cPanel TSR-2018-0001 Full Disclosure

Discussion in 'cPanel Announcements' started by cPanelJackson, Jan 23, 2018.

  1. cPanelJackson

    cPanelJackson Release Manager
    Staff Member


    SEC-308

    Summary

    SRS secret revealed in exim.conf.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 2.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

    Description

    When the experimental SRS option for Exim was enabled, the secret key used to sign SRS email was visible inside the exim.conf file. This setting is now stored in a separate file that is not world-readable.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    68.0.27
    66.0.35
    62.0.39

    SEC-321

    Summary

    Database and dbuser names were not validated during renames.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

    Description

    When renaming a database or database user via either the MySQL or PostgreSQL adminbins, the new name was not verified to meet cPanel's naming requirements. This allowed an attacker to create databases or database users with reserved or invalid names.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    68.0.27
    66.0.35
    62.0.39

    SEC-324

    Summary

    Ownership not enforced by addpkgext and delpkgext WHM API calls.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 2.7 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

    Description

    The "addpkgext" and "delpkgext" WHM API calls did not restrict modifications to packages and accounts that the reseller was authorized to change. These API calls now restrict modifications based on package and account ownership if the reseller does not have the "all" ACL.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    68.0.27

    SEC-339

    Summary

    Backups revealed contents of directories that the user did not own.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 2.8 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

    Description

    During a backup it was possible to lead the process into directories that the user did not own. The file and directory paths would then be saved to a file that was readable by the user.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    68.0.27
    66.0.35
    62.0.39

    SEC-342

    Summary

    Root's crontab briefly world-readable when enabling backups.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 2.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

    Description

    When enabling backups, it is sometimes necessary to add new entries to root's crontab. To perform this change, a temporary file was created with a predictable name and world-readable permissions. This allowed the crontab to be read by normal users during this action.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    68.0.27
    66.0.35
    62.0.39

    SEC-349

    Summary

    Arbitrary file read via restore adminbin.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

    Description

    Race conditions in the RESTOREFILE functionality of the restore adminbin could be misused by local attackers to read any files on the system.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    68.0.27

    SEC-351

    Summary

    Root's crontab briefly world-readable during crontab configuration.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 2.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

    Description

    When saving changes to root's crontab through the "Configure cPanel Cron Jobs" interface in WHM, a temporary file containing root's crontab was created with world-readable permissions.

    Credits

    This issue was discovered by rack911labs.com.

    Solution

    This issue is resolved in the following builds:
    68.0.27
    66.0.35
    62.0.39

    SEC-352

    Summary

    Root's crontab briefly world-readable during post-update tasks.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

    Description

    During cPanel updates, root's crontab was exposed in a world-readable temporary file by the post-install task to update cPAddons.

    Credits

    This issue was discovered by rack911labs.com.

    Solution

    This issue is resolved in the following builds:
    68.0.27
    66.0.35
    62.0.39

    SEC-353

    Summary

    World-readable copy of httpd.conf created during syntax test.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 2.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

    Description

    During httpd.conf updates on systems using EasyApache4, a copy of the httpd.conf file was created with world-readable permissions.

    Credits

    This issue was discovered by rack911labs.com.

    Solution

    This issue is resolved in the following builds:
    68.0.27
    66.0.35
    62.0.39

    SEC-354

    Summary

    Insecure file operations in bin/csvprocess.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.4 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N

    Description

    The csvprocess script performed file operations on predictably named files in the current working directory. If this script was run by the root user in a user-controlled directory, it was possible for an attacker to cause root-owned files to be overwritten. This script has been removed and its functionality moved into the API call that previously utilized this script.

    Credits

    This issue was discovered by rack911labs.com.

    Solution

    This issue is resolved in the following builds:
    68.0.27
    66.0.35
    62.0.39

    SEC-355

    Summary

    World-readable archive created by archive_sync_zones script.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 2.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

    Description

    When scripts/archive_sync_zones generated a backup file, the resulting archive was created with world-readable permissions.

    Credits

    This issue was discovered by rack911labs.com.

    Solution

    This issue is resolved in the following builds:
    68.0.27
    66.0.35
    62.0.39

    SEC-356

    Summary

    Limited arbitrary file write via telnetcrt script.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.4 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N

    Description

    The telnetcrt script attempted to change directory to a safe location to write temporary files without verifying the directory existed or that the change of directory was successful. If this script was run manually in a world-writable directory, a local attacker could symlink the temporary filenames to unsafe locations. This script is no longer used by cPanel and has been removed.

    Credits

    This issue was discovered by rack911labs.com.

    Solution

    This issue is resolved in the following builds:
    68.0.27
    66.0.35
    62.0.39

    SEC-383

    Summary

    Self-XSS in cPanel Backup Restoration.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

    Description

    When rendering the list of files that are restored from a partial backup, appropriate HTML escaping was not performed. This allowed arbitrary code to be injected into the rendered page.

    Credits

    This issue was discovered by Fabian Patrik of WebSafe.

    Solution

    This issue is resolved in the following builds:
    68.0.27
    66.0.35
    62.0.39

    SEC-385

    Summary

    Self-XSS in WHM Apache Configuration Include Editor.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

    Description

    When rendering invalid syntax after saving new Apache includes, context-appropriate escaping was not performed. This allowed arbitrary code to be injected into the rendered page.

    Credits

    This issue was discovered by Fabian Patrik of WebSafe.

    Solution

    This issue is resolved in the following builds:
    68.0.27
    66.0.35
    62.0.39

    SEC-386

    Summary

    Self-Stored-XSS in WHM Account Transfer.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

    Description

    Account usernames were not properly HTML escaped in the transfer log header when using the Remote User Account Transfer interface in WHM. This allowed arbitrary code to be injected into the rendered page.

    Credits

    This issue was discovered by Fabian Patrik of WebSafe.

    Solution

    This issue is resolved in the following builds:
    68.0.27
    66.0.35
    62.0.39

    SEC-387

    Summary

    Self-XSS in WHM Spamd Startup Config.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

    Description

    When saving spamd directives in WHM Spamd Startup Config, invalid configuration values were displayed without appropriate HTML escaping. This allowed arbitrary code to be injected into the rendered page.

    Credits

    This issue was discovered by Fabian Patrik of WebSafe.

    Solution

    This issue is resolved in the following builds:
    68.0.27
    66.0.35
    62.0.39

    SEC-388

    Summary

    World-readable files created when using WHM Apache Includes Editor.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 2.2 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

    Description

    When modifying the Apache Includes via the WHM Apache Includes Editor, the new configuration is created with world-readable permissions. This allowed for this configuration to be viewed by non-privileged users.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    68.0.27
    66.0.35
    62.0.39

    SEC-389

    Summary

    Self-XSS in WHM listips interface.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

    Description

    The WHM /scripts2/listips interface did not escape user input and backend error messages when displaying JavaScript notices.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    68.0.27
    66.0.35
    62.0.39

    For the PGP-Signed version of this announcement please see: https://news.cpanel.com/wp-content/uploads/2018/01/TSR-2018-0001.disclosure.signed.txt
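
    Several items above (SEC-342, SEC-351, SEC-352, SEC-353, SEC-355, SEC-388) share one root cause: a sensitive file staged under a predictable name with default permissions. The following is an added example, not cPanel's code, contrasting that pattern with a private, atomically renamed temporary file; the function names and the `crontab.new` file name are assumptions made for illustration.

```python
import os
import stat
import tempfile


def write_insecure(path, data):
    """The pattern the advisory describes: predictable name, default mode."""
    tmp = path + ".tmp"          # predictable; open() would follow a planted symlink
    with open(tmp, "w") as fh:   # mode is 0666 & ~umask, typically 0644
        fh.write(data)
    return tmp                   # left in place so its mode can be inspected


def write_private(path, data):
    """Hardened form: random name, O_EXCL, 0600 from creation, atomic rename."""
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp opens with O_CREAT|O_EXCL and mode 0600, so the file is never
    # readable by other users and an existing path or symlink is refused.
    fd, tmp = tempfile.mkstemp(prefix=".tmp-", dir=directory)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        os.rename(tmp, path)     # same directory, so the replace is atomic
    except BaseException:
        os.unlink(tmp)
        raise
    return path


def world_readable(path):
    return bool(os.lstat(path).st_mode & stat.S_IROTH)


def demo():
    """Return (weak file world-readable?, hardened file world-readable?, hardened mode)."""
    old_umask = os.umask(0o022)  # a common default umask
    try:
        with tempfile.TemporaryDirectory() as d:
            target = os.path.join(d, "crontab.new")   # constructed sample name
            weak = write_insecure(target, "constructed sample entry\n")
            strong = write_private(target, "constructed sample entry\n")
            mode = stat.S_IMODE(os.lstat(strong).st_mode)
            return world_readable(weak), world_readable(strong), mode
    finally:
        os.umask(old_umask)
```

    Creating the temporary file in the destination directory keeps the rename on one filesystem, and the final file keeps the 0600 mode it was created with.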
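
    SEC-385 and SEC-389 turn on escaping for the context the value lands in: HTML markup versus a JavaScript string inside a script block. The following is an added example, not cPanel's code, showing one encoder per context; `showNotice` and the render helpers are hypothetical names, and the inputs in the test are constructed.

```python
import html
import json


def html_text(value):
    """Escape for HTML element content or a quoted attribute value."""
    return html.escape(value, quote=True)


def js_string(value):
    """Escape for a string literal placed inside an inline <script> block."""
    # json.dumps handles quotes, backslashes, control characters and (with the
    # default ensure_ascii=True) non-ASCII such as U+2028/U+2029.
    out = json.dumps(value)
    # It leaves <, > and & as-is, so "</script>" in the value would still end
    # the script block; emit them as \uXXXX escapes instead.
    for ch in "<>&":
        out = out.replace(ch, "\\u%04x" % ord(ch))
    return out


def render_file_row(name):
    """HTML context, e.g. a list of restored file names."""
    return "<li>" + html_text(name) + "</li>"


def render_notice(message):
    """JavaScript context, e.g. a backend error shown as a page notice."""
    return "<script>showNotice(" + js_string(message) + ");</script>"
```

    HTML escaping alone is not enough in the second context: `html.escape` leaves backslashes and newlines untouched, and both change the meaning of a JavaScript string literal.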
     