
cPanel TSR-2019-0001 Full Disclosure

Discussion in 'cPanel Announcements' started by cPanelBenny, Jan 22, 2019.

    Yesterday we released new builds for versions 70, 76, and 78. These updates provided targeted changes to address security concerns with the cPanel & WHM product. Below is the full disclosure of the updates that were included in these builds.


    SEC-415

    Summary

    Internal data disclosed to OpenID providers.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 2.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N

    Description

    The "state" parameter passed to OpenID providers during OpenID authentication included connection information that was not necessary for the OpenID provider to authenticate the user. The connection state information is now stored in the user's session.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    78.0.2
    76.0.18
    70.0.63

    SEC-460

    Summary

    Demo accounts allowed to link with OpenID providers.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

    Description

    cPanel and Webmail demo accounts are normally prevented from modifying their own authentication settings. This restriction was not enforced correctly during the initial OpenID handshake performed by cpsrvd. As a result, demo accounts could be linked with an OpenID provider from the login interfaces. Changelog: Demo accounts allowed to link with OpenID providers.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    78.0.2
    76.0.18
    70.0.63

    SEC-466

    Summary

    Arbitrary file read via Passenger adminbin.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

    Description

    When setting up a new Passenger application, the configuration values passed in by the user are not adequately validated. This results in invalid values placed into the Apache configuration file. This can allow for arbitrary data to be read by the user.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    78.0.2
    76.0.18
    70.0.63

    SEC-472

    Summary

    Maketext format string injection in Email "store_filter" UAPI.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

    Description

    The Email "store_filter" UAPI call passes an error message directly as a Locale::Maketext format string. It is possible to craft a filter to manipulate this error message and execute arbitrary code. Changelog: Maketext format string injection in Email "store_filter" UAPI.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    78.0.2
    76.0.18

    SEC-473

    Summary

    Demo account limited arbitrary file write via DCV UAPI calls.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 5.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

    Description

    The "check_domains_via_http" and "ensure_domains_can_pass_dcv" UAPI calls in the module are allowed for demo accounts. These calls accept a filename, extension, and a set of allowed characters to write into the DCV file. A demo account can misuse this functionality to create files on the server with limited control over their contents. Changelog: Demo account limited arbitrary file write via DCV UAPI calls.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    78.0.2
    76.0.18
    70.0.63

    SEC-474

    Summary

    Maketext format string injection in DCV "check_domains_via_dns" UAPI.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

    Description

    The DCV "check_domains_via_dns" UAPI call passes an error message directly as a Locale::Maketext format string. It is possible to insert data into the DCV file in order to manipulate this error message and execute arbitrary code.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    78.0.2
    76.0.18

    SEC-476

    Summary

    Limited file write as shared users during connection resets.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

    Description

    During asynchronous HTTP connection resets, cpsrvd processed any pending POST data. In some scenarios, this would write files to a cPanel user's home directory with the wrong user and group IDs. Changelog: Limited file write as shared users during connection resets.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    78.0.2
    76.0.18
    70.0.63

    SEC-478

    Summary

    Userdata cache temporary file can conflict with domains.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

    Description

    When rebuilding the userdata "cache.json" file, a temporary file is created using a non-reserved file extension. A user may create a domain with a name that conflicts with this file. This can corrupt or interrupt the proper operation of the cache file. Changelog: Userdata cache temporary file can conflict with domains.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    78.0.2
    76.0.18
    70.0.63


    For the PGP-signed message, please see TSR-2019-0001 Full Disclosure - signed.

    More Information
    To ensure that you receive up-to-date product news from cPanel, we encourage you to subscribe to the Product and Security updates mailing lists: cPanel Mailing List.

    #1 cPanelBenny, Jan 22, 2019
    Last edited: Jan 23, 2019
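Added illustration, not code from the post or from cPanel: using the standard Locale::Maketext module, it contrasts passing user-influenced text as the format string (the pattern behind SEC-472 and SEC-474) with passing it as a parameter. The My::L10N classes and the sample string are hypothetical constructions for the demo.

```perl
#!/usr/bin/perl
# Added illustration (not cPanel code): why user-influenced text must never be
# the format argument of Locale::Maketext, as in SEC-472 / SEC-474.
use strict;
use warnings;

package My::L10N;            # hypothetical minimal language-handle class
use parent 'Locale::Maketext';

package My::L10N::en;        # hypothetical 'en' subclass with an auto lexicon
use parent -norequire, 'My::L10N';
our %Lexicon = ( _AUTO => 1 );   # unknown keys are compiled as format strings

package main;

my $lh = My::L10N->get_handle('en') or die "no language handle";

# Constructed sample: text that ends up in an error message but that a user
# controls (a filter value, or data placed in a DCV file). In bracket notation
# [method,arg,...] is a method call on the language handle; sprintf is one of
# the module's built-in methods and is used here because it is harmless.
my $untrusted = 'value "abc" [sprintf,%s,INTERPOLATED]';

# Vulnerable pattern: the untrusted text is the format string, so Maketext
# parses it and invokes the bracket group it contains.
sub render_vulnerable {
    my ($msg) = @_;
    return $lh->maketext($msg);
}

# Hardened pattern: the format string is a fixed literal and the untrusted
# text is only a parameter, so its brackets come back as literal characters.
sub render_hardened {
    my ($msg) = @_;
    return $lh->maketext('[_1]', $msg);
}

print "vulnerable: ", render_vulnerable($untrusted), "\n";
print "hardened:   ", render_hardened($untrusted), "\n";
```

A code-review check that catches this class of bug: every `maketext` first argument should be a string literal, never a variable or a value built from input or from another error message.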