cPanel TSR-2018-0002 Full Disclosure

Discussion in 'cPanel Announcements' started by cPanelJackson, Mar 20, 2018.

  1. cPanelJackson

    cPanelJackson Release Manager
    Staff Member


    SEC-338

    Summary

    Arbitrary file chmod during legacy incremental backups.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 7.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

    Description

    It was possible for a user to prepare their home directory in a way that after a series of incremental backups they could chmod arbitrary files on the system.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    70.0.23
    68.0.33
    62.0.42

    SEC-357

    Summary

    Self-XSS in WHM cPAddons showsecurity Interface.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

    Description

    The addon parameter to the cPAddons showsecurity interface is not adequately encoded when included in the final rendered page. This allowed for arbitrary scripts to be injected into the rendered page.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    70.0.23
    68.0.33

    SEC-359

    Summary

    Code execution via '.' in @INC during perl syntax check of cpaddonsup.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 7.6 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

    Description

    The syntax check performed during /scripts/cpaddonsup did not use the fully qualified path to the cPanel distributed perl interpreter. This could allow an attacker to execute arbitrary code if root executed this script in a user controlled directory.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    70.0.23
    68.0.33
    62.0.42

    SEC-362

    Summary

    Demo account code execution via awstats.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 7.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

    Description

    The awstats application can be abused to execute arbitrary code on the server. This can be used by demo accounts to execute arbitrary code.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    70.0.23
    68.0.33
    62.0.42

    SEC-364

    Summary

    Root accesshash revealed by WHM /cgi/trustclustermaster.cgi.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 5.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N

    Description

    A logic error in /cgi/trustclustermaster.cgi potentially exposed root's accesshash when executed by a reseller with the DNS Clustering ACL.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    70.0.23
    68.0.33
    62.0.42

    SEC-368

    Summary

    OpenID providers can inject arbitrary data into cPanel session files.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 6.4 CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N

    Description

    cPanel session files are not capable of handling values including newlines. When linking accounts, OpenID Connect provider data is directly passed from the remote provider into the session. If this data includes a newline, it is possible to corrupt the session, allowing login to non-linked accounts.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    70.0.23
    68.0.33
    62.0.42

    SEC-369

    Summary

    Stored XSS in WHM Edit DNS Zone.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.6 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

    Description

    When saving a modified DNS zone, the MX records are parsed in order to reconfigure mail routing. This parsing process is not correct and processes non-MX records by mistake. This in combination with insufficient encoding of output error messages allowed for an attacker to inject arbitrary code into the rendered page when a DNS zone is saved.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    70.0.23
    68.0.33
    62.0.42

    SEC-370

    Summary

    Stored XSS in WHM Edit MX Entry.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.6 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

    Description

    When saving a modified MX record, the MX records are parsed in order to reconfigure mail routing. This parsing process is not correct and processes non-MX records by mistake. This in combination with insufficient encoding of output error messages allowed for an attacker to inject arbitrary code into the rendered page when an MX record is saved.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    70.0.23
    68.0.33
    62.0.42

    SEC-372

    Summary

    Remote Stored XSS in WHM DNS Cluster.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

    Description

    When viewing the list of currently configured DNS Cluster server members, the server version did not perform context appropriate escaping. This could allow an attacker to execute arbitrary code in the rendered page.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    70.0.23
    68.0.33
    62.0.42

    SEC-373

    Summary

    Remote Stored XSS in WHM Create Account.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

    Description

    When creating an account while an attacker controlled DNS cluster server is configured, messages passed back from DNS Admin did not apply context appropriate escaping. This allowed arbitrary code to be injected into the rendered page.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    70.0.23
    68.0.33
    62.0.42

    SEC-374

    Summary

    Remote Stored XSS in WHM Edit DNS Zone.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

    Description

    When editing DNS zones while an attacker controlled DNS cluster server is configured, messages passed back from DNS Admin did not apply context appropriate escaping. This allowed arbitrary code to be injected into the rendered page.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    70.0.23
    68.0.33
    62.0.42

    SEC-375

    Summary

    Remote Stored XSS in WHM Delete a DNS Zone.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

    Description

    When deleting DNS zones while an attacker controlled DNS cluster server is configured, messages passed back from DNS Admin did not apply context appropriate escaping. This allowed arbitrary code to be injected into the rendered page.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    70.0.23
    68.0.33
    62.0.42

    SEC-376

    Summary

    Remote Stored XSS in WHM DNS Cleanup.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

    Description

    When cleaning up DNS zones while an attacker controlled DNS cluster server is configured, messages passed back from DNS Admin did not apply context appropriate escaping. This allowed arbitrary code to be injected into the rendered page.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    70.0.23
    68.0.33
    62.0.42

    SEC-377

    Summary

    Remote Stored XSS in WHM Synchronize DNS Records.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

    Description

    When syncing DNS zones while an attacker controlled DNS cluster server is configured, messages passed back from DNS Admin did not apply context appropriate escaping. This allowed arbitrary code to be injected into the rendered page.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    70.0.23
    68.0.33
    62.0.42

    SEC-378

    Summary

    Arbitrary file read and unlink via WHM style uploads.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 7.6 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N

    Description

    A logic error in the handling of file uploads allowed attackers with the "manage-styles" ACL to read or unlink any file on the server with root's effective permissions.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    70.0.23
    68.0.33
    62.0.42

    SEC-379

    Summary

    Local privilege escalation via WHM Legacy Language File Upload interface.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 8.2 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

    Description

    A logic error in the handling of file uploads allowed attackers with the "locale-edit" ACL to read, write and chmod files with root's effective permissions. A local attacker could misuse this behavior to run arbitrary code as the root user.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    70.0.23
    68.0.33
    62.0.42

    SEC-380

    Summary

    Local privilege escalation via WHM Locale XML Upload interface.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 8.2 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

    Description

    A logic error in the handling of file uploads allowed attackers with the "locale-edit" ACL to read, write and chmod files with root's effective permissions. A local attacker could misuse this behavior to run arbitrary code as the root user.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    70.0.23
    68.0.33
    62.0.42

    SEC-382

    Summary

    Jailshell breakout via incorrect crontab parsing.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 3.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

    Description

    There was a mismatch between what the crontab daemon considers whitespace versus the validation applied against new cron entries. This allowed for an attacker to set entries to be run by an arbitrary shell resulting in escape from jailshell.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    70.0.23
    68.0.33
    62.0.42

    SEC-391

    Summary

    Remote Stored XSS in cpaddons vendor interface.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

    Description

    When adding a 3rd party vendor to the cpaddons interface, the output was not properly escaped. This allowed remotely stored malicious files to execute arbitrary code in the rendered page.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    70.0.23
    68.0.33
    62.0.42

    SEC-392

    Summary

    Open redirect via /unprotected/redirect.html endpoint.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

    Description

    The redirect script present at /unprotected/redirect.html does not adequately validate the redirect path parameter. This allowed for a redirect to arbitrary URLs.

    Credits

    This issue was discovered by Georgi Vasilev of siteground.com.

    Solution

    This issue is resolved in the following builds:
    70.0.23
    68.0.33
    62.0.42

    SEC-401

    Summary

    Htaccess restrictions bypass when "Htaccess Optimization" enabled.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

    Description

    The "Htaccess Optimization" functionality introduced in cPanel & WHM version 66 allowed the bypassing of account suspensions and .htaccess based access controls with some configurations. This functionality has been disabled and will be replaced with an alternative optimization method in a future update.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    70.0.23
    68.0.33

    SEC-405

    Summary

    Demo account code execution via cPanel Landing Page.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 7.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

    Description

    The app_name parameter used in the cPanel Landing Page template could be abused to additionally process a template controlled by a cPanel user. This can be used by demo accounts to execute arbitrary code.

    Credits

    This issue was discovered by Fabian Patrik of websafe.hu.

    Solution

    This issue is resolved in the following builds:
    70.0.23
    68.0.33
    62.0.42

    SEC-406

    Summary

    Apache logs exposed by creation of certain domains.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.1 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

    Description

    A reseller could create a domain that would use and change ownership of already existing domain log files. These domains use the ".localhost" TLD. It is no longer possible to create a domain with the aforementioned TLD.

    Credits

    This issue was discovered by rack911labs.com.

    Solution

    This issue is resolved in the following builds:
    70.0.23
    68.0.33
    62.0.42

    SEC-410

    Summary

    Stored XSS in WHM Edit DNS Zone.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.6 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

    Description

    When editing a DNS zone, error messages for a zone that cannot be parsed correctly are returned to the user. These error messages are not sufficiently encoded. This allowed arbitrary code to be injected into the rendered page.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    70.0.23
    68.0.33
    62.0.42

    SEC-411

    Summary

    Email account suspensions can be applied to unowned accounts.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.4 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

    Description

    It was possible for a user to suspend or unsuspend email accounts they did not own by taking advantage of email account names that contained newlines.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    70.0.23
    68.0.33
    62.0.42

    SEC-412

    Summary

    Stored XSS in WHM Reset a DNS Zone.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.6 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

    Description

    When resetting a DNS zone, error messages for a zone that cannot be parsed correctly are returned to the user. These error messages are not sufficiently encoded. This allowed arbitrary code to be injected into the rendered page.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    70.0.23
    68.0.33
    62.0.42

    SEC-371

    Summary

    Any user is able to shut down Solr.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

    Description

    The solr daemon stop key is passed to the daemon on the command line when it is started. This value is visible in the process listing when the daemon is running. Other users are able to see this, allowing a potential attacker to shut down the daemon at any time.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    70.0.23
    68.0.33

    For the PGP-Signed version of this announcement please see: https://news.cpanel.com/wp-content/uploads/2018/03/TSR-2018-0002.disclosure.signed.txt
     
    vacancy likes this.
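
SEC-368 and SEC-411 in the announcement above both come down to a line-oriented store accepting a value that contains a line break. The following is an added example, not cPanel code: it uses a constructed `key=value` format (an assumption, not the real session file layout) to show the unsafe writer next to one that rejects every character the reader treats as a line boundary.

```python
import unicodedata

# Constructed "key=value" per-line session format for illustration only;
# it is not cPanel's real session file layout.

def serialize_naive(fields):
    """Vulnerable pattern: write each value verbatim, one field per line."""
    return "".join(f"{key}={value}\n" for key, value in fields.items())

def parse(text):
    """Line-oriented reader; a repeated key overwrites the earlier one."""
    session = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            session[key] = value
    return session

def _breaks_line(text):
    # Cc = control characters (\n, \r, \x0b, \x0c, \x1c-\x1e, \x85, ...),
    # Zl/Zp = U+2028/U+2029. Together these cover every boundary that
    # str.splitlines() honours, so writer and reader agree on what a line is.
    return any(unicodedata.category(ch) in ("Cc", "Zl", "Zp") for ch in text)

def serialize_strict(fields):
    """Hardened pattern: refuse fields the format cannot represent."""
    lines = []
    for key, value in fields.items():
        if not key or "=" in key or _breaks_line(key) or _breaks_line(value):
            raise ValueError(f"field {key!r} cannot be stored on one line")
        lines.append(f"{key}={value}\n")
    return "".join(lines)

# Constructed input: 'user' is set locally, 'display_name' stands in for
# data returned by a remote identity provider.
CONSTRUCTED_SESSION = {"user": "alice", "display_name": "Bob\nuser=carol"}

def demo():
    """Return (user seen after the naive round trip, strict writer rejected?)."""
    corrupted = parse(serialize_naive(CONSTRUCTED_SESSION))
    try:
        serialize_strict(CONSTRUCTED_SESSION)
        rejected = False
    except ValueError:
        rejected = True
    return corrupted["user"], rejected

if __name__ == "__main__":
    print(demo())
```

Checking only for `\n` is not enough when the reader splits on a wider set of separators; the validation has to use the same definition of a line as the parser.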
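
SEC-371 describes a secret that any local user can read because it is passed on a daemon's command line. The following is an added audit sketch, not cPanel code: it walks a `/proc`-style tree and reports options that appear to carry a credential in argv. The keyword list, the `--stop-key` option name and the sample process tree are all constructed for the example.

```python
import os
import re
import tempfile

# Option names that suggest a credential is passed in argv. The keyword list
# is an assumption for this example; options ending in "file"/"path" are
# skipped because they name a location, not the secret itself.
SECRET_ARG = re.compile(
    r"(?i)^-{0,2}(?![\w.\-]*(?:file|path)=)"
    r"[\w.\-]*(?:key|secret|passw(?:or)?d|token)[\w.\-]*=.+"
)

def read_argv(pid_dir):
    """Return argv for one /proc/<pid> directory, or [] if unreadable."""
    try:
        with open(os.path.join(pid_dir, "cmdline"), "rb") as fh:
            raw = fh.read()
    except OSError:  # process exited, or access denied
        return []
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]

def audit(proc_root="/proc"):
    """Return (pid, option name) pairs whose argv appears to carry a secret.

    Values are not returned, so the report itself does not leak them.
    """
    findings = []
    for entry in sorted(os.listdir(proc_root)):
        if not entry.isdigit():
            continue
        for arg in read_argv(os.path.join(proc_root, entry)):
            if SECRET_ARG.match(arg):
                findings.append((int(entry), arg.split("=", 1)[0]))
    return findings

def build_sample_proc(root):
    """Write a constructed /proc-like tree so the audit runs offline."""
    samples = {
        "101": [b"daemon", b"--stop-key=EXAMPLE-NOT-A-REAL-KEY", b"--port=8983"],
        "102": [b"daemon", b"--stop-key-file=/etc/daemon/stop.key"],
    }
    for pid, argv in samples.items():
        os.makedirs(os.path.join(root, pid))
        with open(os.path.join(root, pid, "cmdline"), "wb") as fh:
            fh.write(b"\0".join(argv) + b"\0")
    return root

def demo():
    with tempfile.TemporaryDirectory() as root:
        return audit(build_sample_proc(root))

if __name__ == "__main__":
    print(demo())
```

Run as an unprivileged account, `audit()` with the default `/proc` root shows what any local user can see; process 102 in the sample passes a path to a key file instead of the key and is not flagged.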