cPanel TSR-2015-0004 Full Disclosure

cPanelCory

Release Manager - EasyApache
Staff member
Jan 18, 2008
69
5
133
Houston
cPanel Access Level
Root Administrator
cPanel TSR-2015-0004 Full Disclosure

SEC-25

Summary

Feature requirements not enforced correctly by adminbins.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)

Description

Several adminbin scripts did not properly verify the features enabled for the cPanel account running the adminbin script. This allowed cPanel users to perform some configuration functions that were disabled for the account.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.50.0.27
11.48.4.6
11.46.3.8

SEC-35

Summary

Arbitrary file overwrite via cpbackup-exclude.conf lock file.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 6.3 (AV:N/AC:M/Au:S/C:N/I:C/A:N)

Description

The cPanel & WHM account backup system allows users to exclude files from backups by placing a file named cpbackup-exclude.conf in the user's home directory. During backup operations, this file was locked, opened, and read by root. An attacker could leverage this behavior to overwrite arbitrary files on the system.

Credits

This issue was discovered by RACK911Labs.com.

Solution

This issue is resolved in the following builds:
11.50.0.27
11.48.4.6
11.46.3.8

SEC-36

Summary

Arbitrary code execution via relative RPATH in PostgreSQL binaries.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)

Description

The incorrect LDFLAGS were passed to the PostgreSQL build process. This resulted in an invalid RPATH being added to the PostgreSQL shared objects and binaries used by cPanel & WHM. An attacker could use this flaw to execute arbitrary code if the binaries or libraries were loaded inside of the attacker's home directory.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.50.0.27
11.48.4.6
11.46.3.8

SEC-37

Summary

Disclosure of files owned by nobody.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

Description

The cPanel & WHM account backup system records a list of files inside the user's home directory that are owned by the 'nobody' user. The list was generated while running with root privileges. This behavior allowed an attacker to discover the locations of files owned by the 'nobody' user inside paths the attacker could not traverse.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.50.0.27
11.48.4.6
11.46.3.8

SEC-38

Summary

Arbitrary file overwrite via passwordforce lock file.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 6.3 (AV:N/AC:M/Au:S/C:N/I:C/A:N)

Description

The forcepasswordchange WHM API call locks, reads, and writes the 'passwordforce' file inside a user's home directory. These operations were performed with root privileges, which allowed an attacker to overwrite arbitrary files on the system.

Credits

This issue was discovered by RACK911Labs.com.

Solution

This issue is resolved in the following builds:
11.50.0.27
11.48.4.6
11.46.3.8

SEC-39

Summary

Arbitrary file append by updating an account's password.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 6.3 (AV:N/AC:M/Au:S/C:N/I:C/A:N)

Description

When updating an account's password, the .my.cnf file in a user's home directory will be updated with the accounts new password. The modification of the .my.cnf file was being performed with root privileges, which allowed an attacker to append this data to other sensitive files on the system.

Credits

This issue was discovered by RACK911Labs.com.

Solution

This issue is resolved in the following builds:
11.50.0.27
11.48.4.6
11.46.3.8

SEC-42

Summary

Email sending limits not enforced in jailshell.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Description

The email limits for an account are tracked using file in the /var/cpanel/email_send_limits directory. Inside a jailshell environment this directory was mounted read-only, preventing EXIM from enforcing the configured mail rate limits.

Credits

This issue was discovered by Matt Sheldon.

Solution

This issue is resolved in the following builds:
11.50.0.27
11.48.4.6
11.46.3.8

SEC-43

Summary

ModSecurity rules not enforced on default virtualhost.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Description

ModSecurity filtering is disabled for web traffic passed to the cPanel, WHM, and Webmail interfaces through proxydomains. The configuration directives used for this purpose incorrectly disabled ModSecurity filtering for all HTTP traffic directed at the server hostname or userdir URLs.

Credits

This issue was discovered by Alex Kwiecinski.

Solution

This issue is resolved in the following builds:
11.50.0.27
11.48.4.6
11.46.3.8

For the signed PGP version: http://news.cpanel.com/wp-content/uploads/2015/07/TSR-2015-0004-Disclosure.txt