
cPanel TSR-2018-0005 Full Disclosure

Discussion in 'cPanel Announcements' started by cPanelJackson, Sep 18, 2018.


    SEC-409

    Summary

    ClamAV daemon can be shut off by any local user.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

    Description

    The userspace socket file for the clamd daemon has open permissions for necessary communication with userspace scanning functionality in cPanel. However, this socket also accepts the SHUTDOWN command which allowed unprivileged users to shut down the ClamAV daemon.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    74.0.8
    70.0.57

    SEC-428

    Summary

    Self-XSS in WHM 'Create a New Account' interface.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.4 CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

    Description

    Errors encountered in the zone template during account creation did not perform context-appropriate escaping. This allowed an attacker to inject arbitrary HTML into the rendered page.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    74.0.8
    70.0.57

    SEC-433

    Summary

    Self-XSS in WHM 'Security Questions' interface.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 3.7 CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

    Description

    User-supplied parameters for the WHM 'Security Questions' interface are displayed without context-appropriate escaping. This allowed an attacker to inject arbitrary code into the rendered page.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    74.0.8
    70.0.57

    SEC-434

    Summary

    Self-XSS in cPanel 'Site Software Moderation' interface.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 3.7 CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

    Description

    Certain user-supplied parameters displayed as part of the cPanel 'Site Software Moderation' interface are displayed without context-appropriate escaping. This allowed an attacker to inject arbitrary code into the rendered page.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    74.0.8
    70.0.57

    SEC-437

    Summary

    Self-XSS in WHM 'Style Upload' interface.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 3.7 CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

    Description

    When using the Customization interface in WHM, error messages displaying user-supplied input are rendered without context-appropriate escaping. This allowed an attacker to inject arbitrary code into the rendered page.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    74.0.8
    70.0.57

    SEC-441

    Summary

    Actively stored XSS in WHM 'File and Directory Restoration' interface.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 3.9 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

    Description

    During file and directory restoration operations, a cPanel user was able to intercept json-api requests made by the WHM reseller and send back corrupted json-api responses. These corrupted API responses were displayed without appropriate escaping, allowing the cPanel user to insert HTML into the reseller's web interface.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    74.0.8
    70.0.57

    SEC-444

    Summary

    Demo account code execution via Fileman::viewfile API.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 7.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

    Description

    When calling the Fileman::viewfile API on an RPM file, the rpm utility is called to display information about the file. Arguments are passed incorrectly to the rpm utility. This allowed a demo account user to run arbitrary code as the demo user.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    74.0.8
    70.0.57

    SEC-445

    Summary

    Invalid email_accounts.json prevents full account suspension.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

    Description

    When a user's email_accounts.json file is corrupted, the suspend script generates an exception. This causes the script to fail before the full suspend process can be completed. A user could take advantage of this in order to prevent full suspension of their account.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    74.0.8
    70.0.57

    SEC-446

    Summary

    Self-Stored XSS on 'Security Questions' login page.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.4 CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

    Description

    A reseller with 'all' privileges can set security questions and answers for verification when logins occur from an unrecognized IP address. These questions and answers are displayed without context-appropriate escaping, which allowed an attacker to inject arbitrary code into the rendered page.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    74.0.8
    70.0.57

    SEC-447

    Summary

    Arbitrary file write as root in WHM 'Force Password Change'.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 7.4 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:H

    Description

    A recent refactoring in the WHM 'Force Password Change' subsystem caused a user-controlled file to be written to with root's effective permissions. This allowed an attacker to overwrite arbitrary files on the system.

    Credits

    This issue was discovered by rack911labs.com.

    Solution

    This issue is resolved in the following builds:
    74.0.8
    70.0.57

    SEC-449

    Summary

    FTP access allowed during account suspension.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

    Description

    When the system was configured with ProFTPd as the FTP daemon, suspending a cPanel account did not disable FTP access for the account.

    Credits

    This issue was discovered by Harry Li from GoDaddy.

    Solution

    This issue is resolved in the following builds:
    74.0.8
    70.0.57

    For the PGP-Signed version of this announcement please see: https://news.cpanel.com/wp-content/uploads/2018/09/TSR-2018-0005.disclosure.signed.txt
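SEC-444 above describes a file-manager call that hands a user-chosen filename to the rpm utility with incorrectly passed arguments. The following added example (not cPanel's code; the home-directory layout, the `-qip` query and the `.rpm` suffix check are assumptions) shows the defensive pattern: build argv as a list with no shell, terminate option parsing with `--` so a filename can never be read as an rpm option, and confine the resolved path to the user's home.

```python
import subprocess
from pathlib import Path
from typing import List


def build_rpm_argv(home: str, requested: str) -> List[str]:
    """Return an argv list for querying one .rpm file that rpm cannot misparse.

    - no shell: list elements are never re-split, globbed or expanded
    - '--' ends option parsing, so a name such as '--eval=x.rpm' is only a filename
    - the joined path is resolved and must stay under the user's home
      (absolute paths and '..' traversal both fall outside and are rejected)
    """
    base = Path(home).resolve()
    target = (base / requested).resolve()
    if base not in target.parents:
        raise ValueError("path escapes the user's home directory")
    if not target.name.lower().endswith(".rpm"):
        raise ValueError("not an .rpm file")
    # Assumed query form; the point is the argv shape, not the exact rpm flags.
    return ["rpm", "-qip", "--", str(target)]


def rpm_info(home: str, requested: str) -> str:
    """Run the query without a shell and with a timeout; errors are reported, not raised."""
    argv = build_rpm_argv(home, requested)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=30, check=False)
    if proc.returncode != 0:
        return "rpm failed: " + proc.stderr.strip()
    return proc.stdout


if __name__ == "__main__":
    # Constructed request; /home/demo is a placeholder home directory.
    print(build_rpm_argv("/home/demo", "uploads/pkg.rpm"))
```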
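SEC-445 above describes a suspend script that raised on a corrupted email_accounts.json and so never finished suspending the account. The following added example (not cPanel's code; the four step names and the JSON shape are assumptions, and the sample file contents are constructed) shows the fail-closed structure a suspend routine should have: a corrupt file degrades to "no mailboxes found, flag for review" and every other step still runs.

```python
import json
from typing import Callable, Dict, List

# Constructed sample contents of a user's email_accounts.json; the second is truncated on purpose.
VALID_JSON = '{"accounts": ["alice@example.test", "bob@example.test"]}'
CORRUPT_JSON = '{"accounts": ["alice@example.test", '


def load_email_accounts(raw: str) -> List[str]:
    """Parse the mailbox list; any parse or shape error yields [] instead of an exception."""
    try:
        accounts = json.loads(raw)["accounts"]
        if not isinstance(accounts, list):
            raise TypeError("accounts is not a list")
        return [str(a) for a in accounts]
    except (ValueError, KeyError, TypeError):
        return []


def _suspend_mailboxes(email_json: str) -> str:
    accounts = load_email_accounts(email_json)
    if not accounts:
        # Nothing parseable: record it for an operator, but do not abort the suspension.
        return "no parseable mailboxes; flagged for manual review"
    return "suspended " + ", ".join(accounts)


def suspend_account(user: str, email_json: str) -> Dict[str, str]:
    """Run every suspension step and record its outcome.

    A failing step is logged and the loop continues, so one broken file cannot
    leave shell, FTP or web access active for a supposedly suspended account.
    """
    # Hypothetical steps standing in for the real suspend actions.
    steps: Dict[str, Callable[[], str]] = {
        "shell": lambda: f"locked password entry for {user}",
        "ftp": lambda: f"disabled FTP login for {user}",
        "web": lambda: f"pointed vhosts for {user} at the suspended page",
        "mail": lambda: _suspend_mailboxes(email_json),
    }
    results: Dict[str, str] = {}
    for name, action in steps.items():
        try:
            results[name] = "ok: " + action()
        except Exception as exc:  # fail closed: note the failure, keep suspending
            results[name] = f"failed: {exc!r}"
    return results
```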