
cPanel TSR-2017-0003 Full Disclosure

Discussion in 'cPanel Announcements' started by cPanelJackson, May 17, 2017.

    Posted by cPanelJackson, Product Owner - cPanel Security Team (Staff Member)

    SEC-234

    Summary

    Horde MySQL to SQLite conversion can leak database password.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 2.2 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

    Description

    If the Horde MySQL to SQLite conversion script required a password reset on the MySQL database, the new password was passed to the reset script as a command line argument. This password was visible to possible attackers in a `ps` process listing.
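The two defensive halves of this issue, as an added Python example that is not cPanel's code (cPanel's scripts are Perl): an audit that scans `ps`-style command lines for arguments that look like secrets, and a launcher that hands a secret to a child process on stdin so it never appears in argv. The sample command lines and the secret value are constructed for the example; `/proc` reading is Linux-only and is not exercised by the sample.

```python
import glob
import re
import subprocess
import sys
from typing import Iterable, List

# Constructed sample of process command lines, in the shape `ps -eo args`
# prints them. Not taken from any real system; the secret value is made up.
SAMPLE_CMDLINES = [
    "/usr/bin/perl /scripts/example_convert --user bob",
    "/usr/bin/mysql -u root -pHUNTER2secret horde",
    "/bin/sh /tmp/reset_password.sh bob HUNTER2secret",  # hypothetical: secret as a positional argument
    "sshd: bob [priv]",
]

# Argument shapes that usually carry a secret (heuristics; `-print` style flags
# will false-positive). Positional secrets, as on the third sample line, cannot
# be recognised by shape, which is why the scan also takes known secret values.
SECRET_ARG_PATTERNS = [
    re.compile(r"(?:^|\s)-p\S+"),                       # mysql-style -pPASSWORD
    re.compile(r"--?pass(?:word|wd)?[=\s]\S+", re.I),   # --password=... / -pass ...
]


def find_leaky_cmdlines(cmdlines: Iterable[str], known_secrets: Iterable[str] = ()) -> List[int]:
    """Return the indices of command lines that appear to expose a secret."""
    known = [s for s in known_secrets if s]
    hits = []
    for idx, line in enumerate(cmdlines):
        by_shape = any(p.search(line) for p in SECRET_ARG_PATTERNS)
        by_value = any(s in line for s in known)
        if by_shape or by_value:
            hits.append(idx)
    return hits


def read_proc_cmdlines() -> List[str]:
    """Collect live command lines from /proc (Linux only), same shape as SAMPLE_CMDLINES."""
    out = []
    for path in glob.glob("/proc/[0-9]*/cmdline"):
        try:
            with open(path, "rb") as fh:
                raw = fh.read()
        except OSError:
            continue  # process exited or is not readable by us
        if raw:
            out.append(raw.rstrip(b"\0").replace(b"\0", b" ").decode("utf-8", "replace"))
    return out


def run_with_secret_on_stdin(secret: str) -> dict:
    """Spawn a child that needs the secret, handing it over on stdin so that it
    never appears in the child's argv (and therefore never in `ps`).
    The child here is a Python one-liner that only reports the secret's length."""
    child_code = "import sys; s = sys.stdin.readline().rstrip('\\n'); print(len(s))"
    argv = [sys.executable, "-c", child_code]
    proc = subprocess.run(argv, input=secret + "\n", capture_output=True, text=True, check=True)
    return {
        "argv": argv,
        "secret_in_argv": any(secret in a for a in argv),
        "child_saw_len": int(proc.stdout.strip()),
    }
```

On a live host, `find_leaky_cmdlines(read_proc_cmdlines(), known_secrets=[...])` gives the same check over real processes; an environment variable is the other common alternative to stdin, but `/proc/<pid>/environ` is readable by the process owner, so stdin or a 0600 file is the tighter choice.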

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    64.0.21
    62.0.24
    60.0.43
    58.0.49
    56.0.49

    SEC-236

    Summary

    Code execution for webmail and demo accounts with the store_filter API call.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 6.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

    Description

    Webmail and demo accounts are normally not allowed to perform code execution on a system. It was possible to circumvent this protection using the store_filter API call.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    64.0.21
    62.0.24
    60.0.43
    58.0.49
    56.0.49

    SEC-237

    Summary

    Code execution as root via SET_VHOST_LANG_PACKAGE multilang adminbin call.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

    Description

    The SET_VHOST_LANG_PACKAGE command of the multilang adminbin did not adequately validate the package parameter passed to it. An attacker could pass in an arbitrary PHP package value, which allowed for arbitrary code to run as the root user.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    64.0.21
    62.0.24
    60.0.43
    58.0.49
    56.0.49

    SEC-238

    Summary

    Demo account code execution with BoxTrapper API.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 5.6 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

    Description

    It was possible to use the BoxTrapper API as a demo user to upload files and execute them. The BoxTrapper API now forbids use by demo users.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    64.0.21
    62.0.24
    60.0.43
    58.0.49
    56.0.49

    SEC-239

    Summary

    Demo account file read vulnerability in Fileman::getfileactions API2 call.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 3.5 CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

    Description

    The Fileman::getfileactions API2 call allowed demo account users to read the contents of arbitrary files on the system.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    64.0.21
    62.0.24
    60.0.43
    58.0.49
    56.0.49

    SEC-240

    Summary

    Webmail account arbitrary code execution via forwarders.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.4 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

    Description

    The cPanel API calls that allow modification of an account's email forwarding settings did not properly sanitize the forwarding options that were provided. This allowed webmail accounts to inject shell commands into the forwarding system.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    64.0.21
    62.0.24
    60.0.43
    58.0.49
    56.0.49

    SEC-241

    Summary

    Webmail arbitrary file write with addforward API call.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 5.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

    Description

    A webmail user could use the addforward API1 call to set up an email forwarder to a file. This would allow the webmail user to write to any file location owned by the cPanel account. Now, webmail users can only add forwarders to valid email addresses.
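The validation described for SEC-240 and SEC-241, as an added Python example (not cPanel's own code, which is Perl): forwarder targets are classified as an address, a file, a pipe or a delivery directive, and a per-role policy decides which kinds may be configured. The role policy table is an assumption for the example; the advisory only states that webmail users are now limited to valid email addresses.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Plain mailbox@domain form, deliberately strict (no comments, quoting or
# bare local parts): the goal is to refuse anything that is not an ordinary
# address, including anything carrying shell or newline characters.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Assumed policy: which target kinds each caller role may configure.
ALLOWED_KINDS: Dict[str, Set[str]] = {
    "webmail": {"address"},
    "cpanel": {"address", "file", "pipe", "directive"},
}


def classify_forward_target(target: str) -> str:
    """Map a raw forwarder target to one of: address, file, pipe, directive, invalid."""
    t = target.strip()
    if not t or any(ch in t for ch in "\r\n\0"):
        return "invalid"
    if t.startswith("|"):
        return "pipe"        # |/path/to/program : delivery to a command
    if t.startswith("/") or t.startswith("~"):
        return "file"        # /path/to/mailbox  : delivery to a file
    if t.startswith(":"):
        return "directive"   # :fail:, :blackhole:
    if ADDRESS_RE.fullmatch(t):
        return "address"
    return "invalid"


def validate_forwarders(role: str, targets: Iterable[str]) -> List[Tuple[str, str, bool]]:
    """Return (target, kind, accepted) for each target under the role's policy.
    Unknown roles get an empty policy, so everything is refused."""
    allowed = ALLOWED_KINDS.get(role, set())
    results = []
    for t in targets:
        kind = classify_forward_target(t)
        results.append((t, kind, kind in allowed))
    return results
```

The classification runs before any policy check so that a rejected target is logged with its kind (`file`, `pipe`) rather than as a generic failure; that is the signal a defender wants when a webmail session starts asking for file delivery.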

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    56.0.49

    SEC-242

    Summary

    Demo account code execution through Encoding API calls.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 7.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

    Description

    The Encoding API calls relied on the guess_file_encoding script to determine the character encoding of the specified file. This script was vulnerable to XML External Entity attacks that could be escalated to full code execution with some inputs.
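How a file-inspection step can refuse XML External Entity input outright, as an added Python example that is not cPanel's guess_file_encoding script: the parser rejects any entity declaration (internal or external) before it is referenced and never loads parameter entities or the external DTD subset. The sample documents are constructed for the example.

```python
import xml.parsers.expat


class ForbiddenEntity(ValueError):
    """Raised when the document declares any entity, internal or external."""


def parse_xml_without_entities(data: bytes) -> dict:
    """Parse `data` with expat while refusing every DTD entity declaration.

    Returns a small summary (root element name, element count) so a caller can
    see that benign input really was parsed rather than silently skipped."""
    parser = xml.parsers.expat.ParserCreate()
    # Never fetch or expand parameter entities or the external DTD subset.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def entity_decl(name, is_parameter_entity, value, base, system_id, public_id, notation_name):
        kind = "external" if (system_id or public_id) else "internal"
        raise ForbiddenEntity(f"{kind} entity {name!r} declared; document rejected")

    parser.EntityDeclHandler = entity_decl

    def external_entity_ref(context, base, system_id, public_id):
        # Defence in depth: returning 0 makes expat treat the reference as an error
        # instead of resolving it. EntityDeclHandler normally fires first.
        return 0

    parser.ExternalEntityRefHandler = external_entity_ref

    summary = {"root": None, "elements": 0}

    def start_element(name, attrs):
        if summary["root"] is None:
            summary["root"] = name
        summary["elements"] += 1

    parser.StartElementHandler = start_element
    parser.Parse(data, True)
    return summary


def is_safe_xml(data: bytes) -> bool:
    """True if the document parses without declaring entities; malformed input is also False."""
    try:
        parse_xml_without_entities(data)
        return True
    except (ForbiddenEntity, xml.parsers.expat.ExpatError):
        return False
```

Refusing internal entities as well as external ones is deliberate: a script that only needs to sniff an encoding has no business expanding entities, and the blanket rule also closes entity-expansion (billion laughs) input that an "external only" check would let through.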

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    64.0.21
    62.0.24
    60.0.43
    58.0.49
    56.0.49

    SEC-243

    Summary

    Demo account code execution via ImageManager_dimensions API call.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 7.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

    Description

    The ImageManager_dimensions API call invokes the ImageMagick identify utility. Due to possible vulnerabilities within the ImageMagick utilities, this could have been used to execute arbitrary code under a demo account.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    64.0.21
    62.0.24
    60.0.43
    58.0.49
    56.0.49

    SEC-244

    Summary

    Demo users have access to traceroute via api2.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.3 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

    Description

    The traceroute api2 call was available to demo users, but the api1 traceroute call was blocked for those same users. Now, both api1 and api2 calls function in similar ways and block execution by demo users.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    64.0.21
    62.0.24
    60.0.43
    58.0.49
    56.0.49

    SEC-245

    Summary

    Demo accounts able to redirect web traffic.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 5.0 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

    Description

    The API1 commands to redirect the website traffic to parked domains were not implementing Demo mode restrictions correctly.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    64.0.21
    62.0.24
    60.0.43
    58.0.49
    56.0.49

    SEC-246

    Summary

    Cpanel::SPFUI API commands are available to demo accounts.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

    Description

    The Cpanel::SPFUI API commands are available to demo accounts. It was possible to use these API commands to change the SPF records for a demo domain. This allowed an attacker to send email for the domain on an external system.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    64.0.21
    62.0.24
    60.0.43
    58.0.49
    56.0.49

    SEC-247

    Summary

    Demo and suspended accounts allowed to port-forward via SSH.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 5.0 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

    Description

    The shell configuration for Demo and Suspended accounts allowed traffic to forward through SSH. This has been addressed by adding these accounts to the "cpanelsuspended" and "cpaneldemo" groups, and explicitly blocking these groups in the sshd_config file.
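A configuration check for the fix described above, as an added Python example (not part of cPanel's own tooling): it parses an sshd_config text and reports whether each of the `cpaneldemo` and `cpanelsuspended` groups is listed in a global `DenyGroups`, or failing that, has a `Match Group` block that sets `AllowTcpForwarding no`. The page states the `DenyGroups` fix; accepting the `Match` block as an alternative is this example's assumption. The configuration samples are constructed.

```python
import re
from typing import Dict, List, Tuple

# Group names as stated in the advisory.
REQUIRED_DENY_GROUPS = {"cpaneldemo", "cpanelsuspended"}

# Constructed sshd_config samples: the first leaves forwarding open to every
# group, the second is the advisory's fix, the third the Match-block alternative.
WEAK_CONFIG = "Port 22\nAllowTcpForwarding yes\n"
FIXED_CONFIG = "Port 22\nDenyGroups cpaneldemo cpanelsuspended\n"
MATCH_CONFIG = (
    "Port 22\n"
    "Match Group cpaneldemo\n    AllowTcpForwarding no\n"
    "Match Group cpanelsuspended\n    AllowTcpForwarding no\n"
)

Settings = Dict[str, List[str]]


def parse_sshd_config(text: str) -> Tuple[Settings, List[Tuple[str, Settings]]]:
    """Split an sshd_config into global settings and (criteria, settings) Match blocks.
    Keys are lower-cased; 'Key value' and 'Key=value' forms are both accepted."""
    global_settings: Settings = {}
    match_blocks: List[Tuple[str, Settings]] = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            current = {}
            match_blocks.append((value.lower(), current))
            continue
        current.setdefault(key, []).append(value)
    return global_settings, match_blocks


def audit_sshd_config(text: str) -> List[str]:
    """Return one finding per required group that is neither denied globally
    nor stripped of TCP forwarding in its own Match block."""
    global_settings, blocks = parse_sshd_config(text)
    denied = set()
    for value in global_settings.get("denygroups", []):
        denied.update(value.split())
    findings = []
    for group in sorted(REQUIRED_DENY_GROUPS - denied):
        covered = any(
            criteria == f"group {group}"
            and [v.lower() for v in settings.get("allowtcpforwarding", [])] == ["no"]
            for criteria, settings in blocks
        )
        if not covered:
            findings.append(f"group {group} is neither in DenyGroups nor restricted by a Match block")
    return findings
```

`DenyGroups` is the stronger of the two because it refuses the login altogether, whereas the `Match` form still admits the session and only removes forwarding; the audit treats both as acceptable so it can be run against hosts configured either way.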

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    64.0.21
    62.0.24
    60.0.43
    58.0.49
    56.0.49

    SEC-248

    Summary

    Cpanel SSH API commands are allowed for Demo accounts.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

    Description

    The Cpanel SSH API commands are allowed for demo accounts. This allowed for demo users to generate, upload, and authorize SSH keys. This also allowed for changes to be made to the filesystem and could enable further attacks.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    64.0.21
    62.0.24
    60.0.43
    58.0.49
    56.0.49

    SEC-249

    Summary

    Demo restrictions not enforced in SSL API calls.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

    Description

    The cPanel API1, API2 and UAPI calls for SSL operations in cPanel did not enforce demo mode restrictions correctly. This allowed demo accounts to modify the demo domain's SSL configuration.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    64.0.21
    62.0.24
    60.0.43
    58.0.49
    56.0.49

    SEC-250

    Summary

    File read and write for demo accounts in SourceIPCheck API.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)

    Description

    It was possible to use the SourceIPCheck API calls to read and write to files that the targeted demo account could access. Now, most SourceIPCheck API calls are no longer available to demo users.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    64.0.21
    62.0.24
    60.0.43
    58.0.49
    56.0.49

    SEC-251

    Summary

    Code execution for Demo accounts via ClamScanner_getsocket API.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 7.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

    Description

    The ClamScanner_getsocket API command takes the location of the clamd binary as an argument. This is used as part of a shell command to find the current clamd socket file. It was possible to inject arbitrary shell commands into this argument, allowing for arbitrary code execution under Demo accounts.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    64.0.21
    62.0.24
    60.0.43
    58.0.49
    56.0.49

    SEC-252

    Summary

    Limited file read via Serverinfo_manpage API call.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

    Description

    The Serverinfo_manpage API call accepts a parameter to select the displayed manpage. This parameter is vulnerable to a path traversal attack. This potentially allowed for an attacker to read some files on the calling account.
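A containment check for a user-selected file name such as the manpage parameter above, as an added Python example (not cPanel's code): the name is first restricted to a conservative character set, and the resulting path is then normalised and checked to lie under the base directory using `os.path.commonpath`, which avoids the classic string-prefix mistake (`/usr/share/man` versus `/usr/share/manpages`). The base directory values are illustrative.

```python
import os
import re

# A manpage selector: starts with an alphanumeric, then letters, digits, '.', '_' or '-'.
# No '/' at all, so subdirectories are not reachable through this parameter.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def contained_path(base_dir: str, relative: str) -> str:
    """Join `relative` onto `base_dir` and refuse any result outside `base_dir`.
    Allows subdirectories but not absolute paths or '..' escapes."""
    if os.path.isabs(relative):
        raise ValueError("absolute paths are not accepted")
    base = os.path.normpath(base_dir)
    candidate = os.path.normpath(os.path.join(base, relative))
    # commonpath works on whole components, so /usr/share/manpages is NOT under /usr/share/man.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"{relative!r} escapes {base_dir!r}")
    return candidate


def safe_manpage_path(base_dir: str, requested: str) -> str:
    """Strict form for a single-file selector: allowlist the name, then contain it."""
    if not SAFE_NAME.fullmatch(requested):
        raise ValueError(f"invalid manpage name {requested!r}")
    return contained_path(base_dir, requested)


def resolved_within(base_dir: str, relative: str) -> str:
    """Symlink-aware variant for directories that exist on disk: resolves the
    real path of both sides before the containment check."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, relative))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"{relative!r} resolves outside {base_dir!r}")
    return candidate
```

`resolved_within` is the one to use when the base directory can contain user-controlled symlinks (a home directory, for instance); the lexical checks alone cannot see a link that points elsewhere.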

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    64.0.21
    62.0.24
    60.0.43
    58.0.49
    56.0.49

    SEC-254

    Summary

    Limited file rename as root via scripts/convert_roundcube_mysql2sqlite.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.4 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

    Description

    The scripts/convert_roundcube_mysql2sqlite script calls out to shell commands via the system() function while in a reduced-privileges state. If a user's email virtual name contained special characters, the command would be invoked via the system shell. This would restore root privileges and invoke the command as root. This allowed an attacker to rename files and/or copy them into a user-accessible location.
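The common root of SEC-251 and SEC-254 is a command built as one string from caller-influenced data, so that the shell interprets whatever that data contains. Below is an added Python example, not cPanel's Perl code, showing the defensive pattern on both sides: a check for the metacharacters that cause a one-string `system()` to go through `/bin/sh` (the set Perl documents for that decision), allowlist validators for a binary path and a mailbox name, and an argv-list launcher under which those characters are plain data. The child process used for the demonstration is a Python one-liner that prints its argument back.

```python
import os
import re
import subprocess
import sys
from typing import Sequence

# Characters that make Perl's one-string system()/exec() hand the command to
# /bin/sh instead of exec'ing it directly. Presence of any of these in a value
# that is interpolated into such a string is the condition described in SEC-254.
SHELL_METACHARS = frozenset("$&*(){}[]'\";\\|?<>~`\n")


def has_shell_metachars(value: str) -> bool:
    """True if embedding `value` in a single command string would involve the shell."""
    return any(ch in SHELL_METACHARS for ch in value)


def validate_binary_path(path: str) -> str:
    """Accept only an absolute, already-normalised path built from a conservative
    character set (the clamd binary location of SEC-251); anything else is refused."""
    if not path.startswith("/"):
        raise ValueError("binary path must be absolute")
    if os.path.normpath(path) != path:
        raise ValueError("binary path must be normalised (no '..', './' or '//')")
    if not re.fullmatch(r"[A-Za-z0-9_./-]+", path):
        raise ValueError("binary path contains characters outside [A-Za-z0-9_./-]")
    return path


def validate_mailbox_name(name: str) -> str:
    """Allowlist for a local-part style name such as the 'email virtual name' of SEC-254."""
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}", name):
        raise ValueError(f"invalid mailbox name {name!r}")
    return name


def run_argv(argv: Sequence[str]) -> str:
    """Run a program from an argv list: no shell is involved, so every element
    reaches the program verbatim whatever characters it contains."""
    proc = subprocess.run(list(argv), capture_output=True, text=True, check=True)
    return proc.stdout


def echo_argument_literally(value: str) -> str:
    """Demonstration: the child prints back exactly the argument it received,
    showing that metacharacters are data, not syntax, in argv form."""
    child = "import sys; sys.stdout.write(sys.argv[1])"
    return run_argv([sys.executable, "-c", child, value])
```

The two validators do different jobs: `has_shell_metachars` tells you whether existing string-building code is exposed to a given input, while the allowlists are what the fixed code should enforce regardless of how the command is launched, since the list form removes the shell but not, for example, a `..` in a path.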

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    64.0.21
    62.0.24
    60.0.43
    58.0.49
    56.0.49

    SEC-255

    Summary

    Limited file chmod in /scripts/convert_roundcube_mysql2sqlite.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.5 AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

    Description

    During the Roundcube SQLite conversion process, it was possible to chmod a limited set of files with elevated privileges by taking advantage of a race condition.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    64.0.21
    62.0.24
    60.0.43
    58.0.49
    56.0.49

    SEC-257

    Summary

    User crontab publicly visible during cPAddon upgrades.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

    Description

    The functionality for adding and removing cron jobs for cPAddons exposed the user's crontab by placing a copy in the user's public Apache docroot.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    64.0.21
    62.0.24
    60.0.43
    58.0.49
    56.0.49

    SEC-259

    Summary

    Code execution via Rails configuration files.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 8.2 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

    Description

    The Ruby on Rails settings for an account were stored in the account's userdata directory in a way that would conflict with identically named domains. This could be abused to inject arbitrary configuration data into the Apache configuration file.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    64.0.21
    62.0.24
    60.0.43
    58.0.49
    56.0.49

    SEC-260

    Summary

    Supplemental groups lost during account renames.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 5.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N

    Description

    During account modifications, the supplemental groups a user belonged to were not updated to reflect a changed user name. This could potentially leak access to sensitive groups to subsequent accounts created with the same username.
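The two operations a rename has to get right for supplemental groups, as an added Python example (not cPanel's own account-modification code): rewriting the member lists of an `/etc/group`-style file so that the old name is replaced by the new one, and an audit that lists member names with no matching account, which is exactly what a later account created under the same name would inherit. The group file content is constructed for the example.

```python
from typing import Iterable, List, Set, Tuple

# Constructed /etc/group-style content (name:password:gid:member,member,...).
SAMPLE_GROUP_FILE = (
    "root:x:0:\n"
    "mailusers:x:1003:alice,bob\n"
    "sshkeys:x:1004:bob\n"
    "# comment lines and blank lines are preserved untouched\n"
    "\n"
)


def parse_group_file(text: str) -> List[Tuple[str, int, List[str]]]:
    """Return (group_name, gid, members) for each real entry."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _password, gid, members = line.split(":", 3)
        entries.append((name, int(gid), [m for m in members.split(",") if m]))
    return entries


def supplementary_groups(text: str, user: str) -> List[str]:
    """Groups that list `user` in their member field, in file order."""
    return [name for name, _gid, members in parse_group_file(text) if user in members]


def rename_user_in_groups(text: str, old: str, new: str) -> str:
    """Rewrite member lists so `old` becomes `new`; everything else is kept byte-for-byte."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            out.append(line)
            continue
        name, password, gid, members = line.split(":", 3)
        rewritten = [new if m == old else m for m in members.split(",") if m]
        out.append(":".join([name, password, gid, ",".join(rewritten)]))
    return "\n".join(out) + "\n"


def stale_memberships(text: str, existing_users: Iterable[str]) -> List[Tuple[str, str]]:
    """(group, member) pairs whose member is not a current account: the access a
    future account with that name would silently pick up."""
    users: Set[str] = set(existing_users)
    return sorted(
        (name, m)
        for name, _gid, members in parse_group_file(text)
        for m in members
        if m not in users
    )
```

Running `stale_memberships` against the real group file with the output of `getent passwd` as `existing_users` is a cheap periodic check that catches this class of leftover, whatever tool caused it.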

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    64.0.21
    62.0.24
    60.0.43
    58.0.49
    56.0.49

    SEC-262

    Summary

    Stored XSS in WHM cPAddons install interface.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 2.2 AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N

    Description

    When installing a cPAddon, if the installation of the cron jobs failed, the interface did not HTML encode the resulting error message. This could allow for arbitrary code to be injected into the rendered page.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    62.0.24
    60.0.43
    58.0.49
    56.0.49

    For the PGP-Signed version of this announcement please see: https://news.cpanel.com/wp-content/uploads/2017/05/TSR-2017-0003.disclosure.signed.txt
     
Loading...

Share This Page