cPanel TSR-2018-0003 Full Disclosure

Discussion in 'cPanel Announcements' started by cPanelJackson, May 22, 2018.


    SEC-393

    Summary

    API tokens retain ACLs that are removed from accounts.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 6.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

    Description

    Starting with cPanel & WHM version 68, it became possible to limit the authorizations of a WHM API token to a subset of the ACLs assigned to the reseller account. The logic that implemented this behavior did not restrict API tokens to the ACLs that were currently assigned to the reseller account. This allowed a reseller to retain access to an ACL after the ACL was removed from the reseller's account.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    70.0.43
    68.0.39

    SEC-394

    Summary

    Stored code execution injections in WHM cPAddons interface.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L

    Description

    The cpaddons_report.pl script escaped user provided data with incorrect escaping functions in several places. This allowed cPanel users to cause unintended actions when the server administrator clicked links in the WHM cPAddons interfaces.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    70.0.43
    68.0.39
    62.0.47

    SEC-395

    Summary

    Arbitrary file unlink via cPAddons moderation system.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 2.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N

    Description

    When the server administrator approves or denies a moderated cPAddons install, the moderation request file stored in the user's home directory is removed. The file removal was performed with root privileges and could be misused by a local attacker to delete arbitrary files on the system.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    70.0.43
    68.0.39
    62.0.47

    SEC-396

    Summary

    Email injection in cPAddons moderation.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 2.6 CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N

    Description

    The cPAddons moderation script did not adequately validate email addresses provided by the user when handling cPAddons moderation requests. This allowed an attacker to inject arbitrary header data into the moderation response email.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    70.0.43
    68.0.39
    62.0.47

    SEC-398

    Summary

    Remote-Stored XSS in WHM cPAddons installation interface.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

    Description

    When installing a cPAddon in WHM the output was not properly escaped. This allowed an attacker to execute arbitrary code in the rendered page.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    70.0.43
    68.0.39
    62.0.47

    SEC-399

    Summary

    Remote-stored XSS in YUM autorepair functionality.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

    Description

    The EasyApache 3 build process attempts an automatic repair of the system's YUM configuration if it appears broken. While downloading a replacement Yum repo file, error messages generated by the remote server were displayed to the user without context-appropriate escaping. This allowed an attacker to insert arbitrary HTML into the rendered page.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    70.0.43
    68.0.39
    62.0.47

    SEC-400

    Summary

    Remote-Stored XSS in WHM Save Theme Interface.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

    Description

    During the download of cPanel-provided themes it was possible for an attacker to inject arbitrary HTML into the rendered page.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    70.0.43
    68.0.39
    62.0.47

    SEC-408

    Summary

    ClamAV installation reveals the contents of root's crontab.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 2.2 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

    Description

    When installing the ClamAV plugin, cron entries are added to root’s crontab to refresh the ClamAV virus database. This modification used a world-readable temporary file, allowing unprivileged users to read the contents of root’s crontab.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    70.0.43
    68.0.39
    62.0.47

    SEC-421

    Summary

    Self-XSS in WHM Backup Configuration interface.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

    Description

    The backup destination validation alerts did not perform context-appropriate escaping. This allowed an attacker to inject arbitrary HTML into the rendered page.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    70.0.43

    SEC-427

    Summary

    Cron feature restriction not enforced for API calls.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

    Description

    cPanel accounts without the "Cron" feature were allowed to view and manipulate cron by calling the Cron APIs and adminbins directly.

    Credits

    This issue was discovered by rack911labs.com.

    Solution

    This issue is resolved in the following builds:
    70.0.43
    68.0.39
    62.0.47

    SEC-429

    Summary

    Backup feature restriction not enforced for API calls.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 5.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

    Description

    The "backupwizard" feature was removed from cPanel & WHM because it duplicated the role of the "backup" feature. When this feature was removed, the API calls that required either of the "backup" or "backupwizard" features became accessible to all users.

    Credits

    This issue was discovered by rack911labs.com.

    Solution

    This issue is resolved in the following builds:
    70.0.43
    68.0.39
    62.0.47

    SEC-430

    Summary

    Images feature restriction not enforced for API calls.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

    Description

    The "Images" feature that is used to control visibility of the "Images" icon in the cPanel interface was checked in an incorrect fashion by the API1 functions that perform image modifications.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    70.0.43
    68.0.39
    62.0.47

    SEC-432

    Summary

    Cpanel Mime::list_hotlinks API feature restriction not enforced.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

    Description

    The Mime::list_hotlinks API did not check the correct feature list item. This allowed users without the appropriate feature to access the API.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    70.0.43
    68.0.39
    62.0.47

    SEC-435

    Summary

    Arbitrary file read in pkgacct custom template handling.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

    Description

    It was possible to add arbitrary files, normally unreadable by unprivileged users, to a backup created by pkgacct by adding a custom Apache vhost template to unrelated files within the userdata directory.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    70.0.43
    68.0.39
    62.0.47

    For the PGP-Signed version of this announcement please see: https://news.cpanel.com/wp-content/uploads/2018/05/TSR-2018-0003.disclosure.signed.txt
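The SEC-393 logic error, shown with added example code (written for this page, not cPanel's implementation; the ACL names and the in-memory account store are illustrative). The point is that a token's effective ACL set has to be recomputed from the reseller's current ACLs on every request, not frozen at token creation:

```python
"""Request-time ACL scoping for reseller API tokens (added example, not cPanel code)."""
from dataclasses import dataclass, field

@dataclass
class Reseller:
    name: str
    acls: set = field(default_factory=set)  # ACLs currently assigned to the account

@dataclass
class ApiToken:
    owner: str
    requested_acls: set  # the subset the token was limited to when it was created

ACCOUNTS = {}  # name -> Reseller; constructed in-memory account store

def create_token(owner, acls):
    """A token may only be limited to ACLs the reseller holds at creation time."""
    missing = set(acls) - ACCOUNTS[owner].acls
    if missing:
        raise PermissionError(f"{owner} does not hold {sorted(missing)}")
    return ApiToken(owner, set(acls))

def effective_acls_vulnerable(token):
    # Defective pattern (SEC-393 shape): trusts the ACL set frozen into the
    # token, so an ACL removed from the account later is still honoured.
    return set(token.requested_acls)

def effective_acls_fixed(token):
    # Correct pattern: intersect with the ACLs the account holds *now*, so
    # removing an ACL from the reseller revokes it for every token at once.
    return token.requested_acls & ACCOUNTS[token.owner].acls

def authorize(token, acl, effective=effective_acls_fixed):
    """Per-request check; `effective` selects which scoping rule is applied."""
    return acl in effective(token)

def demo():
    # Illustrative ACL names; the real WHM ACL catalogue is not modelled here.
    ACCOUNTS["bob"] = Reseller("bob", {"list-accts", "create-acct", "kill-acct"})
    tok = create_token("bob", {"list-accts", "kill-acct"})
    ACCOUNTS["bob"].acls.discard("kill-acct")  # administrator removes the ACL
    return (authorize(tok, "kill-acct", effective_acls_vulnerable),
            authorize(tok, "kill-acct", effective_acls_fixed),
            authorize(tok, "list-accts", effective_acls_fixed))
```

`demo()` returns `(True, False, True)`: the frozen token still grants the removed ACL, the request-time intersection does not, and ACLs the account still holds keep working.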
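SEC-427, SEC-429, SEC-430 and SEC-432 share one lesson: hiding an icon in the cPanel UI is not a permission check, and every API entry point must verify the feature itself. The added example below (written for this page, not cPanel's code; the feature catalogue, the name=0/1 feature-list model and the decorator are assumptions) also models one way the SEC-429 failure can arise, a default-allow lookup that treats a retired feature name as enabled for everyone, beside a fail-closed check:

```python
"""Feature-list enforcement in the API layer (added example, not cPanel code)."""
import functools

# Constructed catalogue of feature names still defined; "backupwizard" is retired.
KNOWN_FEATURES = {"backup", "cron", "images", "hotlink"}

class FeatureDenied(PermissionError):
    pass

def feature_enabled_vulnerable(feature_list, name):
    # Default-allow lookup: a feature counts as enabled unless the user's
    # feature list explicitly sets it to "0". A retired name is never written
    # to any feature list, so it reads as enabled for every user.
    return feature_list.get(name, "1") == "1"

def feature_enabled_fixed(feature_list, name):
    # Fail closed: only a known feature explicitly set to "1" is enabled.
    return name in KNOWN_FEATURES and feature_list.get(name) == "1"

def require_feature(*names, check=feature_enabled_fixed):
    """Gate an API function on the caller holding at least one of `names`.
    The check lives with the API function, not with the icon in the UI."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(user, *args, **kwargs):
            if not any(check(user["features"], n) for n in names):
                raise FeatureDenied(f"{fn.__name__} requires one of {names}")
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator

@require_feature("backup", "backupwizard")
def fetch_backup(user):
    return f"backup archive for {user['name']}"

@require_feature("backup", "backupwizard", check=feature_enabled_vulnerable)
def fetch_backup_vulnerable(user):
    return f"backup archive for {user['name']}"

def demo():
    # Constructed user whose feature list (name=0/1 pairs) disables backups.
    user = {"name": "alice", "features": {"backup": "0", "cron": "1"}}
    vulnerable = fetch_backup_vulnerable(user)  # granted via retired "backupwizard"
    try:
        fetch_backup(user)
        fixed = "granted"
    except FeatureDenied:
        fixed = "denied"
    return vulnerable, fixed
```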
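For SEC-396, the defence is to validate the user-supplied address as a single bare addr-spec before it reaches a header and to build the message with the mail library rather than by string concatenation. Added example, not cPanel's moderation script; the header layout, the addon name and the hostile input are constructed:

```python
"""Validating addresses before they reach mail headers (added example, not cPanel code)."""
import re
from email.message import EmailMessage

# One bare addr-spec: no display name, no whitespace, no control characters.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

class InvalidAddress(ValueError):
    pass

def validate_address(value):
    """Reject anything that could terminate a header line or start a new one."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise InvalidAddress("control character in address")
    if not ADDR_RE.fullmatch(value):
        raise InvalidAddress("not a single bare address")
    return value

def moderation_reply_vulnerable(user_addr, addon, decision):
    # Defect (SEC-396 shape): the unvalidated address is concatenated into the
    # header block, so a CRLF inside it starts a new, sender-chosen header.
    return ("From: root@localhost\r\nTo: %s\r\nSubject: cPAddon %s %s\r\n\r\n"
            "Your request was %s.\r\n") % (user_addr, addon, decision, decision)

def moderation_reply(user_addr, addon, decision):
    # Validated input, and headers set through the email library instead of
    # string concatenation.
    msg = EmailMessage()
    msg["From"] = "root@localhost"
    msg["To"] = validate_address(user_addr)
    msg["Subject"] = f"cPAddon {addon} {decision}"
    msg.set_content(f"Your request was {decision}.\n")
    return msg

def header_lines(raw):
    """Header lines of a raw CRLF message (used to show the extra header)."""
    return raw.split("\r\n\r\n", 1)[0].split("\r\n")
```

With a constructed address containing a CRLF, the concatenated version gains a fourth header line while `moderation_reply` raises `InvalidAddress`.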