cPanel TSR-2016-0001 Full Disclosure

Discussion in 'cPanel Announcements' started by cPanelCory, Jan 26, 2016.

    SEC-46

    Summary

    Arbitrary code execution via unsafe @INC path.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)

    Description

    The Perl scripts that collectively make up the cPanel & WHM product were not uniformly filtering the current working directory '.' from Perl's module library load path (@INC). Under some circumstances, this allowed an attacker with the ability to modify the contents of the working directory to run arbitrary code as the user who executes the script.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.54.0.4
    11.52.2.4
    11.50.4.3
    11.48.5.2

    SEC-69

    Summary

    Limited arbitrary file modification during account modification.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)

    Description

    During account modification, file changes were performed as the root user inside the cPanel account's home directory. By creating a symbolic link in certain locations, an attacker was able to modify arbitrary files.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.52.2.4
    11.50.4.3
    11.48.5.2

    SEC-70

    Summary

    Arbitrary file read via bin/fmq script.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 4.9 (AV:N/AC:H/Au:S/C:C/I:N/A:N)

    Description

    The bin/fmq script performed unsafe file operations within a user's home directory. By creating a symlink to an arbitrary file, an attacker was able to read otherwise inaccessible files.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.54.0.4
    11.52.2.4
    11.50.4.3
    11.48.5.2

    SEC-71

    Summary

    SQL injection vulnerability in bin/horde_update_usernames.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 3.6 (AV:N/AC:H/Au:S/C:P/I:P/A:N)

    Description

    The bin/horde_update_usernames script performed SQL queries without the adequate escaping of untrusted data. This allowed the injection of arbitrary SQL statements.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.54.0.4
    11.52.2.4
    11.50.4.3
    11.48.5.2

    SEC-72

    Summary

    Arbitrary code execution vulnerability during locale duplication.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C)

    Description

    During the execution of locale_duplicate.cgi, temporary files were created in an unsafe manner. By careful manipulation of the temporary files, an attacker could inject and execute arbitrary shell commands.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.54.0.4
    11.52.2.4
    11.50.4.3
    11.48.5.2

    SEC-73

    Summary

    Password hashes revealed by bin/mkvhostspasswd script.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

    Description

    The bin/mkvhostspasswd script creates a temporary working file while updating the passwd.vhosts file. The permissions on this temporary file were in an insecure state momentarily. This allowed an attacker to read the file's contents.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.54.0.4
    11.52.2.4
    11.50.4.3
    11.48.5.2

    SEC-74

    Summary

    Limited arbitrary file read in bin/setup_global_spam_filter.pl.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)

    Description

    The bin/setup_global_spam_filter.pl script performed unsafe file operations in the home directory of the cPanel accounts as the root user. By manipulating the input files, an attacker was able to view the content of arbitrary files on the system.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.54.0.4
    11.52.2.4
    11.50.4.3
    11.48.5.2

    SEC-76

    Summary

    Code execution as shared users via JSON-API.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 4.9 (AV:N/AC:M/Au:S/C:P/I:P/A:N)

    Description

    The cPanel URL dispatch logic for JSON and XML API calls allowed cPanel and Webmail accounts to call API commands while running with the privileges of shared user accounts.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.54.0.4
    11.52.2.4
    11.50.4.3
    11.48.5.2

    SEC-77

    Summary

    Password hash revealed by chcpass script.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

    Description

    The scripts/chcpass script allowed the crypted form of a user's password stored in the /etc/shadow file to be updated. It took the crypted password as a command line argument, exposing this information to other users on the system. This code was not actively used by the cPanel & WHM product and has been removed.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.54.0.4
    11.52.2.4
    11.50.4.3
    11.48.5.2

    SEC-78

    Summary

    Arbitrary file overwrite in scripts/check_system_storable.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

    Description

    By default, the check_system_storable script created a predictable .tmp file in an insecure location. This allowed an attacker to overwrite arbitrary files on the system.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.54.0.4
    11.52.2.4
    11.50.4.3
    11.48.5.2

    SEC-79

    Summary

    Arbitrary file chown/chmod during Roundcube database conversions.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 5.9 (AV:A/AC:H/Au:S/C:C/I:C/A:N)

    Description

    During the MySQL to SQLite database conversion process for Roundcube, a chown and chmod was performed as the root user within a user-writable directory. This allowed an attacker to gain control of arbitrary files on the system.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.54.0.4
    11.52.2.4
    11.50.4.3
    11.48.5.2

    SEC-80

    Summary

    Arbitrary file read and write via scripts/fixmailboxpath.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 7.5 (AV:N/AC:L/Au:S/C:C/I:P/A:N)

    Description

    The fixmailboxpath script performed file read and write operations as root inside the cPanel users' home directories.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.54.0.4
    11.52.2.4
    11.50.4.3
    11.48.5.2

    SEC-81

    Summary

    Arbitrary file overwrite in scripts/quotacheck.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 4.9 (AV:N/AC:M/Au:S/C:P/I:P/A:N)

    Description

    The quotacheck script performed reads and writes of files in cPanel users' home directories while running as the root user. This allowed an attacker to overwrite arbitrary files on the system.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.54.0.4
    11.52.2.4
    11.50.4.3
    11.48.5.2

    SEC-82

    Summary

    Limited arbitrary file chmod in scripts/secureit.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

    Description

    During the cPanel installation process, the secureit script searches the /usr/ directory for setuid and setgid files. After filtering this list, it removes the setuid and setgid bits from any remaining files. The filtering logic did not account for the world-writable ModSecurity audit log directory, which allowed an attacker to remove the setuid and setgid bits from arbitrary files or folders on the system.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.54.0.4
    11.52.2.4
    11.50.4.3
    11.48.5.2

    SEC-83

    Summary

    Arbitrary code execution via scripts/synccpaddonswithsqlhost.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)

    Description

    Unsafe file operations within a user's home directory in combination with a string eval allowed an attacker to execute arbitrary code as root when the synccpaddonswithsqlhost script was executed.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.54.0.4
    11.52.2.4
    11.50.4.3
    11.48.5.2

    SEC-84

    Summary

    Self-XSS in WHM PHP Configuration editor interface.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

    Description

    The SMTP field was not sufficiently escaped when displayed on the WHM PHP Configuration editor output in Advanced Mode.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.54.0.4
    11.52.2.4
    11.50.4.3
    11.48.5.2

    SEC-85

    Summary

    Missing ACL enforcement in AppConfig subsystem.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

    Description

    AppConfig did not perform proper ACL or feature list checks when a "user" was not specified or the "dynamic_user" functionality was used. In these circumstances a user could access the app regardless of any ACLs or feature requirements.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.54.0.4
    11.52.2.4
    11.50.4.3
    11.48.5.2

    SEC-86

    Summary

    Stored XSS in WHM Feature Manager interface.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)

    Description

    Package names were not sufficiently escaped when displayed on the WHM Feature Manager interface.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.54.0.4
    11.52.2.4

    SEC-87

    Summary

    Self-XSS in X3 Entropy Banner interface.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I/A:N)

    Description

    The "link" variable was not sufficiently escaped when displayed on the changelink.html page in the X3 Entropy Banner interfaces.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.54.0.4
    11.52.2.4
    11.50.4.3
    11.48.5.2

    SEC-91

    Summary

    Unauthenticated arbitrary code execution via cpsrvd.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

    Description

    cPanel & WHM's internal web server, cpsrvd, did not correctly filter the request URI when processing incoming requests. Due to this, it was possible for an unauthenticated attacker to read arbitrary files and execute arbitrary scripts.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.54.0.4
    11.52.2.4
    11.50.4.3
    11.48.5.2

    For the PGP Signed version of this disclosure please visit https://news.cpanel.com/wp-content/uploads/2016/01/TSR-2016-0001-Disclosure.txt
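
The following is an added example, not part of the cPanel disclosure and not cPanel's patch: a general way to apply the hardening that SEC-46 describes, filtering '.' and other relative entries out of @INC before any module loads, plus a check for library directories that other users can write to. The function name risky_inc_dirs is hypothetical.

```perl
#!/usr/bin/perl
# Must come before any other "use": BEGIN blocks run at compile time in
# source order, so later module loads only see the filtered @INC.
BEGIN {
    # Keep code-ref hooks and absolute directories; drop '.', '' and every
    # other relative entry, which resolve against the working directory.
    @INC = grep { ref($_) || (defined($_) && m{^/}) } @INC;
}
use strict;
use warnings;

# Report @INC directories that someone other than root or the current user
# could write to; a writable library directory is as dangerous as '.'.
# (Hypothetical helper name, written for this example.)
sub risky_inc_dirs {
    my @findings;
    for my $dir (@INC) {
        next if ref $dir;                 # hooks are code, not paths
        my @st = stat($dir) or next;      # skip entries that do not exist now
        my ($mode, $uid) = @st[2, 4];
        push @findings, "$dir is group/world writable" if $mode & 0022;
        push @findings, "$dir is owned by uid $uid"
            if $uid != 0 && $uid != $>;
    }
    return @findings;
}

my @findings = risky_inc_dirs();
print "WARN: $_\n" for @findings;
print "OK: no relative or writable \@INC entries\n" unless @findings;
exit(@findings ? 1 : 0);
```

Perl 5.26 and later no longer include '.' in @INC by default; the explicit filter still matters for older interpreters and for scripts that are started with PERL5LIB or -I set by the caller.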
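
Several items above (SEC-70, SEC-73, SEC-78) involve a privileged script following a symlink or using a loosely created temporary file. The following added example, which is not cPanel's code or fix, shows two general mitigations on constructed files in a throwaway directory: a symlink-refusing open that validates the opened inode, and an atomic replace through a private working file. The function names open_user_file and replace_file are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_RDONLY O_NOFOLLOW O_NONBLOCK S_ISREG);
use File::Basename qw(dirname);
use File::Temp qw(tempdir tempfile);

# Open $path without following a symlink in its last component, then check
# the opened inode itself (fstat on the handle), not the name, before use.
sub open_user_file {
    my ($path, $expected_uid) = @_;
    sysopen(my $fh, $path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK)
        or return (undef, "open refused: $!");
    my @st = stat($fh);
    return (undef, 'not a regular file')  unless S_ISREG($st[2]);
    return (undef, 'multiple hard links') unless $st[3] == 1;
    return (undef, 'unexpected owner')    unless $st[4] == $expected_uid;
    return ($fh, undef);
}

# Replace $target through a working file with an unpredictable name that
# File::Temp creates with O_EXCL and mode 0600, so it never exists with
# looser permissions and only appears under the final name via rename().
# Assumes the directory of $target is not writable by untrusted users.
sub replace_file {
    my ($target, $content, $mode) = @_;
    my ($fh, $tmp) = tempfile('.newXXXXXXXX', DIR => dirname($target));
    print {$fh} $content  or die "write $tmp: $!";
    chmod($mode, $fh)     or die "chmod $tmp: $!";
    close($fh)            or die "close $tmp: $!";
    rename($tmp, $target) or die "rename $tmp: $!";
    return 1;
}

# Constructed demonstration: one regular file and one symlink to it.
my $dir = tempdir(CLEANUP => 1);
replace_file("$dir/real.txt", "sample\n", 0600);
symlink("$dir/real.txt", "$dir/link.txt") or die "symlink: $!";

for my $name (qw(real.txt link.txt)) {
    my ($fh, $err) = open_user_file("$dir/$name", $>);
    printf "%-8s %s\n", $name, $fh ? 'opened' : $err;
}
```

O_NOFOLLOW only covers the final path component; when intermediate directories are user-controlled, the privileged process should switch to the account's uid and gid before touching the files, so the kernel enforces that user's permissions.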
     