed potentially sensitive session information.

    Credits

    This issue was discovered by Rack911.

    Solution

    This issue is resolved in the following builds:
    11.43.0.12
    11.42.1.16
    11.40.1.14

    Case 92745

    Summary

    Private SSH key passwords disclosed during key generation and import.

    Security Rating

    cPanel has assigned a Security Level of Minor to this vulnerability.

    Description

    The cPanel & WHM API1 and API2 calls that imported, generated, and converted SSH keys using the ssh-keygen binary supplied the password for the private key using command line arguments. This revealed the private password to other accounts on the system while ssh-keygen was executing.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.43.0.12
    11.42.1.16
    11.40.1.14

    Case 93017

    Summary

    Arbitrary Code Execution via WHM Thirdparty Service Calls.

    Security Rating

    cPanel has assigned a Security Level of Moderate to this vulnerability.

    Description

    The WHM /scripts2/showservice and /scripts2/saveservice URLs took a module name from the user and attempted to load it via an unsafe string eval. Using a carefully crafted module name, a malicious authenticated reseller could execute arbitrary code as root.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.43.0.12
    11.42.1.16
    11.40.1.14

    Case 93021

    Summary

    Arbitrary code execution via Cpanel::Thirdparty::serviceinfo API call.

    Security Rating

    cPanel has assigned a Security Level of Minor to this vulnerability.

    Description

    The Cpanel::Thirdparty::serviceinfo API1 call took a module name from the user and attempted to load it via an unsafe string eval. Using a carefully crafted module name, an authenticated cPanel user could execute arbitrary code, potentially bypassing other restrictions placed on the account.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.43.0.12
    11.42.1.16
    11.40.1.14
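Cases 93017 and 93021 describe the same bug class: a user-supplied module name spliced into a string that is then evaluated. The following is an added example, not cPanel code, showing that shape next to a hardened loader; the package name `thirdparty_services`, the allowlist contents and the in-memory modules are constructed for this illustration.

```python
from __future__ import annotations
import importlib
import re
import sys
import types

# Hypothetical package and registry standing in for the third-party service
# modules the interface may load; both are constructed for this example.
SERVICE_PACKAGE = "thirdparty_services"
ALLOWED_SERVICES = {"exampleservice", "otherservice"}

# A module name is a short identifier: no dots, quotes, semicolons, newlines.
_NAME_RE = re.compile(r"\A[A-Za-z][A-Za-z0-9_]{0,63}\Z")


def _install_constructed_modules() -> None:
    """Register in-memory modules so the example runs offline."""
    pkg = types.ModuleType(SERVICE_PACKAGE)
    pkg.__path__ = []                      # mark it as a package
    sys.modules[SERVICE_PACKAGE] = pkg
    for svc in ALLOWED_SERVICES:
        mod = types.ModuleType(f"{SERVICE_PACKAGE}.{svc}")
        mod.serviceinfo = (lambda s=svc: {"service": s, "status": "running"})
        sys.modules[mod.__name__] = mod
        setattr(pkg, svc, mod)


def load_service_unsafe(name: str) -> types.ModuleType:
    """The vulnerable shape: the user-supplied name is spliced into source
    text that is then evaluated, so the name can carry extra statements.
    Kept only as the pattern to flag in review; never feed it untrusted input."""
    ns: dict = {}
    exec(f"import {SERVICE_PACKAGE}.{name} as mod", ns)
    return ns["mod"]


def is_valid_service_name(name: str) -> bool:
    """Shape check first, then an allowlist: both must pass."""
    return bool(_NAME_RE.match(name)) and name in ALLOWED_SERVICES


def load_service(name: str) -> types.ModuleType:
    """Hardened loader: no evaluation of user text at all. The name is only
    used as data handed to the import system after it passed the allowlist,
    so a crafted name cannot become code."""
    if not is_valid_service_name(name):
        raise ValueError(f"refusing to load service module: {name!r}")
    return importlib.import_module(f"{SERVICE_PACKAGE}.{name}")


_install_constructed_modules()

if __name__ == "__main__":
    print(load_service("exampleservice").serviceinfo())
    for bad in ("otherservice\nimport os", "../etc", "exampleservice; x = 1"):
        print(repr(bad), "->", is_valid_service_name(bad))
```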

    Case 93269

    Summary

    Transfer CGI scripts allow downloads of a cPanel account.

    Security Rating

    cPanel has assigned a Security Level of Important to this vulnerability.

    Description

    The WHM 'Copy an Account From Another Server With an Account Password' functionality will first attempt to use XML-API calls to generate and download a backup of the remote account. Should this call fail, a fallback method using FTP and HTTP will be attempted. Under some circumstances, the CGI scripts utilized by this fallback method would remain installed on the account after the transfer was complete, potentially allowing remote attackers to download a copy of the transferred account.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.42.1.16
    11.40.1.14

    Case 94077

    Summary

    Denial of service via Boxtrapper cgi-sys script.

    Security Rating

    cPanel has assigned a Security Level of Moderate to this vulnerability.

    Description

    The Boxtrapper bxd.cgi script used to confirm an email for delivery did not properly validate the account parameter passed to it by the user. By injecting null values into this parameter, an unauthenticated attacker could trigger an infinite loop in the script, potentially exhausting server resources.

    Credits

    This issue was discovered by Rack911.

    Solution

    This issue is resolved in the following builds:
    11.43.0.12
    11.42.1.16
    11.40.1.14

    Case 95617

    Summary

    Arbitrary database access via cpmysqladmin ADDDBPRIVS command.

    Security Rating

    cPanel has assigned a Security Level of Important to this vulnerability.

    Description

    The cpmysqladmin 'ADDDBPRIVS' command allowed cPanel users to add read and write privileges to a database. Ownership of the specified database was not properly validated during this process, allowing the user to read and write any database on the system.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.42.1.16
    11.40.1.14

    Case 96301

    Summary

    Arbitrary permissions change via fixsuexeccgiscripts script.

    Security Rating

    cPanel has assigned a Security Level of Important to this vulnerability.

    Description

    The fixsuexeccgiscripts script run during the nightly UPCP process on cPanel & WHM systems scanned Apache's suexec_log for indications of misconfigured CGI scripts. Scripts that generated errors were automatically set to 0755 permissions. The functionality that changed permissions on defective scripts performed insufficient validation of the targets, allowing a local attacker to set any file on the system to 0755 permissions.

    Credits

    This issue was discovered by Rack911.

    Solution

    This issue is resolved in the following builds:
    11.43.0.12
    11.42.1.16
    11.40.1.14

    Case 96381

    Summary

    Arbitrary file ownership change via chownpublichtmls script.

    Security Rating

    cPanel has assigned a Security Level of Moderate to this vulnerability.

    Description

    The chownpublichtmls script is intended to correct the ownership on users' public_html directories. This script used an obsolete version of the safe_recchmod() function that was vulnerable to a race condition attack. This could allow a local attacker to change the ownership of arbitrary files.

    Credits

    This issue was discovered by Rack911.

    Solution

    This issue is resolved in the following builds:
    11.43.0.12
    11.42.1.16
    11.40.1.14

    Case 96541

    Summary

    Arbitrary code execution as root via WHM "Check and Repair a Perl Script".

    Security Rating

    cPanel has assigned a Security Level of Important to this vulnerability.

    Description

    The Check and Repair Perl Script functionality of WHM was vulnerable to a Time-of-check/Time-of-use attack. The UID this functionality would execute under was determined by a simple stat of the target file, followed by the execution of the script using "perl -c". A local attacker could leverage this flaw to execute arbitrary code as root when this interface was used on a script under the attacker's control.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.43.0.12
    11.42.1.16
    11.40.1.14
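The fix for a stat-then-execute race such as case 96541 (and the discipline the chmod/chown scripts in cases 96301, 96381 and 96697 needed) is to open the target once, take the owner from the open descriptor with fstat(), and hand that same descriptor to the interpreter. This added example is not cPanel's code; the `perl -c` invocation is the page's, while the temporary script, the echo stand-in checker and the helper names are constructed here.

```python
import os
import stat
import subprocess
import sys
import tempfile


def open_script_for_check(path: str):
    """Open the target once and take its owner from the open descriptor.

    Deciding the UID from a separate stat() of the path and then running the
    interpreter on that path leaves a window in which the path can be
    repointed at a root-owned file. fstat() on the very descriptor that will
    be handed to the interpreter closes the window, and O_NOFOLLOW refuses a
    symlink at the last component, so the caller cannot aim the path at a
    file owned by someone else.
    """
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode):
        os.close(fd)
        raise ValueError("not a regular file")
    return fd, st


def _drop_to(uid: int, gid: int):
    """preexec hook: become the file's owner; only root may switch users."""
    def preexec():
        if os.geteuid() == 0:
            os.setgroups([])
            os.setgid(gid)
            os.setuid(uid)
        elif os.geteuid() != uid:
            raise PermissionError("cannot run as the file's owner without root")
    return preexec


def check_script(path: str, checker=("perl", "-c")) -> subprocess.CompletedProcess:
    """Run the syntax checker as the file's owner on the open descriptor,
    not on the path, so what the path points at by now no longer matters."""
    fd, st = open_script_for_check(path)
    try:
        return subprocess.run(list(checker) + [f"/dev/fd/{fd}"],
                              pass_fds=[fd],
                              preexec_fn=_drop_to(st.st_uid, st.st_gid),
                              capture_output=True, text=True)
    finally:
        os.close(fd)


# Constructed stand-in checker so the demo runs where perl is absent: it
# just echoes the script it was handed through the descriptor path.
ECHO_CHECKER = (sys.executable, "-c",
                "import sys; print(open(sys.argv[1]).read(), end='')")


def demo() -> dict:
    """Constructed scenario: a script we own, plus a symlink pointing at it."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "hello.pl")
        with open(script, "w") as fh:
            fh.write('print "hello\\n";\n')
        link = os.path.join(d, "link.pl")
        os.symlink(script, link)
        result = check_script(script, ECHO_CHECKER)
        try:
            open_script_for_check(link)      # O_NOFOLLOW makes this fail
            symlink_rejected = False
        except OSError:
            symlink_rejected = True
    return {"returncode": result.returncode, "stdout": result.stdout,
            "symlink_rejected": symlink_rejected}


if __name__ == "__main__":
    print(demo())
```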

    Case 96697

    Summary

    Arbitrary permissions change via multiple scripts.

    Security Rating

    cPanel has assigned a Security Level of Moderate to this vulnerability.

    Description

    Obsolete versions of several functions provided by the Cpanel::SafetyBits module were duplicated inside the safetybits.pl script and used in several command line scripts provided with cPanel & WHM. The obsolete versions of these functions allowed a local attacker to change the permissions on arbitrary files under some circumstances.

    Credits

    This issue was discovered by Rack911.

    Solution

    This issue is resolved in the following builds:
    11.43.0.12
    11.42.1.16
    11.40.1.14

    Case 97289

    Summary

    Bypass of local zone ownership restrictions via DNS clustering commands.

    Security Rating

    cPanel has assigned a Security Level of Minor to this vulnerability.

    Description

    The DNS clustering commands allow for DNS zones to be synced across a cluster. When a zone is owned by a local user, these commands restrict modification of the zone to the reseller account that owns the zone and reseller accounts with the "All" ACL. This functionality was subject to several flaws that allowed an authenticated attacker with the "Clustering" ACL to modify zones belonging to other resellers on the system.

    Credits

    This issue was discovered by Rack911.

    Solution

    This issue is resolved in the following builds:
    11.43.0.12
    11.42.1.16
    11.40.1.14

    Case 97293

    Summary

    Miscategorization of DNS Clustering ACL.

    Security Rating

    cPanel has assigned a Security Level of Minor to this vulnerability.

    Description

    The "Clustering" ACL in the WHM Edit Reseller Nameservers and Privileges interface was miscategorized under the "Standard Privileges" grouping. This ACL should be listed under the "Super Privileges" grouping since the ACL is intended for sensitive DNS clustering configuration and synchronization operations that bypass many restrictions on DNS zone modifications.

    Credits

    This issue was discovered by Rack911.

    Solution

    This issue is resolved in the following builds:
    11.43.0.12
    11.42.1.16
    11.40.1.14

    Case 97737

    Summary

    Arbitrary YAML file read via Configure Customer Contact.

    Security Rating

    cPanel has assigned a Security Level of Important to this vulnerability.

    Description

    The WHM Configure Customer Contact interface allows a reseller to set contact information visible by their users. The YAML file containing this information is inside the reseller's home directory and was read with the effective UID of root. By manipulating this file, an authenticated reseller could read the contents of arbitrary YAML files on the system.

    Credits

    This issue was discovered by Rack911.

    Solution

    This issue is resolved in the following builds:
    11.43.0.12
    11.42.1.16
    11.40.1.14

    Case 97841

    Summary

    Mailman list password disclosed to local users during password change.

    Security Rating

    cPanel has assigned a Security Level of Moderate to this vulnerability.

    Description

    Mailman's change_pw script takes the password as a command line argument. When changing a mailing list's password, the new password was leaked to other users logged into the system via command line arguments.

    Credits

    This issue was discovered by Rack911.

    Solution

    This issue is resolved in the following builds:
    11.43.0.12
    11.42.1.16
    11.40.1.14
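Cases 92745 and 97841 are both the command-line-argument disclosure: whatever a helper receives in argv is readable by every local user for as long as it runs. This added example (not cPanel's or Mailman's code) makes that visible on Linux through /proc and shows the corrected shape, feeding the secret over a private stdin pipe; the two helpers are constructed stand-ins for tools like ssh-keygen or change_pw, and the secret is a made-up value.

```python
from __future__ import annotations
import subprocess
import sys


def visible_argv(pid: int) -> list:
    """What any local user can read about a running process: its argument
    vector, taken here from Linux /proc (ps reads the same data)."""
    with open(f"/proc/{pid}/cmdline", "rb") as fh:
        return [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]


# Constructed stand-in for a helper that expects the password as an argument;
# it simply waits on stdin so the process is alive long enough to inspect.
LEAKY_HELPER = [sys.executable, "-c", "import sys; sys.stdin.read()"]
# Constructed helper that reads the secret from stdin and reports its length.
STDIN_HELPER = [sys.executable, "-c", "import sys; print(len(sys.stdin.read()))"]


def password_via_argv(secret: str) -> list:
    """The disclosed pattern: the secret rides in argv for the helper's whole
    lifetime. Returns the argv another user on the box would observe."""
    child = subprocess.Popen(LEAKY_HELPER + ["--password", secret],
                             stdin=subprocess.PIPE)
    try:
        return visible_argv(child.pid)   # child is blocked on stdin meanwhile
    finally:
        child.communicate(b"")           # close stdin so it exits


def password_via_stdin(secret: str) -> tuple:
    """Corrected pattern: the secret is written to the helper's stdin, a pipe
    only the two processes can read, so argv carries nothing sensitive.
    Returns the observable argv and the helper's output."""
    child = subprocess.Popen(STDIN_HELPER, stdin=subprocess.PIPE,
                             stdout=subprocess.PIPE, text=True)
    argv = visible_argv(child.pid)
    out, _ = child.communicate(secret)
    return argv, out.strip()


if __name__ == "__main__":
    secret = "correct-horse-constructed"
    print("argv with secret :", password_via_argv(secret))
    print("argv using stdin :", password_via_stdin(secret)[0])
```

The same observation is a cheap audit: scanning /proc/*/cmdline (or `ps -ef` output) for password-like flags on a shared host is how this class of bug is usually found.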

    Case 98121

    Summary

    Miscategorization of Locales ACL.

    Security Rating

    cPanel has assigned a Security Level of Minor to this vulnerability.

    Description

    The "local-edit" ACL listed in the WHM Edit Reseller Nameservers and Privileges interface was miscategorized under the "Global Privileges" grouping. This ACL should be listed under the "Super Privileges" grouping since the ACL allows the reseller to control the display of translations, including embedded HTML, in all cPanel & WHM interfaces.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.43.0.12
    11.42.1.16
    11.40.1.14

    Multiple Cases (35)

    Summary

    Multiple XSS vulnerabilities in various interfaces.

    Description

    Output filtering errors in several different interfaces allowed JavaScript inputs to be returned to the browser without proper filtering. The affected interfaces are listed below.

    Case: 90761
    Security Rating: Minor
    XSS Type: Self-stored
    Interface: cPanel
    URLs: /frontend/x3/ftp/accounts.html, /frontend/paper_lantern/ftp/accounts.html
    Affected Releases: 11.43.0, 11.42.1, 11.40.1
    Reporter: Mateusz Goik

    Case: 93117
    Security Rating: Moderate
    XSS Type: Reflected
    Interface: cPanel
    URLs: /cgi-sys/guestbook.cgi
    Affected Releases: 11.43.0, 11.42.1, 11.40.1
    Reporter: cPanel Security Team

    Case: 93141
    Security Rating: Moderate
    XSS Type: Reflected
    Interface: Entropy Chat
    URLs: /
    Affected Releases: 11.43.0, 11.42.1, 11.40.1
    Reporter: cPanel Security Team

    Case: 93641
    Security Rating: Minor
    XSS Type: Self-stored
    Interface: cPanel
    URLs: /frontend/paper_lantern/mail/auto_responder.tt, /frontend/x3/mail/auto_responder.tt
    Affected Releases: 11.43.0, 11.42.1, 11.40.1
    Reporter: cPanel Security Team

    Case: 93965
    Security Rating: Minor
    XSS Type: Self-stored
    Interface: cPanel
    URLs: /frontend/x3/filemanager/index.html, /frontend/paper_lantern/filemanager/index.html
    Affected Releases: 11.43.0, 11.42.1, 11.40.1
    Reporter: cPanel Security Team

    Case: 93985
    Security Rating: Minor
    XSS Type: Self
    Interface: cPanel
    URLs: /frontend/x3/addoncgi/cpaddons.html, /frontend/paper_lantern/addoncgi/cpaddons.html
    Affected Releases: 11.43.0, 11.42.1, 11.40.1
    Reporter: cPanel Security Team

    Case: 94081
    Security Rating: Moderate
    XSS Type: Stored
    Interface: WHM
    URLs: /scripts4/listaccts
    Affected Releases: 11.43.0, 11.42.1, 11.40.1
    Reporter: Rack911

    Case: 94741
    Security Rating: Minor
    XSS Type: Self
    Interface: cPanel
    URLs: /frontend/x3/mail/spam/addspamfilter.html, /frontend/paper_lantern/mail/spam/addspamfilter.html
    Affected Releases: 11.43.0, 11.42.1
    Reporter: cPanel Security Team

    Case: 94745
    Security Rating: Minor
    XSS Type: Self
    Interface: cPanel
    URLs: /frontend/paper_lantern/mail/filters/delfilter.html, /frontend/x3/mail/filters/delfilter.html
    Affected Releases: 11.43.0, 11.42.1, 11.40.1
    Reporter: cPanel Security Team

    Case: 94773
    Security Rating: Minor
    XSS Type: Self
    Interface: cPanel
    URLs: /frontend/x3/addon/index.html, /frontend/x3/denyip/index.html, /frontend/x3/ftp/accounts.html, /frontend/x3/mail/archive.html, /frontend/x3/mail/autores.html, /frontend/x3/mail/boxtrapper.html, /frontend/x3/mail/filters/managefilters.html, /frontend/x3/mail/fwds.html, /frontend/x3/mail/lists.html, /frontend/x3/park/index.html, /frontend/x3/psql/index.html, /frontend/x3/sql/index.html, /frontend/x3/subdomain/index.html, /frontend/paper_lantern/addon/index.html, /frontend/paper_lantern/denyip/index.html, /frontend/paper_lantern/ftp/accounts.html, /frontend/paper_lantern/mail/archive.html, /frontend/paper_lantern/mail/autores.html, /frontend/paper_lantern/mail/boxtrapper.html, /frontend/paper_lantern/mail/filters/managefilters.html, /frontend/paper_lantern/mail/fwds.html, /frontend/paper_lantern/mail/lists.html, /frontend/paper_lantern/park/index.html, /frontend/paper_lantern/psql/index.html, /frontend/paper_lantern/sql/index.html, /frontend/paper_lantern/subdomain/index.html
    Affected Releases: 11.43.0, 11.42.1, 11.40.1
    Reporter: cPanel Security Team

    Case: 94793
    Security Rating: Minor
    XSS Type: Self
    Interface: cPanel
    URLs: /frontend/x3/mail/conf.html, /frontend/paper_lantern/mail/conf.html
    Affected Releases: 11.43.0, 11.42.1, 11.40.1
    Reporter: cPanel Security Team

    Case: 94825
    Security Rating: Minor
    XSS Type: Self
    Interface: cPanel
    URLs: /frontend/x3/mail/dodelpop.html, /frontend/paper_lantern/mail/dodelpop.html
    Affected Releases: 11.43.0, 11.42.1, 11.40.1
    Reporter: cPanel Security Team

    Case: 94929
    Security Rating: Minor
    XSS Type: Self
    Interface: cPanel
    URLs: /frontend/paper_lantern/mime/addredirect.html
    Affected Releases: 11.43.0, 11.42.1
    Reporter: cPanel Security Team

    Case: 94937
    Security Rating: Minor
    XSS Type: Self
    Interface: cPanel
    URLs: /frontend/paper_lantern/sql/wizard4.html, /frontend/x3/sql/wizard4.html
    Affected Releases: 11.43.0, 11.42.1, 11.40.1
    Reporter: cPanel Security Team

    Case: 95577
    Security Rating: Minor
    XSS Type: Self
    Interface: cPanel
    URLs: /frontend/x3/denyip/delconfirm.html, /frontend/paper_lantern/denyip/delconfirm.html
    Affected Releases: 11.43.0, 11.42.1, 11.40.1
    Reporter: cPanel Security Team

    Case: 95805
    Security Rating: Minor
    XSS Type: Self
    Interface: cPanel
    URLs: /frontend/paper_lantern/ftp/dologoutftpconfirm.html, /frontend/x3/ftp/dologoutftpconfirm.html
    Affected Releases: 11.43.0, 11.42.1, 11.40.1
    Reporter: cPanel Security Team

    Case: 96017
    Security Rating: Minor
    XSS Type: Self
    Interface: cPanel
    URLs: /frontend/paper_lantern/mime/delredirect.html, /frontend/x3/mime/delredirect.html
    Affected Releases: 11.43.0, 11.42.1, 11.40.1
    Reporter: cPanel Security Team

    Case: 96021
    Security Rating: Moderate
    XSS Type: Stored
    Interface: cPanel
    URLs: /frontend/x3/clamavconnector/scanner.html, /frontend/x3/clamavconnector/live_disinfect.html, /frontend/x3/clamavconnector/disinfect.html, /frontend/paper_lantern/clamavconnector/scanner.html, /frontend/paper_lantern/clamavconnector/live_disinfect.html, /frontend/paper_lantern/clamavconnector/disinfect.html
    Affected Releases: 11.43.0, 11.42.1, 11.40.1
    Reporter: cPanel Security Team

    Case: 96201
    Security Rating: Minor
    XSS Type: Self
    Interface: WHM
    URLs: /scripts/doresetresellers
    Affected Releases: 11.43.0, 11.42.1, 11.40.1
    Reporter: cPanel Security Team

    Case: 96209
    Security Rating: Minor
    XSS Type: Self
    Interface: WHM
    URLs: /scripts/domultikill
    Affected Releases: 11.43.0, 11.42.1, 11.40.1
    Reporter: cPanel Security Team

    Case: 96245
    Security Rating: Minor
    XSS Type: Self-stored
    Interface: WHM
    URLs: /cgi/statmanager.cgi
    Affected Releases: 11.43.0, 11.42.1, 11.40.1
    Reporter: Rack911

    Case: 96385
    Security Rating: Important
    XSS Type: Stored
    Interface: cPanel
    URLs: /frontend/x3/ftp/session.html, /frontend/paper_lantern/ftp/session.html
    Affected Releases: 11.43.0, 11.42.1, 11.40.1
    Reporter: Rack911

    Case: 96485
    Security Rating: Moderate
    XSS Type: Stored
    Interface: WHM
    URLs: /scripts5/showacctcopylog
    Affected Releases: 11.43.0, 11.42.1, 11.40.1
    Reporter: Rack911

    Case: 96505
    Security Rating: Important
    XSS Type: Stored
    Interface: WHM
    URLs: /scripts/rescart
    Affected Releases: 11.43.0, 11.42.1, 11.40.1
    Reporter: cPanel Security Team

    Case: 96509
    Security Rating: Moderate
    XSS Type: Stored
    Interface: WHM
    URLs: /scripts/repairmysql
    Affected Releases: 11.43.0, 11.42.1, 11.40.1
    Reporter: cPanel Security Team

    Case: 96521
    Security Rating: Minor
    XSS Type: Self
    Interface: WHM
    URLs: /scripts/doresmailman
    Affected Releases: 11.43.0, 11.42.1, 11.40.1
    Reporter: cPanel Security Team

    Case: 96525
    Security Rating: Moderate
    XSS Type: Stored
    Interface: WHM
    URLs: /scripts2/convertmaildir
    Affected Releases: 11.43.0, 11.42.1, 11.40.1
    Reporter: cPanel Security Team

    Case: 96545
    Security Rating: Minor
    XSS Type: Self
    Interface: WHM
    URLs: /scripts2/doeditzonetemplate
    Affected Releases: 11.43.0, 11.42.1, 11.40.1
    Reporter: cPanel Security Team

    Case: 96637
    Security Rating: Moderate
    XSS Type: Stored
    Interface: WHM
    URLs: /cgi/trustclustermaster.cgi
    Affected Releases: 11.43.0, 11.42.1, 11.40.1
    Reporter: Rack911

    Case: 96801
    Security Rating: Important
    XSS Type: Stored
    Interface: WHM
    URLs: /scripts/doconfiguremailserver
    Affected Releases: 11.43.0, 11.42.1, 11.40.1
    Reporter: cPanel Security Team

    Case: 99213
    Security Rating: Minor
    XSS Type: Stored
    Interface: WHM
    URLs: /scripts5/setupremotemysqlhost
    Affected Releases: 11.43.0, 11.42.1, 11.40.1
    Reporter: cPanel Security Team

    Case: 99309
    Security Rating: Moderate
    XSS Type: Stored
    Interface: WHM
    URLs: /scripts2/editzonetemplate
    Affected Releases: 11.43.0, 11.42.1, 11.40.1
    Reporter: cPanel Security Team

    Case: 99365
    Security Rating: Minor
    XSS Type: Self-stored
    Interface: WHM
    URLs: /scripts5/copy_account_input
    Affected Releases: 11.43.0, 11.42.1, 11.40.1
    Reporter: cPanel Security Team

    Case: 99377
    Security Rating: Minor
    XSS Type: Self-stored
    Interface: WHM
    URLs: /scripts5/remotemysqlhost
    Affected Releases: 11.42.1, 11.40.1
    Reporter: cPanel Security Team

    Case: 99957
    Security Rating: Minor
    XSS Type: Self
    Interface: cPanel
    URLs: /frontend/x3/cgi/modify.html
    Affected Releases: 11.43.0, 11.42.1, 11.40.1
    Reporter: cPanel Security Team

    cPanel includes a comprehensive protection mechanism against XSS and XSRF attacks called Security Tokens. Security Tokens protection is enabled by default in all installs of cPanel & WHM. When Security Tokens protection is enabled, an attacker intending to utilize any self-XSS vulnerabilities must convince the victim to navigate their browser to the appropriate cPanel or WHM interface and manually input the JavaScript payload.

    Credits

    These issues were discovered by the respective reporters listed above.

    Solution

    These issues are resolved in the following builds:

    11.43.0.12
    11.42.1.16
    11.40.1.14

    For the PGP-signed message, see http://cpanel.net/wp-content/uploads/2014/05/TSR-2014-0004-FullDisclosure.txt