
cPanel TSR-2014-0006 Full Disclosure

Discussion in 'cPanel Announcements' started by jdlightsey, Aug 11, 2014.

    Case 108965

    Summary

    Bypass of account suspension via mod_userdir.

    Security Rating

    cPanel has assigned a Security Level of Moderate to this vulnerability.

    Description

    The fix for case 101677 in TSR-2014-0005 introduced a regression in account suspensions that allowed the web content of a suspended account to be viewed normally via Apache userdir style URLs. This has been corrected so that both NameVirtualHost and userdir access to the suspended account's web content is blocked.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.44.1.11
    11.42.1.25
    11.40.1.20

    For the PGP-signed message, see: http://cpanel.net/wp-content/uploads/2014/08/TSR-2014-0006-Full-Disclosure.txt
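
A branch-aware check of installed versions against the fixed builds listed above, as an added example that is not part of the original advisory or cPanel's own tooling. The function names and the sample inventory are constructed; it assumes builds within a branch compare numerically and that a server's version string is read from /usr/local/cpanel/version.

```sh
#!/bin/sh
# Added example: classify a cPanel & WHM version against the fixed builds
# listed in TSR-2014-0006. Prints: fixed, needs-update, or unknown.
tsr_2014_0006_status() {
    version=$1
    # Accept only digits and single dots, e.g. 11.44.1.11
    case $version in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $version            # split into four numeric fields
    IFS=$old_ifs
    [ $# -eq 4 ] || { echo unknown; return 0; }
    branch="$1.$2"; minor=$3; build=$4
    # Fixed builds, taken from the advisory's Solution section.
    case $branch in
        11.44) fixed_minor=1; fixed_build=11 ;;
        11.42) fixed_minor=1; fixed_build=25 ;;
        11.40) fixed_minor=1; fixed_build=20 ;;
        *) echo unknown; return 0 ;;   # branch not named in the advisory
    esac
    # Assumption: within a branch, builds are ordered numerically.
    if [ "$minor" -gt "$fixed_minor" ] ||
       { [ "$minor" -eq "$fixed_minor" ] && [ "$build" -ge "$fixed_build" ]; }; then
        echo fixed
    else
        echo needs-update
    fi
}

# Read "host version" pairs on stdin and append the status to each line.
audit_inventory() {
    while read -r host version; do
        [ -n "$host" ] || continue
        printf '%s %s %s\n' "$host" "$version" "$(tsr_2014_0006_status "$version")"
    done
}

# Constructed sample inventory. On a real server the version string is assumed
# to come from /usr/local/cpanel/version.
audit_inventory <<'EOF'
web01 11.44.1.11
web02 11.42.1.24
web03 11.40.1.20
web04 11.46.0.3
EOF
```

Branches the advisory does not name are reported as unknown rather than guessed at.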
     