cPanel TSR-2016-0004 Full Disclosure

cPanelCory

Release Manager - EasyApache
Staff member
Jan 18, 2008
69
5
133
Houston
cPanel Access Level
Root Administrator
cPanel TSR-2016-0004 Full Disclosure

SEC-130

Summary

Apache logfiles start with loose permissions.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:L/AC:L/Au:S/C:P/I:N/A:N)

Description

The Apache domlogs were originally populated with loose permissions during creation.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.58.0.4
11.56.0.27
11.54.0.26
11.52.6.2

SEC-133

Summary

WHM 'Purchase and Install an SSL Certificate' page lists all server domains.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)

Description

Under the WHM 'Purchase and Install an SSL Certificate' page, resellers could view all domains present on the server, rather than just those that they own. This could be used for domain name enumeration.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.58.0.4
11.56.0.27

SEC-134

Summary

File ownership change to 'nobody' via rearrangeacct.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 3.6 (AV:N/AC:H/Au:S/C:P/I:P/A:N)

Description

The method used to re-assign ownership of files to the 'nobody' user in rearrangeacct was subject to a time-of-check/time-of-use vulnerability. It was possible for an attacker to take limited advantage of this to cause the ownership of a file to be assigned to the 'nobody' user.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.58.0.4
11.56.0.27

SEC-137

Summary

Set the pear tmp directory during php install.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 1.0 (AV:L/AC:H/Au:S/C:N/I:P/A:N)

Description

When pear is installed, the default tmp directory was under /tmp. Other RPM's use pear and write predictable tmp files. The tmp directory was moved to /root to prevent anyone from tampering with these files.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.58.0.4
11.56.0.27
11.54.0.26
11.52.6.2

SEC-138

Summary

Demo mode breakout via Site Templates and Boxtrapper API calls.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Description

Using a combination of the Site Templates and Boxtrapper API calls, it was possible to create a php file and have it placed in the account's home directory. This allowed for an attacker to break out of a demo mode account.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.58.0.4
11.56.0.27

SEC-139

Summary

Improper session handling for shared users.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)

Description

The session storage location for the shared PHP web applications that run under cpsrvd was misconfigured. This allowed certain types of PHP object injection attacks.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.58.0.4
11.56.0.27
11.54.0.26

SEC-142

Summary

Code execution as other user accounts through the PHP CGI handler.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)

Description

Under some configurations the CGI PHP handler would execute PHP scripts as the wrong user and group.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.58.0.4
11.56.0.27
11.54.0.26
11.52.6.2

For the PGP-Signed version of this document please visit https://news.cpanel.com/wp-content/uploads/2016/07/TSR-2016-0004.disclosure.txt