cPanel TSR-2019-0002 Full Disclosure

cPanelBenny

Community Team Manager, Development, dog scratcher
Apr 24, 2014
140
76
103
Michigan
cPanel Access Level
Root Administrator
Twitter
cPanel TSR-2019-0002 Full Disclosure

SEC-477

Summary

Unsafe file operations as root in SSL certificate storage.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 5.6 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Description

The Cpanel::SSL::Objects::Certificate::File module creates a cache file when opening and reading an SSL certificate file. The Cpanel::SSLStorage module uses this to perform operations on SSL certificates stored in the user’s home directory as root. Because of this, it was possible for an attacker to overwrite and/or read root-owned files.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
78.0.18
76.0.21
70.0.67

SEC-479

Summary

Local root via userdata cache mis-parsing.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 7.8 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

The userdata cache uses a custom delimiter separated format using “==“ as the delimiter. It is possible for the values in this file to contain this delimiter when written. When reading back this file, it is possible to cause other subsystems on the server into reading, writing, chmoding, and executing arbitrary files as root.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
78.0.18
76.0.21
70.0.67

SEC-480

Summary

Code execution via addforward API1 call.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 7.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Description

The addforward API1 call modified the destination email address after validating that it did not include prohibited EXIM redirect router values. This behavior could be abused by webmail virtual accounts to run arbitrary code on the cPanel server.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
78.0.18
76.0.21
70.0.67

SEC-481

Summary

Unsafe terminal capabilities determination using infocmp.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 2.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Description

When generating formatted/colored text, the infocmp binary is called as root, which reads compiled terminfo files as root. This binary has its home directory set to /tmp. It was possible for a user to manipulate the terminfo files that infocmp processed.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
78.0.18
76.0.21
70.0.67

SEC-483

Summary

Open mail relay due to faulty domain redirect routing.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Description

The EXIM configuration used for domain forwarders did not correctly escape the final destination address. This could be abused by unauthenticated remote attackers to relay email through the server.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
78.0.18
76.0.21
70.0.67

SEC-484

Summary

Limited file read as root via EXIM virtual_user_spam router.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 3.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Description

The EXIM configuration used for routing spam email addressed to virtual email account did not correctly escape the final destination address. This could be abused by cPanel accounts to read files on the system that were inaccessible to the cPanel user.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
78.0.18
76.0.21
70.0.67

SEC-487

Summary

Demo account code execution via securitypolicy.cgi.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 7.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Description

The securitypolicy.cgi exists in the main docroot for cPanel and Webmail, and can be accessed by normal users. A user can supply POST data to this script that contains both security context and form data. This could be used to write arbitrary data to a demo account’s docroot.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
78.0.18
76.0.21
70.0.67

SEC-493

Summary

Remote Stored XSS Vulnerability in BoxTrapper Queue Listing.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

The BoxTrapper_showqueue() API call provides a listing of email messages currently in the BoxTrapper queue. Subject headers displayed in this listing are HTML encoded before they are MIME decoded. This allowed for an attacker to inject arbitrary code into the displayed subject.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
78.0.18
76.0.21
70.0.67

For the PGP-signed message, please see: TSR-2019-0002 Full Disclosure