
cPanel TSR-2016-0002 Full Disclosure

Discussion in 'cPanel Announcements' started by cPanelCory, Mar 22, 2016.

    cPanelCory (Developer - cPanel Security Team)
    cPanel TSR-2016-0002 Full Disclosure

    SEC-31

    Summary

    Daemons can access their controlling TTY.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)

    Description

    Daemonized code is not fully detached from its parent process. This allows an attacker to control a TTY they do not own.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.54.0.20
    11.52.4.1
    11.50.5.2

    SEC-75

    Summary

    scripts/addpop discloses password in process list.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)

    Description

    The addpop and cpanel-email.pl scripts both expose passwords to other users via the process list when using the '--password' flag. This behavior can be prevented by not using the '--password' flag and entering the password during the execution of the script.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.54.0.20
    11.52.4.1
    11.50.5.2

    SEC-88

    Summary

    Self XSS Vulnerability in X3 Reseller Branding Images.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

    Description

    The branding package name was not adequately encoded when used to generate a path to branded images. An attacker was able to take advantage of this to inject arbitrary code into the rendered pages.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.54.0.20
    11.52.4.1
    11.50.5.2

    SEC-89

    Summary

    MakeText interpolation allows arbitrary code execution as root.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)

    Description

    Before a reseller's branding configuration was processed, an incomplete user switch was performed that allowed for a switch back to the root user. When combined with a specifically crafted MakeText interpolated string, arbitrary code can be run as the root user.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.54.0.20
    11.52.4.1
    11.50.5.2

    SEC-90

    Summary

    Unauthenticated arbitrary code execution via DNS NS entry poisoning.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)

    Description

    Under some configurations, the server fetched DNS nameserver settings from remote DNS servers when a domain alias is created. The retrieved nameserver records were used in an insecure manner, which allowed arbitrary code execution as root during the domain alias creation process.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.54.0.20
    11.52.4.1
    11.50.5.2

    SEC-92

    Summary

    Bypass Security Policy by faking static documents.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 3.6 (AV:N/AC:H/Au:S/C:P/I:P/A:N)

    Description

    It was possible to bypass any security policies by ending a request in a static document extension type. Now static document requests are checked to be valid before the document request is passed through.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.54.0.20
    11.52.4.1
    11.50.5.2

    SEC-93

    Summary

    Bypass Two Factor Authentication with DNS clustering requests.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)

    Description

    In certain environments it was possible to bypass two factor authentication by using connections established by a DNS cluster request. Now when a connection performs a DNS cluster request, only DNS cluster requests will be allowed on that connection.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.54.0.20
    11.52.4.1
    11.50.5.2

    SEC-96

    Summary

    Self-Stored-XSS in WHM Edit System Mail Preferences.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

    Description

    A forwarding email address set to a piped value via the API command was unescaped when displayed in WHM. This value is now escaped properly.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.54.0.20
    11.52.4.1

    SEC-97

    Summary

    Arbitrary code execution via unsafe @INC path.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C)

    Description

    Several perl scripts that are unlikely to be executed directly on cPanel & WHM systems were missed during the initial implementation of global @INC filtering in TSR-2016-0001.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.54.0.20
    11.52.4.1
    11.50.5.2

    SEC-99

    Summary

    Arbitrary file read due to multipart form processing error.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 6.3 (AV:N/AC:M/Au:S/C:C/I:N/A:N)

    Description

    The Cpanel::Form::parseform() function was found to mishandle multipart data fields in a way that allowed arbitrary files to be read in several WHM interfaces.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.54.0.20
    11.52.4.1
    11.50.5.2

    SEC-100

    Summary

    ACL bypass for AppConfig applications via magic_revision.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 4.9 (AV:N/AC:M/Au:S/C:P/I:P/A:N)

    Description

    The magic_revision component of a URL is not properly accounted for when determining if a particular URL belongs to an AppConfig registered application. Because of this, it is possible to bypass ACLs required to run the application.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.54.0.20
    11.52.4.1
    11.50.5.2

    SEC-101

    Summary

    Force two factor auth check when possessing another account.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)

    Description

    A high privileged reseller could bypass the two factor authentication security policy by possessing another account. Users will now need to enter their own two factor authentication token when logging in by possessing an account.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.54.0.20

    SEC-102

    Summary

    FTP cPHulk bypass via account name munging.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

    Description

    The pureauth script used by PureFTPD performs some munging of the FTP username before verifying the password. The user name provided to cPHulkd is set before this munging occurs. When authenticating via FTP, cPHulkd does not consider usernames with different junk characters as the same user for each login attempt. Because of this, the login limit number is never reached and a block is never put into place.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.54.0.20
    11.52.4.1
    11.50.5.2

    SEC-104

    Summary

    Username based blocking broken for PRE requests in cPHulkd.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)

    Description

    The cPHulk daemon no longer signals a failure when a username is blocked during a PRE action. If the IP address was not blocked, then a success message was sent unconditionally.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.54.0.20
    11.52.4.1
    11.50.5.2

    SEC-105

    Summary

    Account suspension bypass via ftp.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 6 (AV:N/AC:M/Au:S/C:P/I:P/A:P)

    Description

    Certain accounts could be added to FTP accounts via the API that are considered system wide accounts and are able to bypass the account being suspended. Hardening the check of the account now prevents the bypassing of account suspension.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.54.0.20
    11.52.4.1
    11.50.5.2

    SEC-107

    Summary

    POP/IMAP cPHulk bypass via account name munging.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

    Description

    The cPanel email authentication performs some munging of the mail username before verifying the password. The username provided to cPHulkd is set before this munging occurs. When authenticating via mail, cPHulkd does not consider usernames with different junk characters as the same user for each login attempt. Because of this, the login limit number is never reached and a block is never put into place.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.54.0.20
    11.52.4.1
    11.50.5.2

    SEC-108

    Summary

    Arbitrary file read when authenticating with caldav.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)

    Description

    It was possible to send specially crafted authentication credentials to the caldav port that would allow you to read certain parts of the targeted file.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.54.0.20
    11.52.4.1
    11.50.5.2

    For the PGP-Signed version of this Disclosure please visit https://news.cpanel.com/wp-content/uploads/2016/03/TSR-2016-0002-disclosure.txt
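For SEC-31, an added illustration (not cPanel's code, not part of the post) of the detachment a daemon needs so that it cannot reach back to its parent's controlling TTY: a new session via setsid() plus a second fork so the survivor is never a session leader. The worker reports whether it still shares the parent's session and whether /dev/tty can still be opened; the non-detached path mimics the incomplete detachment the advisory describes. A real daemon would also redirect stdio to /dev/null, which is omitted here.

```python
import os


def _worker_report(detach: bool, parent_sid: int, write_fd: int) -> None:
    """Runs in the forked child; optionally detaches, then reports what it sees."""
    if detach:
        os.setsid()                # new session: no controlling terminal
        if os.fork() != 0:         # second fork: the survivor is not a session
            os._exit(0)            # leader, so it cannot re-acquire a TTY
        os.chdir("/")              # don't pin the parent's working directory
        os.umask(0o027)
    same_session = int(os.getsid(0) == parent_sid)
    try:
        # With no controlling terminal this open fails (typically ENXIO).
        fd = os.open("/dev/tty", os.O_RDWR | os.O_NOCTTY)
        os.close(fd)
        has_tty = 1
    except OSError:
        has_tty = 0
    os.write(write_fd, f"{same_session} {has_tty}\n".encode())
    os.close(write_fd)


def probe_detachment(detach: bool) -> dict:
    """Fork a worker and report whether it is still tied to our session/TTY."""
    parent_sid = os.getsid(0)
    read_fd, write_fd = os.pipe()
    pid = os.fork()
    if pid == 0:
        os.close(read_fd)
        try:
            _worker_report(detach, parent_sid, write_fd)
        finally:
            os._exit(0)
    os.close(write_fd)
    with os.fdopen(read_fd) as pipe:
        same_session, has_tty = (int(x) for x in pipe.read().split())
    os.waitpid(pid, 0)
    return {"same_session_as_parent": bool(same_session),
            "has_controlling_tty": bool(has_tty)}


if __name__ == "__main__":
    print("plain fork:", probe_detachment(False))
    print("setsid + double fork:", probe_detachment(True))
```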
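For SEC-102 and SEC-107, an added illustration (not cPanel's code, not part of the post) of why a brute-force counter must be keyed on the same canonical username the password check uses: with the raw submitted string as the key, each junk-character variant is a fresh identity and the block threshold is never reached. The normalisation rule, the threshold and the sample names are assumptions, not cPHulk's actual behaviour.

```python
import re
from collections import defaultdict

MAX_FAILURES = 5   # assumed threshold; cPHulk's real limits are configurable


def canonical_user(submitted: str) -> str:
    """Assumed stand-in for the munging the auth path does before checking the
    password (not cPanel's actual rules): trim, lower-case, drop characters
    outside a conservative login-name alphabet."""
    return re.sub(r"[^a-z0-9._@-]", "", submitted.strip().lower())


class FailureCounter:
    """Counts failed logins per user and says when the user should be blocked."""

    def __init__(self, key_on_canonical_name: bool):
        self.key_on_canonical_name = key_on_canonical_name
        self.failures = defaultdict(int)

    def record_failure(self, submitted: str) -> bool:
        # The bug class in SEC-102/107: the counter is fed the raw string while
        # the password check runs on the munged one. Keying on the canonical
        # name makes every variant count against a single identity.
        key = canonical_user(submitted) if self.key_on_canonical_name else submitted
        self.failures[key] += 1
        return self.failures[key] >= MAX_FAILURES   # True: place a block


def failures_before_block(counter: FailureCounter, attempts: list) -> int:
    """Feed a sequence of submitted names; return the attempt number at which a
    block would be placed, or 0 if the sequence never triggers one."""
    for n, name in enumerate(attempts, start=1):
        if counter.record_failure(name):
            return n
    return 0


# Constructed sample: one identity submitted with varying junk characters.
VARIANTS = ["alice", "Alice", " alice", "alice!", "ALICE ", "al#ice"]

if __name__ == "__main__":
    print("raw key, block at attempt:", failures_before_block(FailureCounter(False), VARIANTS))
    print("canonical key, block at attempt:", failures_before_block(FailureCounter(True), VARIANTS))
```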