cPanel TSR-2014-0008 Full Disclosure

cPanelCory

Release Manager - EasyApache
Staff member
Jan 18, 2008
69
5
133
Houston
cPanel Access Level
Root Administrator
TSR-2014-0008 Full Disclosure

Case 114917

Summary

Resellers could delete feature lists they did not own.

Security Rating

cPanel has assigned a Security Level of Moderate to this vulnerability.

Description

The check for ownership of a feature list was not functioning properly and allowed a reseller with limited ACLs to delete feature lists that they did not own.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.46.0.15
11.44.1.22
11.42.1.29

Case 115493

Summary

Multiple Self-XSS vulnerabilities due to Template Toolkit setlist filtering.

Security Rating

cPanel has assigned a Security Level of Minor to this vulnerability.

Description

When using a FILTER statement in conjunction with SET or DEFAULT statements in Template Toolkit templates, the statements are not evaluated in the correct order. This makes the FILTER statement ineffective, in many cases creating self-XSS vulnerabilities.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.46.0.15
11.44.1.22
11.42.1.29

Case 115833

Summary

Arbitrary code execution as root via chroothttpd.

Security Rating

cPanel has assigned a Security Level of Minor to this vulnerability.

Description

The chroothttpd script was intended to run the Apache webserver in a chroot. It functions by creating directories in a non-reserved location within the /home directory. By creating a user with the name of one of these directories, a limited privilege reseller could affect the execution of chroothttpd and execute arbitrary code as the root user. This script is outdated and non-functional on current cPanel & WHM systems. It has been removed.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.46.0.15
11.44.1.22
11.42.1.29

Case 118105

Summary

Anti-XSRF tokens disclosed during session based logins.

Security Rating

cPanel has assigned a Security Level of Moderate to this vulnerability.

Description

When using session-based logins, the security token provided by the user was not sufficiently validated. This allowed logins using only information contained within the session cookie, bypassing the security token protections designed to mitigate browser cookie theft.

Credits

This issue was discovered by Aboutnet Support.

Solution

This issue is resolved in the following builds:
11.46.0.15
11.44.1.22
11.42.1.29

Case 127225

Summary

Arbitrary file chown via backupadmin userbackup.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

The backupadmin script parsed the output of pkgacct to determine the filename of the generated backup tarball. This could be abused by cPanel accounts to chown arbitrary paths on the filesystem to the attacker's UID and GID.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.46.0.15
11.44.1.22
11.42.1.29

Case 132769

Summary

Arbitrary file read via ExampleModule_printfile API1 command.

Security Rating

cPanel has assigned a Security Level of Minor to this vulnerability.

Description

A cPanel user could use the ExampleModule_printfile Api1 call to read files outside of their home directory. This flaw could be used to bypass other restrictions on the cPanel account such as demo mode or jailshell.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.46.0.15
11.44.1.22
11.42.1.29

Multiple Cases (7)

Summary

Multiple XSS vulnerabilities in various interfaces.

Description

Output filtering errors in several different interfaces allowed JavaScript inputs to be returned to the browser without proper filtering. The affected interfaces are listed below.

Case: 115757
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/stats/bwday.html, /frontend/x3/stats/bwday.html
Affected Releases: 11.46.0, 11.44.1, 11.42.1
Reporter: cPanel Security Team

Case: 115837
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/psql/addbs.html
Affected Releases: 11.46.0, 11.44.1
Reporter: cPanel Security Team

Case: 117153
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /scripts/doclonetheme
Affected Releases: 11.46.0, 11.44.1, 11.42.1
Reporter: cPanel Security Team

Case: 117673
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/subdomain/index.html, /frontend/paper_lantern/subdomain/index.html
Affected Releases: 11.46.0, 11.44.1, 11.42.1
Reporter: Vignesh Kumar

Case: 132617
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /scripts2/dogencrt
Affected Releases: 11.46.0, 11.44.1, 11.42.1
Reporter: cPanel Security Team

Case: 132657
Security Rating: Moderate
XSS Type: Stored
Interface: WHM
URLs: /scripts2/edit_sourceipcheck
Affected Releases: 11.46.0, 11.44.1, 11.42.1
Reporter: cPanel Security Team

Case: 133745
Security Rating: Important
XSS Type: Stored
Interface: WHM
URLs: /scripts2/ftpconfiguration, /scripts/resproftpd
Affected Releases: 11.46.0
Reporter: RACK911Labs.com

cPanel includes a comprehensive protection mechanism against XSS and XSRF attacks called Security Tokens. Security Tokens protection is enabled by default in all installs of cPanel & WHM. When Security Tokens protection is enabled, an attacker intending to utilize any self-XSS vulnerabilities must convince the victim to navigate their browser to the appropriate cPanel or WHM interface and manually input the JavaScript payload.

Credits

These issues were discovered by the respective reporters listed above.

Solution

These issues are resolved in the following builds:

11.46.0.15
11.44.1.22
11.42.1.29

For the PGP-signed message, see http://cpanel.net/wp-content/uploads/2014/11/TSR-2014-0008-Disclosure.txt.

If you would like to sign up for Security notices, please go to https://cpanel.net/mailing-lists.