
cPanel TSR-2017-0005 Full Disclosure

Discussion in 'cPanel Announcements' started by cPanelJackson, Sep 19, 2017.


    SEC-276

    Summary

    SQL injection in eximstats processing.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 5.3 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

    Description

    When processing eximstats updates in buffered mode, errors in the SQL operations cause the updates to be reprocessed one statement at a time. The logic used to split the buffered batch back into individual SQL statements was faulty. This resulted in data being processed as SQL commands.
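An added illustration of the failure class described above (not cPanel's code; the table and column names are made up). A buffer of two inserts is split back into statements twice: once naively on every semicolon, which turns a quoted data value into a fragment that is replayed as its own statement, and once with a quote-aware splitter. A sturdier design keeps the buffered statements as a list with bound parameters instead of re-parsing text at all.

```python
import sqlite3
from typing import Iterable

# Constructed sample buffer: two inserts; the second carries a ';' inside a
# quoted data value (hypothetical table/column names, not eximstats' schema).
BUFFER = (
    "INSERT INTO sends (msgid, email) VALUES ('1a2b', 'alice@example.com');"
    "INSERT INTO sends (msgid, email) VALUES ('3c4d', 'bob; x@example.com');"
)

def split_naive(buf: str) -> list[str]:
    """The faulty approach: split on every ';' regardless of quoting."""
    return [s for s in buf.split(";") if s.strip()]

def split_quote_aware(buf: str) -> list[str]:
    """Split on ';' only outside single-quoted literals ('' is an escaped quote)."""
    stmts, cur, in_str, i = [], [], False, 0
    while i < len(buf):
        ch = buf[i]
        if in_str:
            cur.append(ch)
            if ch == "'":
                if i + 1 < len(buf) and buf[i + 1] == "'":
                    cur.append("'")      # escaped quote stays inside the literal
                    i += 1
                else:
                    in_str = False
        elif ch == "'":
            in_str = True
            cur.append(ch)
        elif ch == ";":
            if "".join(cur).strip():
                stmts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    if "".join(cur).strip():
        stmts.append("".join(cur).strip())
    return stmts

def replay_one_at_a_time(stmts: Iterable[str]) -> tuple[int, list[str]]:
    """Retry each statement on its own; return (rows loaded, error messages)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sends (msgid TEXT, email TEXT)")
    errors = []
    for s in stmts:
        try:
            conn.execute(s)
        except sqlite3.Error as e:    # fragments of data surface here as SQL errors
            errors.append(f"{s[:32]}...: {e}")
    return conn.execute("SELECT COUNT(*) FROM sends").fetchone()[0], errors
```

With the naive splitter the second record is lost and two fragments are executed as statements; with the quote-aware splitter both rows load cleanly.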

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    66.0.23
    64.0.40

    SEC-279

    Summary

    SSL hostname verification for support agreement download not enforced.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

    Description

    There was no hostname verification for the support agreement download when creating a support ticket through WHM. This allowed for a user to be subject to a MITM attack.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    66.0.23
    64.0.40
    62.0.30
    60.0.48

    SEC-282

    Summary

    Stored XSS Vulnerability in WHM MySQL Password Change Interfaces.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.6 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

    Description

    When changing the MySQL password for the root user, various scripts are called to update subsystems that rely on this password. One of these scripts updates the Roundcube databases and outputs a list of virtual email accounts. This list was not adequately encoded before displaying to the user and allowed an attacker to inject arbitrary code on the rendered page.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    66.0.23
    64.0.40
    62.0.30
    60.0.48
    56.0.52

    SEC-283

    Summary

    cPanel backup interface could return a backup with all MySQL databases.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 7.7 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

    Description

    With specific database names it was possible for a backup returned by getsqlbackup to contain all MySQL databases on the server, including databases the user did not own.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    66.0.23
    64.0.40
    62.0.30
    60.0.48
    56.0.52

    SEC-284

    Summary

    User account backups could contain all MySQL databases on the server.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 7.7 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

    Description

    With specific database names it was possible for an account backup to contain all MySQL databases on the server, including databases the user did not own.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    66.0.23
    64.0.40
    62.0.30
    60.0.48
    56.0.52

    SEC-285

    Summary

    Addon domain conversion can copy all MySQL databases to the new account.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 6.8 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

    Description

    It was possible for a reseller account to perform an addon domain conversion and the resulting account would be given a copy of every MySQL table on the server.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    66.0.23
    64.0.40
    62.0.30
    60.0.48
    56.0.52

    SEC-296

    Summary

    Account rename can result in Apache logfiles becoming world-readable.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 2.2 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

    Description

    When modifying the account's main domain name, there was a small interval between when the Apache log files are renamed, and when httpd restarts. During this interval, if the site is accessed, Apache would create the logs as world-readable. This allowed for a leak of potentially sensitive data.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    66.0.23
    64.0.40
    62.0.30
    60.0.48
    56.0.52

    SEC-299

    Summary

    Backup system overwrites root's home directory when mount disappears.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 7.8 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

    Description

    When performing an account backup, the backup script will chdir() to the backup directory. If a file system failure is occurring when this chdir() is made, it is possible for the directory to be changed to root's home directory. This can allow for files within this directory to be overwritten.

    Credits

    This issue was discovered by NameCheap, Inc.

    Solution

    This issue is resolved in the following builds:
    66.0.23
    64.0.40
    62.0.30
    60.0.48
    56.0.52

    SEC-300

    Summary

    Open redirect in /unprotected/redirect.html.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 7.4 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

    Description

    The goto_uri parameter of /unprotected/redirect.html could be used as an open redirect to a potentially harmful domain.
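An added example (not cPanel's code) of the kind of validation that closes an open redirect like the one above: the redirect target is accepted only when it is a local absolute path, and it is rebuilt from parsed parts so that anything carrying a scheme or host, a protocol-relative `//host` form, a backslash, or a control character falls back to a fixed default. The policy and the default target are assumptions for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_TARGET = "/"  # assumed landing page when goto_uri is rejected

def safe_goto_uri(goto_uri: str) -> str:
    """Return goto_uri if it is a local absolute path, else DEFAULT_TARGET.

    Assumed policy (not cPanel's): the redirect may only point at a path on
    the same host, so any value carrying a scheme or host is refused.
    """
    if not goto_uri or any(ord(c) < 0x20 or c == "\\" for c in goto_uri):
        return DEFAULT_TARGET                # control chars, header splitting, '\' tricks
    parts = urlsplit(goto_uri.strip())
    if parts.scheme or parts.netloc:
        return DEFAULT_TARGET                # "https://host/..." and "//host/..." forms
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return DEFAULT_TARGET                # relative paths and leftover "//" prefixes
    # Rebuild from path/query/fragment only, so no scheme or host survives.
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))
```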

    Credits

    This issue was discovered by Fredrik Almroth.

    Solution

    This issue is resolved in the following builds:
    66.0.23
    64.0.40
    62.0.30
    60.0.48
    56.0.52

    SEC-302

    Summary

    Code execution as mailman user due to faulty environmental variable filtering.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

    Description

    The blacklist environmental variable filtering in Mailman allowed variables that could influence the operation of the Python interpreter. On cPanel & WHM systems, this faulty filtering allowed local users to run arbitrary code as the shared mailman user.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    66.0.23
    64.0.40
    62.0.30
    60.0.48
    56.0.52

    SEC-303

    Summary

    Arbitrary file overwrite via Roundcube SQLite schema update.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 2.8 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N

    Description

    During Roundcube SQLite schema updates, the SQLite database files were opened by root inside the user's home directory. This could allow for arbitrary files to be created or overwritten on the system.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    66.0.23
    64.0.40
    62.0.30
    60.0.48
    56.0.52

    For the PGP-Signed version of this announcement please see: https://news.cpanel.com/wp-content/uploads/2017/09/TSR-2017-0005.disclosure.signed.txt