The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

cPanel TSR-2015-0004 Full Disclosure

Discussion in 'cPanel Announcements' started by cPanelCory, Jul 22, 2015.

  1. cPanelCory

    cPanelCory Developer - cPanel Security Team
    Staff Member

    Joined:
    Jan 18, 2008
    Messages:
    69
    Likes Received:
    5
    Trophy Points:
    8
    Location:
    Houston
    cPanel Access Level:
    Root Administrator
    cPanel TSR-2015-0004 Full Disclosure

    SEC-25

    Summary

    Feature requirements not enforced correctly by adminbins.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)

    Description

    Several adminbin scripts did not properly verify the features enabled for the cPanel account running the adminbin script. This allowed cPanel users to perform some configuration functions that were disabled for the account.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.50.0.27
    11.48.4.6
    11.46.3.8

    SEC-35

    Summary

    Arbitrary file overwrite via cpbackup-exclude.conf lock file.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 6.3 (AV:N/AC:M/Au:S/C:N/I:C/A:N)

    Description

    The cPanel & WHM account backup system allows users to exclude files from backups by placing a file named cpbackup-exclude.conf in the user's home directory. During backup operations, this file was locked, opened, and read by root. An attacker could leverage this behavior to overwrite arbitrary files on the system.

    Credits

    This issue was discovered by RACK911Labs.com.

    Solution

    This issue is resolved in the following builds:
    11.50.0.27
    11.48.4.6
    11.46.3.8

    SEC-36

    Summary

    Arbitrary code execution via relative RPATH in PostgreSQL binaries.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)

    Description

    The incorrect LDFLAGS were passed to the PostgreSQL build process. This resulted in an invalid RPATH being added to the PostgreSQL shared objects and binaries used by cPanel & WHM. An attacker could use this flaw to execute arbitrary code if the binaries or libraries were loaded inside of the attacker's home directory.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.50.0.27
    11.48.4.6
    11.46.3.8

    SEC-37

    Summary

    Disclosure of files owned by nobody.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

    Description

    The cPanel & WHM account backup system records a list of files inside the user's home directory that are owned by the 'nobody' user. The list was generated while running with root privileges. This behavior allowed an attacker to discover the locations of files owned by the 'nobody' user inside paths the attacker could not traverse.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.50.0.27
    11.48.4.6
    11.46.3.8

    SEC-38

    Summary

    Arbitrary file overwrite via passwordforce lock file.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 6.3 (AV:N/AC:M/Au:S/C:N/I:C/A:N)

    Description

    The forcepasswordchange WHM API call locks, reads, and writes the 'passwordforce' file inside a user's home directory. These operations were performed with root privileges, which allowed an attacker to overwrite arbitrary files on the system.

    Credits

    This issue was discovered by RACK911Labs.com.

    Solution

    This issue is resolved in the following builds:
    11.50.0.27
    11.48.4.6
    11.46.3.8

    SEC-39

    Summary

    Arbitrary file append by updating an account's password.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 6.3 (AV:N/AC:M/Au:S/C:N/I:C/A:N)

    Description

    When updating an account's password, the .my.cnf file in a user's home directory will be updated with the accounts new password. The modification of the .my.cnf file was being performed with root privileges, which allowed an attacker to append this data to other sensitive files on the system.

    Credits

    This issue was discovered by RACK911Labs.com.

    Solution

    This issue is resolved in the following builds:
    11.50.0.27
    11.48.4.6
    11.46.3.8

    SEC-42

    Summary

    Email sending limits not enforced in jailshell.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

    Description

    The email limits for an account are tracked using file in the /var/cpanel/email_send_limits directory. Inside a jailshell environment this directory was mounted read-only, preventing EXIM from enforcing the configured mail rate limits.

    Credits

    This issue was discovered by Matt Sheldon.

    Solution

    This issue is resolved in the following builds:
    11.50.0.27
    11.48.4.6
    11.46.3.8

    SEC-43

    Summary

    ModSecurity rules not enforced on default virtualhost.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

    Description

    ModSecurity filtering is disabled for web traffic passed to the cPanel, WHM, and Webmail interfaces through proxydomains. The configuration directives used for this purpose incorrectly disabled ModSecurity filtering for all HTTP traffic directed at the server hostname or userdir URLs.

    Credits

    This issue was discovered by Alex Kwiecinski.

    Solution

    This issue is resolved in the following builds:
    11.50.0.27
    11.48.4.6
    11.46.3.8

    For the signed PGP version: http://news.cpanel.com/wp-content/uploads/2015/07/TSR-2015-0004-Disclosure.txt
     
Loading...

Share This Page