
cPanel TSR-2017-0001 Full Disclosure

Discussion in 'cPanel Announcements' started by cPanelJackson, Jan 17, 2017.

    cPanelJackson Product Owner - cPanel Security Team

    SEC-196

    Summary

    Fixed password used for Munin MySQL test account.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)

    Description

    The Munin monitoring tool includes a plugin to check the status of the MySQL service. This plugin used a dedicated test MySQL user to provide this functionality. The password set for this user was identical to the username. In cPanel's current configuration of Munin, this MySQL user is no longer required and has been removed.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    62.0.4
    60.0.35
    58.0.43
    56.0.43
    54.0.36

    SEC-197

    Summary

    Self-XSS in paper_lantern password change screen.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

    Description

    Certain form variables on the password change screen could be interpreted as JavaScript markup. This allowed an attacker to inject a malicious payload into the page.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    62.0.4
    60.0.35
    58.0.43
    56.0.43
    54.0.36

    SEC-198

    Summary

    Reflected XSS in reset password interfaces.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

    Description

    The user form variable on the password change screen could be interpreted as JavaScript markup. This allowed an attacker to inject a malicious payload into the page.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    62.0.4
    60.0.35
    58.0.43
    56.0.43

    SEC-199

    Summary

    Self-XSS in webmail Password and Security page.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

    Description

    Certain form variables on the webmail Password and Security page could be interpreted as JavaScript markup. This allowed an attacker to inject a malicious payload into the page.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    62.0.4
    60.0.35
    58.0.43
    56.0.43
    54.0.36

    SEC-201

    Summary

    Arbitrary file read via Exim valiases.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 6.8 (AV:N/AC:L/Au:S/C:C/I:N/A:N)

    Description

    When processing the valiases for a user, Exim was running as the root user. By creating a valias that included other files, an attacker was able to read arbitrary files as the root user.

    Credits

    This issue was discovered by RACK911Labs.com.

    Solution

    This issue is resolved in the following builds:
    62.0.4
    60.0.35
    58.0.43

    SEC-204

    Summary

    Exim piped filters ran as wrong user when delivering to a system user.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)

    Description

    Piped commands executed by the central_user_filter were run as the nobody user. Now the filters are run as the system user's UID.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    62.0.4
    60.0.35
    58.0.43
    56.0.43
    54.0.36

    SEC-205

    Summary

    Leech Protect did not protect certain directories.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)

    Description

    The Leech Protect system allows admins to detect unusual amounts of activity on password protected directories. This system was not functioning on directories with a two character name.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    62.0.4
    60.0.35
    58.0.43
    56.0.43
    54.0.36

    SEC-206

    Summary

    Exim transports could be run as the nobody user.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)

    Description

    It was possible to run exim transports as the nobody user if the receiving email domain was removed during delivery. Transports will now run as the proper user even if the domain no longer exists.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    62.0.4
    60.0.35
    58.0.43
    56.0.43
    54.0.36

    SEC-207

    Summary

    Improper ACL checks in xml-api for Rearrange Account.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

    Description

    Using the 'fetch_transfer_session_log' API, it was possible to fetch transfer information created by other resellers. This could reveal potentially sensitive information to an attacker.

    Credits

    This issue was discovered by RACK911Labs.com.

    Solution

    This issue is resolved in the following builds:
    62.0.4
    60.0.35
    58.0.43
    56.0.43
    54.0.36

    SEC-209

    Summary

    SSL certificate generation in WHM used an unreserved email address.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

    Description

    In WHM, if you generate a certificate using the "Generate an SSL Certificate and Signing Request" interface and select "When complete, email me the certificate, key, and CSR", it used "admin@<hostname>" as the from address. The account name "admin" is not reserved in cPanel & WHM, so if this account was created, it would intercept any replies or bounces.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    62.0.4
    60.0.35
    58.0.43
    56.0.43
    54.0.36

    SEC-210

    Summary

    Account ownership not enforced by has_mycnf_for_cpuser WHM API call.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

    Description

    The has_mycnf_for_cpuser WHM API call did not verify the caller's ownership of the specified account. This could allow for a limited amount of information about the user's MySQL configuration to be leaked.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    62.0.4
    60.0.35
    58.0.43
    56.0.43
    54.0.36

    SEC-211

    Summary

    Stored XSS Vulnerability in WHM Account Suspension List interface.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)

    Description

    When viewing the WHM Account Suspension List with the 'nohtml' flag enabled, the response to the browser was sent with the 'Content-type' header set to 'text/html'. This caused text to be misinterpreted as HTML markup.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    62.0.4
    60.0.35
    58.0.43
    56.0.43
    54.0.36

    SEC-212

    Summary

    Format string injection vulnerability in cgiemail.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

    Description

    The ability to supply arbitrary format strings to cgiemail and cgiecho allowed code execution whenever a user was able to provide a cgiemail template file. Format strings in cgiemail templates are now restricted to simple %s, %U and %H sequences.
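
    A template check in the spirit of that fix, added here as an illustration and not cPanel's own code: it assumes a placeholder syntax of the form "[%s fieldname]" (a printf-style directive followed by the form field name; the exact cgiemail syntax is an assumption) and flags every directive that is not a plain %s, %U or %H.

```python
import re
from typing import List

# The only format directives the advisory says cgiemail templates may still use.
ALLOWED_DIRECTIVES = {"%s", "%U", "%H"}

# Assumed placeholder syntax (not taken from the advisory): "[%s fieldname]", i.e. a
# printf-style directive followed by the name of the submitted form field.
PLACEHOLDER_RE = re.compile(r"\[(%[^\s\]]*)\s+([A-Za-z0-9_-]+)\]")


def find_unsafe_directives(template: str) -> List[str]:
    """Return every directive in a template that is not a plain %s, %U or %H.

    Width, precision and flag modifiers ("%-40s") and any other conversion
    ("%n", "%x", "%p") are reported, since each one reaches a printf-style
    formatter and that is exactly what the fix takes away from template authors.
    """
    return [directive for directive, _field in PLACEHOLDER_RE.findall(template)
            if directive not in ALLOWED_DIRECTIVES]


def is_template_safe(template: str) -> bool:
    """True when a template uses only the simple directives the fix permits."""
    return not find_unsafe_directives(template)


# Constructed sample templates (not from the advisory).
SAFE_TEMPLATE = """To: webmaster@example.test
Subject: Contact form from [%s name]

Message from [%H name] <[%U email]>:
[%s message]
"""

UNSAFE_TEMPLATE = """To: webmaster@example.test
Subject: [%-40s name]

[%n name] [%08x email] [%s message]
"""

if __name__ == "__main__":
    for label, tpl in (("safe", SAFE_TEMPLATE), ("unsafe", UNSAFE_TEMPLATE)):
        verdict = "ok" if is_template_safe(tpl) else find_unsafe_directives(tpl)
        print(label, "->", verdict)
```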

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    60.0.35
    58.0.43
    56.0.43
    54.0.36

    SEC-213

    Summary

    WHM 'enqueue_transfer_item' API allowed resellers to queue non-rearrange modules.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:N/A:P)

    Description

    The 'enqueue_transfer_item' API allowed resellers with the 'rearrange-accts' ACL to add items from arbitrary Whostmgr::Transfers::Session modules. This could have potentially allowed for a reseller with the 'rearrange-accts' ACL to initiate a remote transfer or perform other restricted operations.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    62.0.4
    60.0.35
    58.0.43
    56.0.43

    SEC-214

    Summary

    Open redirect vulnerability in cgiemail.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

    Description

    The cgiemail and cgiecho binaries served as an open redirect due to their handling of the "success" and "failure" parameters. These redirects are now limited to the domain that handled the request.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    60.0.35
    58.0.43
    56.0.43
    54.0.36

    SEC-215

    Summary

    HTTP header injection vulnerability in cgiemail.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

    Description

    The handling of redirects in cgiemail and cgiecho did not protect against the injection of additional HTTP headers. Newline characters are now stripped from the redirect location to protect against this.
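
    The two redirect fixes above (SEC-214: redirects limited to the domain that handled the request; SEC-215: newlines stripped from the redirect location) combined into one validation routine, added here as an illustration rather than cPanel's code. The function name, the parameter names and the sample inputs are assumptions.

```python
from typing import Optional
from urllib.parse import urlsplit


def sanitize_redirect(target: str, request_host: str) -> Optional[str]:
    """Return a Location value that is safe to emit, or None to use a default page.

    target       -- raw "success"/"failure" parameter value (shape assumed)
    request_host -- host that handled the request, e.g. from the Host header
    """
    # SEC-215: strip CR and LF so the value cannot end the Location header and
    # smuggle extra headers or a body into the response (mirrors the fix).
    cleaned = target.replace("\r", "").replace("\n", "")

    # Some browsers treat "\" like "/", so "/\host" would leave the site; refuse it.
    if "\\" in cleaned:
        return None

    try:
        parts = urlsplit(cleaned)
    except ValueError:  # e.g. malformed IPv6 brackets
        return None

    # Same-site relative path: exactly one leading "/" ("//host/" is protocol-relative).
    if not parts.scheme and not parts.netloc:
        return cleaned if cleaned.startswith("/") and not cleaned.startswith("//") else None

    # SEC-214: absolute targets may only point back at the domain that handled the request.
    if parts.scheme not in ("http", "https"):
        return None
    if (parts.hostname or "").lower() != request_host.lower():
        return None
    return cleaned


if __name__ == "__main__":
    # Constructed sample values (not from the advisory).
    for raw in ("/thanks.html", "http://example.test/thanks", "http://evil.test/",
                "//evil.test/", "http://example.test@evil.test/",
                "http://example.test/ok\r\nSet-Cookie: pwn=1"):
        print(repr(raw), "->", repr(sanitize_redirect(raw, "example.test")))
```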

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    60.0.35
    58.0.43
    56.0.43
    54.0.36

    SEC-216

    Summary

    Reflected XSS vulnerability in cgiemail addendum handling.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv2 score of 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

    Description

    The "addendum" parameter was reflected without any escaping in success and error messages produced by cgiemail and cgiecho. This output is now HTML-escaped.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    60.0.35
    58.0.43
    56.0.43
    54.0.36

    For the PGP-Signed version of this announcement please see: https://news.cpanel.com/wp-content/uploads/2017/01/TSR-2017-0001.disclosure.signed.txt