cPanel TSR-2014-0008 Full Disclosure

Discussion in 'cPanel Announcements' started by cPanelCory, Nov 24, 2014.

    TSR-2014-0008 Full Disclosure

    Case 114917

    Summary

    Resellers could delete feature lists they did not own.

    Security Rating

    cPanel has assigned a Security Level of Moderate to this vulnerability.

    Description

    The check for ownership of a feature list was not functioning properly and allowed a reseller with limited ACLs to delete feature lists that they did not own.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.46.0.15
    11.44.1.22
    11.42.1.29

    Case 115493

    Summary

    Multiple Self-XSS vulnerabilities due to Template Toolkit setlist filtering.

    Security Rating

    cPanel has assigned a Security Level of Minor to this vulnerability.

    Description

    When using a FILTER statement in conjunction with SET or DEFAULT statements in Template Toolkit templates, the statements are not evaluated in the correct order. This makes the FILTER statement ineffective, in many cases creating self-XSS vulnerabilities.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.46.0.15
    11.44.1.22
    11.42.1.29

    Case 115833

    Summary

    Arbitrary code execution as root via chroothttpd.

    Security Rating

    cPanel has assigned a Security Level of Minor to this vulnerability.

    Description

    The chroothttpd script was intended to run the Apache webserver in a chroot. It functions by creating directories in a non-reserved location within the /home directory. By creating a user with the name of one of these directories, a limited privilege reseller could affect the execution of chroothttpd and execute arbitrary code as the root user. This script is outdated and non-functional on current cPanel & WHM systems. It has been removed.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.46.0.15
    11.44.1.22
    11.42.1.29

    Case 118105

    Summary

    Anti-XSRF tokens disclosed during session based logins.

    Security Rating

    cPanel has assigned a Security Level of Moderate to this vulnerability.

    Description

    When using session-based logins, the security token provided by the user was not sufficiently validated. This allowed logins using only information contained within the session cookie, bypassing the security token protections designed to mitigate browser cookie theft.

    Credits

    This issue was discovered by Aboutnet Support.

    Solution

    This issue is resolved in the following builds:
    11.46.0.15
    11.44.1.22
    11.42.1.29

    Case 127225

    Summary

    Arbitrary file chown via backupadmin userbackup.

    Security Rating

    cPanel has assigned a Security Level of Important to this vulnerability.

    Description

    The backupadmin script parsed the output of pkgacct to determine the filename of the generated backup tarball. This could be abused by cPanel accounts to chown arbitrary paths on the filesystem to the attacker's UID and GID.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.46.0.15
    11.44.1.22
    11.42.1.29

    Case 132769

    Summary

    Arbitrary file read via ExampleModule_printfile API1 command.

    Security Rating

    cPanel has assigned a Security Level of Minor to this vulnerability.

    Description

    A cPanel user could use the ExampleModule_printfile Api1 call to read files outside of their home directory. This flaw could be used to bypass other restrictions on the cPanel account such as demo mode or jailshell.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.46.0.15
    11.44.1.22
    11.42.1.29

    Multiple Cases (7)

    Summary

    Multiple XSS vulnerabilities in various interfaces.

    Description

    Output filtering errors in several different interfaces allowed JavaScript inputs to be returned to the browser without proper filtering. The affected interfaces are listed below.

    Case: 115757
    Security Rating: Minor
    XSS Type: Self
    Interface: cPanel
    URLs: /frontend/paper_lantern/stats/bwday.html, /frontend/x3/stats/bwday.html
    Affected Releases: 11.46.0, 11.44.1, 11.42.1
    Reporter: cPanel Security Team

    Case: 115837
    Security Rating: Minor
    XSS Type: Self
    Interface: cPanel
    URLs: /frontend/x3/psql/addbs.html
    Affected Releases: 11.46.0, 11.44.1
    Reporter: cPanel Security Team

    Case: 117153
    Security Rating: Minor
    XSS Type: Self
    Interface: WHM
    URLs: /scripts/doclonetheme
    Affected Releases: 11.46.0, 11.44.1, 11.42.1
    Reporter: cPanel Security Team

    Case: 117673
    Security Rating: Minor
    XSS Type: Self
    Interface: cPanel
    URLs: /frontend/x3/subdomain/index.html, /frontend/paper_lantern/subdomain/index.html
    Affected Releases: 11.46.0, 11.44.1, 11.42.1
    Reporter: Vignesh Kumar

    Case: 132617
    Security Rating: Minor
    XSS Type: Self
    Interface: WHM
    URLs: /scripts2/dogencrt
    Affected Releases: 11.46.0, 11.44.1, 11.42.1
    Reporter: cPanel Security Team

    Case: 132657
    Security Rating: Moderate
    XSS Type: Stored
    Interface: WHM
    URLs: /scripts2/edit_sourceipcheck
    Affected Releases: 11.46.0, 11.44.1, 11.42.1
    Reporter: cPanel Security Team

    Case: 133745
    Security Rating: Important
    XSS Type: Stored
    Interface: WHM
    URLs: /scripts2/ftpconfiguration, /scripts/resproftpd
    Affected Releases: 11.46.0
    Reporter: RACK911Labs.com

    cPanel includes a comprehensive protection mechanism against XSS and XSRF attacks called Security Tokens. Security Tokens protection is enabled by default in all installs of cPanel & WHM. When Security Tokens protection is enabled, an attacker intending to utilize any self-XSS vulnerabilities must convince the victim to navigate their browser to the appropriate cPanel or WHM interface and manually input the JavaScript payload.

    Credits

    These issues were discovered by the respective reporters listed above.

    Solution

    These issues are resolved in the following builds:
    11.46.0.15
    11.44.1.22
    11.42.1.29

    For the PGP-signed message, see http://cpanel.net/wp-content/uploads/2014/11/TSR-2014-0008-Disclosure.txt.

    If you would like to sign up for Security notices, please go to https://cpanel.net/mailing-lists.
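As an added illustration of Case 118105 and the Security Tokens paragraph above (example code written for this page, not cPanel's own implementation): a constructed in-memory session store where the weak login check trusts the session cookie alone, while the corrected check also requires the security token bound to that session. The store, function names and token format are assumptions.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> record.
# Assumption for illustration only; not cPanel's real session backend.
SESSIONS = {}


def create_session(user):
    """Start a session. The anti-XSRF security token is generated once,
    bound to the session record, and must be presented alongside the cookie."""
    sid = secrets.token_hex(16)
    token = secrets.token_hex(10)
    SESSIONS[sid] = {"user": user, "token": token}
    return sid, token


def weak_login(session_cookie, url_token):
    """Flawed check modelled on the disclosure: the token carried in the
    request is never compared, so a stolen session cookie alone logs in."""
    rec = SESSIONS.get(session_cookie)
    if rec is None:
        return None
    return rec["user"]


def fixed_login(session_cookie, url_token):
    """Corrected check: the token presented with the request must match the
    one bound to this session, compared in constant time."""
    rec = SESSIONS.get(session_cookie)
    if rec is None or not url_token:
        return None
    if not hmac.compare_digest(rec["token"], url_token):
        return None
    return rec["user"]
```

A cookie captured from the browser is useless to the corrected check without the session-bound token, which is the mitigation the advisory describes.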