
cPanel TSR-2016-0006 Full Disclosure

Discussion in 'cPanel Announcements' started by cPanelJackson, Nov 22, 2016.

    cPanelJackson, Product Owner - cPanel Security Team (Staff Member)

    SEC-158

    Summary

    Arbitrary file overwrite when account domain is modified.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 6.3 (AV:N/AC:M/Au:S/C:N/I:C/A:N)

    Description

    When an account's domain name was modified, changes to the .htaccess file were performed as root. It was possible to take advantage of this in order to overwrite arbitrary files.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.58.0.37
    11.56.0.39
    11.54.0.33

    SEC-159

    Summary

    Stored XSS in WHM Repair Mailbox Permissions interface.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)

    Description

    The output of the mailperm script that repairs permissions of mailbox related files did not properly escape file and directory names.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.60.0.25
    11.58.0.37
    11.56.0.39
    11.54.0.33

    SEC-160

    Summary

    Stored XSS Vulnerability in the WHM Manage cPAddons interface.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)

    Description

    The cpaddons_report.cgi script was not properly escaping output when performing cPAddons management operations in WHM.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.58.0.37
    11.56.0.39
    11.54.0.33

    SEC-161

    Summary

    File overwrite during preparation for MySQL upgrades.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 4.9 (AV:N/AC:H/Au:S/C:N/I:C/A:N)

    Description

    Before performing a MySQL upgrade, the existing my.cnf is checked and updated with new values if needed. During this process it was possible for an unprivileged user to overwrite existing files. The my.cnf file is now handled in a secure directory to prevent any tampering.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.60.0.25
    11.58.0.37
    11.56.0.39
    11.54.0.33

    SEC-162

    Summary

    Open redirect via /cgi-sys/FormMail-clone.cgi.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

    Description

    There was an open redirect in the missing_fields_redirect parameter in FormMail-clone.cgi.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.60.0.25
    11.58.0.37
    11.56.0.39
    11.54.0.33
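An open redirect of the kind described in SEC-162 is closed by validating the redirect target against an allow-list before issuing the redirect. The following Python example is added here and is not cPanel's code or the FormMail-clone.cgi fix; the hostname set and the fallback URL are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list: hosts this form is permitted to send a browser to.
ALLOWED_HOSTS = {"www.example.com", "example.com"}
FALLBACK = "/thank-you.html"   # constructed same-site page used when the target is rejected


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Return True only for a site-relative path or an http(s) URL whose host is allowed."""
    if not target:
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: accept a single leading "/", but not "//host" (protocol-relative)
        # or "/\host", which some browsers normalise to "//host".
        return target.startswith("/") and not target.startswith(("//", "/\\"))
    if parts.scheme.lower() not in ("http", "https"):
        return False                      # javascript:, data:, etc.
    # hostname strips any "user@" prefix, so "http://www.example.com@evil.example/" is judged
    # by its real host, evil.example, and rejected.
    host = (parts.hostname or "").lower()
    return host in allowed_hosts


def resolve_redirect(target, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Value to place in the Location header: the validated target or the fallback page."""
    return target if is_safe_redirect(target, allowed_hosts) else fallback


if __name__ == "__main__":
    for t in ["/thanks.html", "https://www.example.com/thanks", "https://evil.example/",
              "//evil.example/", "javascript:alert(1)"]:
        print("%-35s -> %s" % (t, resolve_redirect(t)))
```

The check is deliberately an allow-list: it names the hosts that are acceptable rather than trying to enumerate hostile ones, and it treats anything that is not clearly a same-site path or an allowed absolute URL as a rejection.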

    SEC-164

    Summary

    Arbitrary file overwrites when updating Roundcube.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 6.3 (AV:N/AC:M/Au:S/C:N/I:C/A:N)

    Description

    When updating Roundcube, file operations were performed in the user's home directory as root. It was possible to take advantage of this in order to overwrite arbitrary files.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.60.0.25
    11.58.0.37
    11.56.0.39
    11.54.0.33

    SEC-165

    Summary

    File create and chmod via ModSecurity Audit logfile processing.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)

    Description

    The archiving and removal of per-user ModSecurity audit records did not ensure that the user's directory was of the correct type and ownership. This allowed creating files and changing the permissions of files as the target user.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.60.0.25
    11.58.0.37
    11.56.0.39
    11.54.0.33
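SEC-158, SEC-164, SEC-165 and SEC-173 share one root cause: a privileged process operated on paths inside a user-controlled home directory without verifying, at each step, that it was touching what it expected. The defensive pattern is to walk the path one component at a time with O_NOFOLLOW and check the ownership and type of every opened object. The Python example below is added as an illustration of that pattern; it is not cPanel's code, and the directory layout it builds is constructed in a temporary directory.

```python
import os
import stat
import tempfile


class UnsafePath(Exception):
    """Raised when a path inside a user's home does not pass the ownership/type checks."""


def _check_owner(fd, expected_uid, name, want_dir):
    st = os.fstat(fd)                      # inspect the object we actually opened
    if st.st_uid != expected_uid:
        raise UnsafePath("%s is owned by uid %d, expected %d" % (name, st.st_uid, expected_uid))
    if want_dir and not stat.S_ISDIR(st.st_mode):
        raise UnsafePath("%s is not a directory" % name)
    if not want_dir and not stat.S_ISREG(st.st_mode):
        raise UnsafePath("%s is not a regular file" % name)


def open_in_home(home, relpath, expected_uid, flags=os.O_RDONLY):
    """Open home/relpath one component at a time, never following symlinks, and refuse any
    directory or file not owned by expected_uid. Returns a file descriptor the caller closes."""
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise UnsafePath("empty path or parent reference: %r" % relpath)
    try:
        dirfd = os.open(home, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    except OSError as exc:
        raise UnsafePath("cannot open %s: %s" % (home, exc)) from exc
    try:
        _check_owner(dirfd, expected_uid, home, want_dir=True)
        for comp in parts[:-1]:
            try:   # O_NOFOLLOW makes a symlink component fail with ELOOP instead of being followed
                nextfd = os.open(comp, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dirfd)
            except OSError as exc:
                raise UnsafePath("cannot open component %s: %s" % (comp, exc)) from exc
            os.close(dirfd)
            dirfd = nextfd
            _check_owner(dirfd, expected_uid, comp, want_dir=True)
        try:
            fd = os.open(parts[-1], flags | os.O_NOFOLLOW | os.O_NOCTTY, dir_fd=dirfd)
        except OSError as exc:
            raise UnsafePath("cannot open %s: %s" % (parts[-1], exc)) from exc
    finally:
        os.close(dirfd)
    try:
        _check_owner(fd, expected_uid, parts[-1], want_dir=False)
    except UnsafePath:
        os.close(fd)
        raise
    return fd


def demo():
    """Constructed layout: home/public_html/.htaccess is a real file, home/evil/.htaccess is a
    symlink to a file outside the home. Returns (contents_of_real_file, symlink_was_rejected)."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "home")
        outside = os.path.join(tmp, "outside.txt")
        os.makedirs(os.path.join(home, "public_html"))
        os.mkdir(os.path.join(home, "evil"))
        with open(os.path.join(home, "public_html", ".htaccess"), "w") as f:
            f.write("RewriteEngine on\n")
        with open(outside, "w") as f:
            f.write("not part of this home\n")
        os.symlink(outside, os.path.join(home, "evil", ".htaccess"))
        uid = os.getuid()
        with os.fdopen(open_in_home(home, "public_html/.htaccess", uid), "r") as f:
            legit = f.read()
        try:
            open_in_home(home, "evil/.htaccess", uid)
            rejected = False
        except UnsafePath:
            rejected = True
        return legit, rejected


if __name__ == "__main__":
    print(demo())
```

The ownership check cannot be exercised without root in the demo, so the constructed layout only shows the symlink case; in a privileged service the uid comparison is what stops a user from pointing the walk at a directory they do not own. Dropping privileges to the account's uid before touching its files removes the need for most of this logic and is the stronger fix where the operation allows it.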

    SEC-168

    Summary

    Enforce feature list restrictions when calling the multilang adminbin.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 1.7 (AV:L/AC:L/Au:S/C:N/I:P/A:N)

    Description

    The multilang adminbin did not check if the calling user had the multilang feature enabled.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.60.0.25
    11.58.0.37
    11.56.0.39
    11.54.0.33

    SEC-169

    Summary

    Arbitrary code execution for ACL limited resellers during account creation.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C)

    Description

    A flaw in the new account creation process resulted in the Ruby 'gem' command running with the effective UID of the newly created user and the real UID of root. A malicious reseller account could leverage this flaw to execute arbitrary Ruby code with root's UID during the account creation process.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.58.0.37
    11.56.0.39

    SEC-171

    Summary

    Format string injection in exception message handling.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)

    Description

    The error messages generated by adminbin failures were passed through Locale::Maketext multiple times. This caused user-supplied data to be used as a format string.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.60.0.25

    SEC-172

    Summary

    Self XSS Vulnerability in the tail_ea4_migration.cgi interface.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

    Description

    The error output in the interface of the EasyApache 4 migration log in WHM was not properly encoded. This allowed an attacker to execute arbitrary code on the rendered page.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.60.0.25

    SEC-173

    Summary

    Arbitrary file chown via reassign_post_terminate_cruft.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 4.9 (AV:N/AC:H/Au:S/C:C/I:N/A:N)

    Description

    The reassign_post_terminate_cruft script did not adequately prevent changes being made to directories it is operating on. This allowed an attacker to change the ownership of an arbitrary file.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.60.0.25
    11.58.0.37
    11.56.0.39
    11.54.0.33

    SEC-174

    Summary

    Stored XSS in homedir removal during WHM Account termination.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)

    Description

    During account termination within WHM, the error output during home directory removal was not encoded correctly.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.60.0.25
    11.58.0.37
    11.56.0.39
    11.54.0.33

    SEC-175

    Summary

    Stored XSS in MySQL database names during WHM Account termination.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)

    Description

    The output of MySQL database names was not properly escaped during the account termination process.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.58.0.37
    11.56.0.39
    11.54.0.33

    SEC-176

    Summary

    Stored XSS in perlinstaller directory removal in WHM Account Termination.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

    Description

    During account termination within WHM, the error output during the perlinstaller directory removal was not encoded correctly.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.58.0.37
    11.56.0.39
    11.54.0.33

    SEC-177

    Summary

    Self-XSS Vulnerability in WHM Tweak Settings for autodiscover_host.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

    Description

    The WHM Tweak Settings interface for the autodiscover_host configuration value can produce an error message that was not adequately encoded. This could allow an attacker to execute arbitrary code on the rendered page.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.60.0.25
    11.58.0.37
    11.56.0.39
    11.54.0.33

    SEC-178

    Summary

    Self-Stored XSS Vulnerability in listftpstable API.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

    Description

    The listftpstable API call did not adequately encode the FTP account's home directory. This allowed an attacker to inject arbitrary code into the rendered page.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.60.0.25
    11.58.0.37
    11.56.0.39
    11.54.0.33

    SEC-179

    Summary

    Stored XSS in api1_listautoresponders.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)

    Description

    In custom themes, a call to api1_listautoresponders could produce output provided by an attacker via Webmail to the cPanel user that was not properly encoded.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.60.0.25
    11.58.0.37
    11.56.0.39
    11.54.0.33

    SEC-180

    Summary

    Self-XSS Vulnerability in UI_confirm API.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

    Description

    The UI_confirm API call did not adequately encode form element names. This allowed an attacker to inject arbitrary code into the rendered page.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.60.0.25
    11.58.0.37
    11.56.0.39
    11.54.0.33

    SEC-181

    Summary

    Self-Stored XSS in postgres API1 listdbs.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

    Description

    Database names were not properly HTML encoded when listed by the Postgres listdbs api1 call.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.60.0.25
    11.58.0.37
    11.56.0.39
    11.54.0.33

    SEC-182

    Summary

    Self-Stored XSS in SSL_listkeys.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

    Description

    In a deprecated API1 call to list SSL keys, content could be printed that was not properly encoded.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.60.0.25
    11.58.0.37
    11.56.0.39
    11.54.0.33

    SEC-184

    Summary

    Self-XSS in alias upload interface.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

    Description

    An improperly named alias backup file uploaded to cPanel could produce an error message that was not properly encoded.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.60.0.25
    11.58.0.37
    11.56.0.39
    11.54.0.33
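The stored and self XSS issues in this disclosure (SEC-159, SEC-160, SEC-172, SEC-174 through SEC-184) all come from one omission: names chosen by a user (files, directories, databases, FTP home directories, form element names) reached an HTML page without being encoded for the context they landed in. The Python example below is added to show the defect beside the fix; it is not cPanel's templating code, and the listing and names it renders are constructed.

```python
import html

# Constructed names of the kind a cPanel user controls (database names, directory names).
UNTRUSTED_NAMES = [
    "shop_prod",
    'x" onmouseover="alert(1)',          # breaks out of a quoted attribute if unescaped
    "<script>alert(document.cookie)</script>",
]


def render_listing_unescaped(title, names):
    """Defect pattern: untrusted names are interpolated straight into markup."""
    items = ['<li data-name="%s">%s</li>' % (n, n) for n in names]
    return "<h2>%s</h2>\n<ul>\n%s\n</ul>" % (title, "\n".join(items))


def render_listing(title, names):
    """Hardened form: every untrusted value is HTML-encoded, with quote=True so the same
    encoding is safe in both a text node and a double-quoted attribute. (A value placed inside
    inline JavaScript or a URL would need that context's own encoding, which html.escape is not.)"""
    items = []
    for n in names:
        safe = html.escape(n, quote=True)
        items.append('<li data-name="%s">%s</li>' % (safe, safe))
    return "<h2>%s</h2>\n<ul>\n%s\n</ul>" % (html.escape(title, quote=True), "\n".join(items))


def contains_raw_markup(fragment, names):
    """Check used by the test: does any untrusted name survive verbatim in the output?"""
    return any(n in fragment and any(c in n for c in '<>"') for n in names)


if __name__ == "__main__":
    print(render_listing("Databases for account", UNTRUSTED_NAMES))
```

The hardened renderer treats every untrusted value the same way regardless of where it came from, which is the property that stops stored XSS: it does not matter whether the name was set via Webmail, the API, or an uploaded file, because the encoding happens at the point of output.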

    SEC-185

    Summary

    Sensitive file contents revealed during file copy operations.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

    Description

    The Cpanel::FileUtils::Copy::safecopy() function did not preserve the source file's permissions during copy operations. This allowed other users to read sensitive files while the file copy was taking place.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.60.0.25
    11.58.0.37
    11.56.0.39
    11.54.0.33
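SEC-185 is a window-of-exposure bug: if a copy creates the destination with default permissions and only fixes the mode after the data has been written, another local user can read the file in between. The fix is to create the destination with the source's mode before any bytes are written. The Python example below, added here and not cPanel's Cpanel::FileUtils::Copy code, shows the two orderings side by side on a constructed 0600 file.

```python
import os
import shutil
import stat
import tempfile


def naive_copy(src, dst):
    """Defect pattern: open() creates dst as 0o666 & ~umask (0o644 under a 022 umask), the
    contents are written, and only afterwards are the permissions copied from src.
    Returns the mode dst had while the data was being written."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        mode_during_copy = stat.S_IMODE(os.fstat(fout.fileno()).st_mode)
        shutil.copyfileobj(fin, fout)
    shutil.copymode(src, dst)            # too late: the file was world-readable until here
    return mode_during_copy


def safe_copy(src, dst):
    """Create dst with the source's mode before writing. O_EXCL | O_NOFOLLOW also stops a
    pre-created file or symlink at dst from being written through."""
    src_mode = stat.S_IMODE(os.stat(src).st_mode)
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, src_mode)
    os.fchmod(fd, src_mode)              # os.open applied the umask; set the exact mode on our fd
    with open(src, "rb") as fin, os.fdopen(fd, "wb") as fout:
        mode_during_copy = stat.S_IMODE(os.fstat(fout.fileno()).st_mode)
        shutil.copyfileobj(fin, fout)
    return mode_during_copy


def demo():
    """Constructed scenario: a 0600 key file copied both ways under a 022 umask.
    Returns (mode during naive copy, mode during safe copy)."""
    with tempfile.TemporaryDirectory() as tmp:
        old_umask = os.umask(0o022)
        try:
            src = os.path.join(tmp, "private.key")
            with open(src, "wb") as f:
                f.write(b"constructed private key material\n")
            os.chmod(src, 0o600)
            naive_mode = naive_copy(src, os.path.join(tmp, "naive.key"))
            safe_mode = safe_copy(src, os.path.join(tmp, "safe.key"))
        finally:
            os.umask(old_umask)
        return naive_mode, safe_mode


if __name__ == "__main__":
    naive_mode, safe_mode = demo()
    print("naive copy mode during write: %o" % naive_mode)
    print("safe copy mode during write:  %o" % safe_mode)
```

A useful audit check for code that copies secrets is simply to read the destination's mode from its open descriptor before the first write, as both functions above do; the naive ordering reports 0644, the corrected one 0600.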

    SEC-186

    Summary

    Apache SSL keys readable by the nobody group.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)

    Description

    Apache SSL private key files were readable by the nobody group. This allowed unprivileged users to read the keys under certain Apache configurations.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.60.0.25
    11.58.0.37
    11.56.0.39
    11.54.0.33

    SEC-187

    Summary

    Host Access Control improperly handles action-less host.deny entries.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 3.6 (AV:N/AC:H/Au:S/C:P/I:P/A:N)

    Description

    Manually added entries to /etc/hosts.deny without an action specified were converted to an allow action when the Host Access Control page in WHM was used.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.60.0.25
    11.58.0.37
    11.56.0.39
    11.54.0.33
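The SEC-187 defect is a parsing one: an entry in /etc/hosts.deny carries an implicit deny even when it names no action, so a tool that rewrites such entries must default the action from the file the line came from, not to "allow". The Python parser below is added as an illustration and is not cPanel's Host Access Control code; the sample file is constructed. It follows the hosts_access(5) layout of `daemon_list : client_list [: option ...]`, where an explicit `allow` or `deny` option overrides the file's default and other options (such as a `spawn` command) leave it unchanged.

```python
# Constructed /etc/hosts.deny used as the sample input.
SAMPLE_HOSTS_DENY = """# constructed /etc/hosts.deny
sshd : 203.0.113.0/24
ALL : 198.51.100.7 : deny
ALL : .trusted.example : allow
vsftpd : ALL : spawn /bin/echo "%c attempted %d" >> /var/log/constructed.log
cpaneld : 192.0.2.0/24 \\
    : deny
"""


def parse_access_file(text, default_action):
    """Parse hosts.allow/hosts.deny style text into (daemons, clients, action) tuples.
    default_action is the file's implicit action ("deny" for /etc/hosts.deny). An explicit
    allow/deny option overrides it; any other option, e.g. a spawn command, does not.
    Simplifications: a '#' anywhere starts a comment, and options are split on ':'."""
    rules = []
    logical = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):                 # backslash continuation joins the next line
            logical += line[:-1]
            continue
        logical += line
        entry, logical = logical.strip(), ""
        if not entry:
            continue
        fields = [f.strip() for f in entry.split(":")]
        if len(fields) < 2 or not fields[0] or not fields[1]:
            continue                            # not a daemon_list : client_list pair
        action = default_action
        for opt in fields[2:]:
            if opt.lower() in ("allow", "deny"):
                action = opt.lower()            # explicit keyword wins over the file default
        rules.append((fields[0], fields[1], action))
    return rules


def render_rules(rules):
    """Write every rule with an explicit action, so the meaning no longer depends on
    which of the two files the line is placed in."""
    return "\n".join("%s : %s : %s" % rule for rule in rules) + "\n"


if __name__ == "__main__":
    print(render_rules(parse_access_file(SAMPLE_HOSTS_DENY, "deny")), end="")
```

The point of `render_rules` is that once lines are merged into a single managed file, every rule must say what it does; an action-less line that was a deny in hosts.deny has to be written out as `: deny`, which is exactly the step the original conversion got wrong.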

    SEC-188

    Summary

    Arbitrary code execution via Maketext in PostgreSQL adminbin.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C)

    Description

    In an error condition, the PostgreSQL adminbin passed user controlled text as part of a Locale::Maketext format string. By triggering an error in an SQL query used by the adminbin, it was possible to execute arbitrary code as root.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.60.0.25
    11.58.0.37
    11.56.0.39
    11.54.0.33

    SEC-191

    Summary

    Code execution via cpsrvd 403 response handler.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)

    Description

    In some error conditions, cpsrvd used the requested filename in a Locale::Maketext format string while generating 403 responses.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.60.0.25
    11.58.0.37
    11.56.0.39
    11.54.0.33
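SEC-171, SEC-188 and SEC-191 are the same class of bug: text that already contained user-supplied data was handed to Locale::Maketext as a format string (a template) instead of as an argument, so the bracket notation in that data was evaluated. The Python example below is added to show the pattern and its fix; it is an analogy using `str.format`, not Perl's Locale::Maketext and not cPanel's adminbin code. The catalog, the `Context` class and its attribute are constructed.

```python
# Constructed message catalog: the only strings that may ever be used as templates.
KNOWN_TEMPLATES = frozenset({
    "Database '{0}' does not exist.",
    "The admin call failed: {0}",
})


class Context:
    """Stands in for whatever object the formatter can reach into; the attribute is constructed."""
    secret = "constructed-db-password"


def localize_anything(template, *args):
    """Defect pattern: any string, including one that already embeds user data, is a template."""
    return template.format(*args)


def localize(template, *args):
    """Hardened form: only catalog strings are templates; everything else is an argument."""
    if template not in KNOWN_TEMPLATES:
        raise ValueError("refusing to treat non-catalog text as a template")
    return template.format(*args)


def adminbin_error(dbname):
    """First pass: the adminbin renders its own message with the user's name as an argument."""
    return localize("Database '{0}' does not exist.", dbname)


def caller_twice(dbname, ctx):
    """Second pass through the formatter (the bug): the user's name is now part of the
    template, so '{0.secret}' in dbname reads an attribute off ctx."""
    return localize_anything(adminbin_error(dbname), ctx)


def caller_once(dbname):
    """Fix: the adminbin's text is passed as an argument, never as a template."""
    return localize("The admin call failed: {0}", adminbin_error(dbname))


def caller_twice_checked(dbname, ctx):
    """With the catalog check, a stray second pass fails closed instead of being evaluated."""
    try:
        return localize(adminbin_error(dbname), ctx)
    except ValueError as exc:
        return "refused: %s" % exc


if __name__ == "__main__":
    hostile_name = "{0.secret}"          # constructed: a database name carrying template syntax
    print(caller_twice(hostile_name, Context()))
    print(caller_once(hostile_name))
    print(caller_twice_checked(hostile_name, Context()))
```

The structural fix is the one `localize` enforces: a template is a constant that comes from the message catalog, and user data, including messages that were already rendered once, travels through the formatter only as an argument. Perl's Maketext reaches further than Python's `str.format` (its bracket notation can call methods, which is why the cPanel entries rate as code execution), but the rule about what may be a template is the same.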

    SEC-192

    Summary

    HTTP POST to listinput.cpanel.net does not use TLS.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)

    Description

    subscribe_to_mailing_list did not use HTTPS, which could have allowed the leaking of email addresses.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.60.0.25
    11.58.0.37
    11.56.0.39
    11.54.0.33

    For the PGP-Signed version of this disclosure please visit https://news.cpanel.com/wp-content/uploads/2016/11/TSR-2016-0006.disclosure.txt