
cPanel TSR-2016-0003 Full Disclosure

Discussion in 'cPanel Announcements' started by cPanelCory, May 17, 2016.

    Posted by cPanelCory, Developer - cPanel Security Team (Staff Member)

    SEC-58

    Summary

    SQLite journal allowed for arbitrary file overwrite during Horde Restore.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 6.6 (AV:N/AC:H/Au:S/C:C/I:C/A:N)

    Description

    During a Horde restore using the old-style CSV data files, the SQLite database is opened as the user. However, actual writes were done as root, and SQLite does not open the journal file until these writes are made. This allowed the journal file to be opened as the root user permitting arbitrary files to be overwritten.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.56.0.15
    11.54.0.24
    11.52.6.1
    11.50.6.2
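    The root cause of SEC-58 is timing: SQLite creates its rollback journal on the first write, not when the database is opened, so whichever uid performs the write owns the journal path. The following added example (not cPanel's restore code) demonstrates that lifecycle with Python's sqlite3 on a temporary database, and shows a hypothetical `write_prefs` helper that refuses to write a user-owned database as root.

```python
import os
import sqlite3
import tempfile


def journal_lifecycle(db_path):
    """Return (after_open, during_write, after_commit): whether the rollback
    journal '<db>-journal' exists at each stage of a write transaction."""
    journal = db_path + "-journal"
    conn = sqlite3.connect(db_path)
    conn.execute("PRAGMA journal_mode=DELETE")   # classic rollback journal
    after_open = os.path.exists(journal)          # nothing written yet
    conn.execute("CREATE TABLE IF NOT EXISTS prefs (k TEXT, v TEXT)")
    # The INSERT begins a write transaction: only now does SQLite create the
    # journal file, with the uid and umask of the process doing the write.
    conn.execute("INSERT INTO prefs VALUES ('theme', 'silver')")
    during_write = os.path.exists(journal)
    conn.commit()                                 # journal removed again
    after_commit = os.path.exists(journal)
    conn.close()
    return after_open, during_write, after_commit


def write_prefs(db_path, rows):
    """Hardened write path (hypothetical helper): never touch a user-owned
    database as root, so the journal is created by the same unprivileged
    uid that opened the database."""
    if os.geteuid() == 0:
        raise PermissionError("refusing to write a user database as root")
    with sqlite3.connect(db_path) as conn:
        conn.executemany("INSERT INTO prefs VALUES (?, ?)", rows)
    return len(rows)


def run_demo():
    """Run the lifecycle check on a constructed temporary database."""
    tmp = tempfile.mkdtemp()
    return journal_lifecycle(os.path.join(tmp, "horde.db"))
```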

    SEC-109

    Summary

    Demo account arbitrary code execution via ajax_maketext_syntax_util.pl.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)

    Description

    A Demo account user could execute code by passing certain maketext functions to the ajax_maketext_syntax_util.pl script. Demo accounts are now restricted from using the aforementioned script.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.56.0.15
    11.54.0.24
    11.52.6.1
    11.50.6.2

    SEC-110

    Summary

    Self XSS Vulnerability in Paper Lantern Landing Page.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

    Description

    The return_url parameter passed to the Paper Lantern landing page was not sufficiently encoded. This allowed an attacker to execute arbitrary code on the rendered page.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.56.0.15
    11.54.0.24

    SEC-112

    Summary

    Limited denial of service via /scripts/killpvhost.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:N/A:P)

    Description

    The killpvhost script did not adequately escape the passed domain name when matching it against entries in the ProFTPD configuration file. By removing an account that contains regular expression metacharacters, an attacker could also cause the removal of a targeted account's dedicated IP address FTP configuration.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.56.0.15
    11.54.0.24
    11.52.6.1
    11.50.6.2
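    The defect in SEC-112 is a domain name used as a regular expression without escaping. The added Python example below (not cPanel's Perl killpvhost script) runs a removal routine over a constructed stand-in for the dedicated-IP FTP entries, contrasting the unescaped match with one that applies `re.escape` and anchors the token; the single-line entry format is an assumption made to keep the sample short.

```python
import re

# Constructed stand-in for dedicated-IP FTP entries in a ProFTPD config.
# Real cPanel entries are multi-line <VirtualHost> blocks; one line per
# entry is enough to show the matching problem.
SAMPLE_CONFIG = """\
# ftp vhost 192.0.2.10 a.example.com
# ftp vhost 192.0.2.11 axexample.com
# ftp vhost 192.0.2.12 other.example.org
"""


def remove_entries(config, domain, escape_meta=True):
    """Drop the entry for `domain`. Returns (remaining_text, removed_count).

    escape_meta=False reproduces the bug class: '.' in the domain matches
    any character, and a name such as '.*' matches every entry.
    """
    pat_text = re.escape(domain) if escape_meta else domain
    # Anchor to a whitespace-delimited token at end of line so the domain
    # cannot match a longer name that merely contains it.
    pat = re.compile(r"\s" + pat_text + r"\s*$")
    kept, removed = [], 0
    for line in config.splitlines():
        if pat.search(line):
            removed += 1
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed
```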

    SEC-113

    Summary

    /scripts/addpop and /scripts/delpop exposed TTYs.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C)

    Description

    When running /scripts/addpop and /scripts/delpop, root's TTY could be leaked to an unprivileged user.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.56.0.15
    11.54.0.24
    11.52.6.1
    11.50.6.2

    SEC-114

    Summary

    /scripts/checkinfopages exposed TTY to unprivileged process.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C)

    Description

    When running /scripts/checkinfopages, root's TTY could be leaked to an unprivileged user.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.56.0.15
    11.54.0.24
    11.52.6.1
    11.50.6.2

    SEC-115

    Summary

    /scripts/maildir_converter exposed TTY to unprivileged process.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C)

    Description

    When running /scripts/maildir_converter, root's TTY could be leaked to an unprivileged user.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.56.0.15
    11.54.0.24
    11.52.6.1
    11.50.6.2

    SEC-116

    Summary

    /scripts/unsuspendacct exposed TTYs.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C)

    Description

    When running /scripts/unsuspendacct, root's TTY could be leaked to an unprivileged user.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.56.0.15
    11.54.0.24
    11.52.6.1
    11.50.6.2

    SEC-117

    Summary

    /scripts/enablefileprotect exposed TTYs.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C)

    Description

    When running /scripts/enablefileprotect, root's TTY could be leaked to an unprivileged user.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.56.0.15
    11.54.0.24
    11.52.6.1
    11.50.6.2
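    SEC-113 through SEC-117 share one cause: a root-run script handed its controlling terminal to code running as the account user. The added example below (not cPanel's code) shows the mitigation pattern for any privileged wrapper: launch the unprivileged child in a new session with its standard descriptors redirected, then verify from inside the child that no controlling TTY is reachable. The probe script and the `run_without_tty` helper are constructed for this example.

```python
import os
import subprocess
import sys

# Constructed probe executed inside the child. /dev/tty refers to the
# calling process's controlling terminal; opening it fails with ENXIO
# when the process has none.
CHILD_PROBE = r"""
import os
try:
    fd = os.open('/dev/tty', os.O_RDWR)
    os.close(fd)
    print('tty-reachable')
except OSError:
    print('no-tty')
"""


def run_without_tty(argv):
    """Run argv so the child neither inherits nor can reopen the parent's
    TTY. Returns the child's stdout, stripped. A real privileged wrapper
    would also drop to the account uid via preexec_fn before exec."""
    proc = subprocess.run(
        argv,
        stdin=subprocess.DEVNULL,    # fd 0 no longer points at the TTY
        stdout=subprocess.PIPE,      # fd 1 captured instead of the TTY
        stderr=subprocess.PIPE,      # fd 2 likewise
        start_new_session=True,      # setsid(): new session, no ctty
        check=True,
        text=True,
    )
    return proc.stdout.strip()


def child_probe_result():
    """Launch the probe under run_without_tty and report what it saw."""
    return run_without_tty([sys.executable, "-c", CHILD_PROBE])
```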

    SEC-118

    Summary

    Self-XSS in ftp account creation under addon domains.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

    Description

    Self-XSS existed in the FTP account creation section of the Addon Domain page due to unescaped HTML.

    Credits

    This issue was discovered by Saad Loukili.

    Solution

    This issue is resolved in the following builds:
    11.56.0.15
    11.54.0.24

    SEC-119

    Summary

    Demo restriction breakout via show_template.stor.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)

    Description

    Inconsistencies in the way cpsrvd handled the document parameter allowed for the show_template.stor script to be executed in an unexpected context. This allowed for arbitrary code to be executed under demo accounts.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.56.0.15
    11.54.0.24
    11.52.6.1
    11.50.6.2

    SEC-120

    Summary

    Arbitrary file read for Webmail accounts via Branding APIs.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)

    Description

    The cPanel API 1 Branding calls did not adequately validate the brandingpkg argument. This allowed for Webmail accounts to read arbitrary files under the owning cPanel account.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.56.0.15
    11.54.0.24
    11.52.6.1
    11.50.6.2

    SEC-121

    Summary

    Webmail account arbitrary code execution through forwarders.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)

    Description

    The cPanel API calls that allow modification of an account's email forwarding settings did not properly sanitize the provided forwarding options. This allowed Webmail accounts to inject shell commands into the forwarding system.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.56.0.15
    11.54.0.24
    11.52.6.1
    11.50.6.2

    SEC-122

    Summary

    SSL certificate not verified during license updates.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)

    Description

    The SSL certificate of the cPanel license server was not verified during license update requests.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.54.0.24

    SEC-123

    Summary

    SQL Injection via ModSecurity TailWatch log file.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)

    Description

    When generating SQL statements for the ModSecurity TailWatch log file (used in the case that mysqld is not able to communicate), the values inserted into the statement were not properly interpolated. This allowed for arbitrary SQL to be injected into the file, which the admin of the server would then be prompted to run.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.56.0.15
    11.54.0.24
    11.52.6.1
    11.50.6.2
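    SEC-123 arises from storing SQL text with values interpolated into it for later replay. The added example below (not cPanel's TailWatch code) shows a safer design for such a deferred log: persist the pending records as JSON lines and replay them through parameterized statements, so a hostile field value stays data. The records are constructed, and sqlite3 stands in for the MySQL server the real log targets.

```python
import json
import sqlite3

# Constructed ModSecurity hits, one carrying a hostile field value.
HITS = [
    {"ip": "203.0.113.5", "host": "shop.example", "uri": "/index.php?id=1"},
    {"ip": "203.0.113.9", "host": "x'); DROP TABLE hits; --", "uri": "/"},
]


def write_deferred_log(hits):
    """Serialize pending hits as JSON lines. No SQL text is written, so a
    field value has no way to alter the statement replayed later."""
    return "".join(json.dumps(h) + "\n" for h in hits)


def replay_deferred_log(log_text, conn):
    """Replay the log into the database using placeholders only."""
    rows = [json.loads(line) for line in log_text.splitlines() if line]
    conn.executemany(
        "INSERT INTO hits (ip, host, uri) VALUES (?, ?, ?)",
        [(r["ip"], r["host"], r["uri"]) for r in rows],
    )
    conn.commit()
    return len(rows)


def demo():
    """Round-trip the constructed hits; returns (rows_inserted, hosts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hits (ip TEXT, host TEXT, uri TEXT)")
    n = replay_deferred_log(write_deferred_log(HITS), conn)
    hosts = [r[0] for r in conn.execute("SELECT host FROM hits ORDER BY ip")]
    return n, hosts
```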

    SEC-124

    Summary

    Log file permissions not set correctly in dnsadmin-startup and spamd-startup.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)

    Description

    When creating new log files, dnsadmin-startup and spamd-startup opened them with default world-readable permissions. This allowed for a potential leak of sensitive information.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.56.0.15

    SEC-125

    Summary

    User log files become world-readable when rotated by cpanellogd.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

    Description

    When rotating user log files, cpanellogd created the new empty files with world-readable permissions. This could potentially allow an attacker to read sensitive information.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.56.0.15
    11.54.0.24
    11.52.6.1
    11.50.6.2
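    SEC-124 and SEC-125 are the same mistake at creation and at rotation time: a log file that exists with world-readable bits even briefly. The added example below (not cPanel's daemon code) creates and rotates a log with mode 0600 passed to open(2), so umask can only tighten it, and contrasts that with a plain open() under the common 022 umask; paths, umask and log content are constructed.

```python
import os
import stat
import tempfile


def is_world_readable(path):
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def create_private_log(path):
    """Create or append to a log file that is private from the moment it
    exists: the 0600 mode is applied at creation, not fixed up afterwards."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    return os.fdopen(fd, "a")


def rotate_log(path):
    """Rotate by renaming the current file aside and creating the new empty
    file privately, which is the step cpanellogd got wrong in SEC-125."""
    os.rename(path, path + ".1")
    create_private_log(path).close()


def run_demo():
    """Returns (naive_world_readable, hardened_world_readable,
    rotated_world_readable) for files created under umask 022."""
    old_umask = os.umask(0o022)           # typical default on a server
    try:
        d = tempfile.mkdtemp()
        naive = os.path.join(d, "naive.log")
        open(naive, "a").close()          # plain open(): 0644 under 022
        hardened = os.path.join(d, "spamd.log")
        with create_private_log(hardened) as f:
            f.write("constructed log line\n")
        rotate_log(hardened)
        return (is_world_readable(naive),
                is_world_readable(hardened),
                is_world_readable(hardened + ".1"))
    finally:
        os.umask(old_umask)
```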

    For the PGP-Signed version of this document please visit https://news.cpanel.com/wp-content/uploads/2016/05/TSR-2016-0003-disclosure.txt.
     