cPanel TSR-2018-0004 Full Disclosure

Discussion in 'cPanel Announcements' started by cPanelJackson, Jul 17, 2018.


    SEC-367

    Summary

    Stored-XSS in WHM File Restoration interface.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.6 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

    Description

    Filenames containing AngularJS markup were interpolated into angular-growl format strings. These format strings were then interpolated a second time before being used in growl notifications. This allowed cPanel users to insert XSS payloads into the WHM File Restoration interface.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    72.0.10
    70.0.53

    SEC-416

    Summary

    Apache configuration injection due to document root variable interpolation.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 5.3 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

    Description

    Subdomain document root paths were allowed with Apache variable interpolation syntax. Under some conditions, malicious cPanel users could misuse this behavior to inject arbitrary Apache directives into the web server's configuration.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    72.0.10
    70.0.53

    SEC-418

    Summary

    Insecure storage of phpMyAdmin session files.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.2 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

    Description

    Due to a misconfiguration of phpMyAdmin's php.ini file, the /tmp directory was used for session files storage. Local attackers could misuse this behavior to execute arbitrary code as the shared cpanelphpmyadmin user.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    72.0.10
    70.0.53

    SEC-420

    Summary

    SQL injection during database backups.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

    Description

    The cPanel backup process creates temporary data as part of backing up a database. The format of this data was vulnerable to manipulation by the backed up database names. This allowed an attacker to execute arbitrary SQL commands with the root account's MySQL permissions.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    72.0.10
    70.0.53

    SEC-424

    Summary

    File modification as root via faulty HTTP authentication.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

    Description

    When logging in via HTTP Basic Authentication, the REMOTE_USER environment variable is set from the username. By inserting null characters into the username, it was possible to truncate the environment variable when it is passed to subprocesses. This allowed local attackers to modify files as the root user.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    72.0.10
    70.0.53

    SEC-425

    Summary

    Limited file read via password file caching.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 2.8 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

    Description

    When logging in as a webmail user, cpsrvd reads the password and cache files located in the user’s home directory as root. It was possible to cause this to read arbitrary files on the system and write back a limited amount of data to the user’s home directory.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    72.0.10
    70.0.53

    SEC-426

    Summary

    Arbitrary zonefile modifications allowed during record edits.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

    Description

    The types of DNS zone records that a cPanel user may add, delete, or edit are limited by the feature settings for the account. During zonefile edits, the new type of an edited record was not validated as a permitted record type for the user. This allowed cPanel users with the "changemx", "simplezoneedit", or "zoneedit" features to make arbitrary changes to zone files.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    72.0.10
    70.0.53

    SEC-436

    Summary

    Arbitrary file read during File Restoration.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 5.9 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

    Description

    When using the "File Restoration" feature on an incremental backup, it incorrectly translated tar escape sequences in filenames. This allowed an attacker to read arbitrary files on the system as root.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    72.0.10
    70.0.53

    SEC-439

    Summary

    Arbitrary zonefile modifications due to faulty CAA record handling.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

    Description

    cPanel accounts with the "zoneedit" feature are allowed to create and modify CAA DNS records. The validator for new CAA records allowed several types of injections that would split a single CAA record entry into multiple DNS records with arbitrary content.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    72.0.10
    70.0.53

    SEC-442

    Summary

    File rename vulnerability during account renames.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 3.2 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N

    Description

    While renaming cPanel accounts, the security policy data files stored in the user's home directory were renamed with root permissions. This allowed malicious resellers with the Account Modification privilege to rename arbitrary files on the system.

    Credits

    This issue was discovered by rack911labs.com.

    Solution

    This issue is resolved in the following builds:
    72.0.10
    70.0.53

    SEC-443

    Summary

    Website contents accessible to local attackers through git repos.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 2.9 CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

    Description

    The Git Version Control functionality in cPanel relied on the git binary to create the directories for git repos. The git binary created these directories with very open (0755) permissions, allowing other accounts on the system to examine the contents of the files in the repo. This functionality has been changed to create repo directories with 0700 permissions if the directory does not already exist.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    72.0.10

    For the PGP-Signed version of this announcement please see: https://news.cpanel.com/wp-content/uploads/2018/07/TSR-2018-0004.disclosure.signed.txt
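The REMOTE_USER truncation described under SEC-424 comes from a length-counted username crossing into a NUL-terminated environment string. The check below is an added example, not cPanel's code and not part of the announcement; the allowed character set, the function names and the sample username are assumptions.

```python
import ctypes
import re

# Assumption: the character set accepted for login names; adjust to policy.
SAFE_USER = re.compile(rb"[A-Za-z0-9._@+-]{1,128}")


def c_string_view(value: bytes) -> bytes:
    """Bytes a C consumer (getenv, execve envp) reads: up to the first NUL."""
    return ctypes.create_string_buffer(value).value


def export_remote_user(raw: bytes, env: dict) -> dict:
    """Validate the decoded Basic-auth username, then place it in env.

    Rejects any name whose length-counted form differs from its C-string
    form, so the authenticated identity and the exported one cannot diverge.
    """
    if c_string_view(raw) != raw:
        raise ValueError("username contains a NUL byte")
    if not SAFE_USER.fullmatch(raw):
        raise ValueError("username contains disallowed characters")
    child_env = dict(env)
    child_env["REMOTE_USER"] = raw.decode("ascii")
    return child_env


# Constructed sample: the server sees the full name, while a subprocess
# reading the environment would see only the part before the NUL.
SAMPLE = b"alice\x00@example.test"
```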
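SEC-426 and SEC-439 both concern validation of zone edits: the record type after an edit, and CAA fields that must stay within one record. The sketch below is an added example, not cPanel's validator and not part of the announcement; the feature-to-type mapping, the accepted CAA tags and all function names are assumptions.

```python
import re

# Assumption (not from the advisory): record types each feature permits.
FEATURE_TYPES = {
    "changemx": {"MX"},
    "simplezoneedit": {"A", "CNAME"},
    "zoneedit": {"A", "AAAA", "CAA", "CNAME", "MX", "SRV", "TXT"},
}
CAA_TAGS = {"issue", "issuewild", "iodef"}
# Printable ASCII except the double quote and backslash, which would end or
# escape the quoted string in a zone file; newlines and controls never match.
CAA_VALUE = re.compile(r"[\x20\x21\x23-\x5b\x5d-\x7e]{0,255}")
OWNER_NAME = re.compile(r"[A-Za-z0-9_.-]{1,253}")


def permitted_types(features):
    """Union of the record types granted by the account's features."""
    allowed = set()
    for feature in features:
        allowed |= FEATURE_TYPES.get(feature, set())
    return allowed


def check_edit(features, old_type, new_type):
    """Validate the existing type and the type the edit changes it to."""
    allowed = permitted_types(features)
    for rtype in (old_type, new_type):
        if rtype.upper() not in allowed:
            raise PermissionError(f"record type {rtype!r} not permitted")


def render_caa(name, ttl, flag, tag, value):
    """Return exactly one zone-file line for a CAA record, or raise."""
    if not OWNER_NAME.fullmatch(name):
        raise ValueError("bad owner name")
    if not (isinstance(ttl, int) and 0 < ttl <= 2**31 - 1):
        raise ValueError("bad TTL")
    if not (isinstance(flag, int) and 0 <= flag <= 255):
        raise ValueError("bad flag")
    if tag not in CAA_TAGS:
        raise ValueError("bad tag")
    if not CAA_VALUE.fullmatch(value):
        raise ValueError("bad value")
    return f'{name} {ttl} IN CAA {flag} {tag} "{value}"'
```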
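For SEC-443, the fix creates repository directories with 0700 only when they do not already exist, so directories created earlier with 0755 may still need review. The following is an added example, not cPanel's code and not part of the announcement; the function names and the idea of scanning a home directory tree are assumptions.

```python
import os
import stat


def ensure_private_repo_dir(path):
    """Create path with mode 0700 before git initialises a repository in it.

    Existing directories are left untouched. Returns True if the directory
    was created here, False if it was already present.
    """
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        return False
    # The mkdir mode is filtered through the umask; chmod makes it exact.
    os.chmod(path, 0o700)
    return True


def exposed_repos(root):
    """List (path, mode) for working trees under root that contain a .git
    directory and grant any access to group or other."""
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        if ".git" in dirnames:
            mode = stat.S_IMODE(os.lstat(dirpath).st_mode)
            if mode & 0o077:
                found.append((dirpath, mode))
            dirnames.remove(".git")  # no need to descend into git internals
    return found
```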
     