cPanel TSR-2017-0004 Full Disclosure

Discussion in 'cPanel Announcements' started by cPanelJackson, Jul 18, 2017.

    cPanelJackson Product Owner - cPanel Security Team

    SEC-263

    Summary

    Stored XSS during WHM cPAddons install.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 3.9 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

    Description

    It was possible for an attacker to actively inject HTML into the WHM cPAddons screen during a moderated install.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    66.0.2
    64.0.33
    62.0.27
    60.0.45
    58.0.52
    56.0.51

    SEC-264

    Summary

    Stored XSS during WHM cPAddons upgrades.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 3.9 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

    Description

    While performing cPAddon upgrades in WHM, output from the upgrade script was displayed without HTML escaping.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    62.0.27
    60.0.45
    58.0.52
    56.0.51

    SEC-265

    Summary

    Stored XSS during WHM cPAddons file operations.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 3.9 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

    Description

    It was possible for an attacker to actively inject HTML into the WHM cPAddons screen when the installation process did certain 'chmod' and 'chown' operations.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    66.0.2
    64.0.33
    62.0.27
    60.0.45
    58.0.52
    56.0.51

    SEC-266

    Summary

    Stored XSS during WHM cPAddons uninstallation.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 3.9 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

    Description

    While performing cPAddon uninstalls in WHM, output from the 'rm' command was displayed without HTML escaping. This could allow for arbitrary code to be injected into the rendered page.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    66.0.2
    64.0.33
    62.0.27
    60.0.45
    58.0.52
    56.0.51

    SEC-267

    Summary

    Stored XSS during WHM cPAddons cron operations.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 3.9 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

    Description

    During the WHM cPAddons install and uninstall processes, output from the 'crontab' command was not sufficiently HTML escaped.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    62.0.27
    60.0.45
    58.0.52
    56.0.51

    SEC-268

    Summary

    Stored XSS during moderated WHM cPAddons installation.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 3.9 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

    Description

    While performing cPAddon installs in WHM, output from the 'chgrp' command was displayed without HTML escaping.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    62.0.27
    60.0.45
    58.0.52
    56.0.51

    SEC-269

    Summary

    Stored XSS in WHM cPAddons processing.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 3.9 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

    Description

    The cPAddons interfaces relied on a temporary file inside the user's home directory to buffer HTML output. When a reseller made cPAddons changes inside of the WHM interfaces for the user, this allowed the injection of HTML into the interface.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    66.0.2
    64.0.33
    62.0.27
    60.0.45
    58.0.52
    56.0.51

    SEC-271

    Summary

    Demo accounts allowed to create databases and users.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 5.0 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

    Description

    The mysql adminbin allowed demo accounts to create and delete databases and users.

    Credits

    This issue was discovered by rack911labs.com.

    Solution

    This issue is resolved in the following builds:
    66.0.2
    64.0.33
    62.0.27
    60.0.45

    SEC-272

    Summary

    EasyApache 4 conversion sets loose domlog ownership and permissions.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 2.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

    Description

    The conversion from EasyApache 3 to EasyApache 4 does not move virtualhost domlogs from the old location to the new location. This results in the logs being recreated by Apache with default world-readable permissions. The conversion script will now create the log files as necessary to ensure correct permissions and ownership are maintained.

    Credits

    This issue was discovered by Alex Kwiecinski.

    Solution

    This issue is resolved in the following builds:
    66.0.2
    64.0.33
    62.0.27
    60.0.45
    58.0.52
    56.0.51

    SEC-273

    Summary

    Domain log files become readable after log processing.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

    Description

    When Apache was configured with piped-logging and the domain log files were processed by cpanellogd, the logfiles would be left with world-readable permissions.

    Credits

    This issue was discovered by Alex Kwiecinski.

    Solution

    This issue is resolved in the following builds:
    66.0.2
    64.0.33
    62.0.27
    60.0.45
    58.0.52
    56.0.51

    SEC-274

    Summary

    Apache configuration file changed to world-readable when rebuilt.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

    Description

    Changes to the Cpanel::AdvConfig module resulted in all AdvConfig managed subsystems getting world-readable configuration files when they were rebuilt. Cpanel::AdvConfig now defaults to the existing file permissions whenever the optional _target_conf_perms argument is not supplied.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    66.0.2
    64.0.33
    62.0.27
    60.0.45

    SEC-280

    Summary

    The cpdavd_error_log can be created with insecure permissions.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 2.2 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

    Description

    If the cpdavd_error_log file is missing when cpdavd starts, then it is possible for it to be created with world-readable permissions. It is possible for sensitive data to be contained within this log. The permissions on this file are now reduced.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    66.0.2
    64.0.33
    62.0.27
    60.0.45
    58.0.52
    56.0.51

    SEC-288

    Summary

    Resellers can read other accounts' domain log files.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 2.7 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

    Description

    Under certain situations domain log files are backed up with the file extensions ".bkup", ".bkup2" and ".offset". A reseller could create a domain with those extensions as a top level domain and gain access to read other users' domain log files. The aforementioned top level domains are no longer allowed during account creation.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    66.0.2
    64.0.33
    62.0.27
    60.0.45
    58.0.52
    56.0.51

    SEC-289

    Summary

    Insecure log file permissions after account modification.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 2.2 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

    Description

    When changing the main domain name of the account, the log files for that domain were not renamed. This resulted in world-readable log files when Apache was restarted.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    66.0.2
    64.0.33
    62.0.27
    60.0.45
    58.0.52
    56.0.51

    SEC-290

    Summary

    Apache domlogs become temporarily world-readable during log processing.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 2.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

    Description

    During log processing, the Apache domain log files were moved out of their normal location. This created a race condition where any restart of Apache would log to the normal log file location with insecure permissions.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    66.0.2
    64.0.33
    62.0.27
    60.0.45
    58.0.52
    56.0.51

    SEC-291

    Summary

    Apache SSL domain logs left behind after account termination.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 2.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

    Description

    The Apache logs for an account's SSL domain and subdomains were left behind by the account termination process. Resellers could recreate the deleted domains to gain access to the log data.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    66.0.2
    64.0.33
    62.0.27
    60.0.45
    58.0.52
    56.0.51

    SEC-294

    Summary

    Corrupted user and group ownership when using 'reassign_post_terminate_cruft'.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 3.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

    Description

    Under very specific file tree structures, it was possible for the script 'reassign_post_terminate_cruft' to corrupt the user and group ownership of symlinks.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    66.0.2
    64.0.33
    62.0.27
    60.0.45
    58.0.52
    56.0.51

    SEC-297

    Summary

    Self XSS Vulnerability in WHM Upload Locale interface.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

    Description

    When uploading a locale file in the WHM Upload Locale interface, page output containing the uploaded file name was not adequately escaped. This could allow for arbitrary code to be injected into the rendered page.

    Credits

    This issue was discovered by Vahagn Vardanyan.

    Solution

    This issue is resolved in the following builds:
    66.0.2
    64.0.33
    62.0.27
    60.0.45
    58.0.52
    56.0.51

    For the PGP-Signed version of this announcement please see: https://news.cpanel.com/wp-content/uploads/2017/07/TSR-2017-0004.disclosure.signed.txt
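
The permission behaviour described in SEC-274 (a rebuilt file keeps its existing permissions unless a mode is supplied) and SEC-280 (a missing file must not be created world-readable), as an added example that is not part of the original announcement and is not cPanel's code. The function names and `DEFAULT_NEW_MODE` are assumptions made for illustration; `naive_rewrite` shows the failure mode next to the hardened form.

```python
import os
import stat
import tempfile

# Assumption: a restrictive default for a file that does not exist yet.
DEFAULT_NEW_MODE = 0o600


def naive_rewrite(path, data):
    """Failure mode: recreate the file and let the umask pick the mode."""
    if os.path.exists(path):
        os.unlink(path)
    with open(path, "wb") as fh:  # created as 0666 & ~umask, often 0644
        fh.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def rewrite_preserving_mode(path, data, mode=None):
    """Atomically replace `path` with `data` (bytes); return the final mode.

    mode=None keeps the permission bits of the existing file, or falls
    back to DEFAULT_NEW_MODE when the file is missing.
    """
    if mode is None:
        try:
            mode = stat.S_IMODE(os.stat(path).st_mode)
        except FileNotFoundError:
            mode = DEFAULT_NEW_MODE
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp creates the temporary file 0600, so nothing is exposed mid-write.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".rewrite-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
            fh.flush()
            # Set the mode explicitly so the umask plays no part in the result.
            os.fchmod(fh.fileno(), mode)
            os.fsync(fh.fileno())
        # Same-directory rename: readers see the old file or the new one,
        # never a partially written or loosely permissioned one.
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return stat.S_IMODE(os.stat(path).st_mode)
```

The replacement file is owned by the calling process; code that rebuilds files on behalf of another user also has to restore ownership, which this example leaves out.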
     