cPanelUser-Inactive
Guest
cPanel TSR-2019-0002 Full Disclosure
SEC-477
Summary
Unsafe file operations as root in SSL certificate storage.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.6 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Description
The Cpanel::SSL::Objects::Certificate::File module creates a cache file when opening and reading an SSL certificate file. The Cpanel::SSLStorage module uses this to perform operations on SSL certificates stored in the user’s home directory as root. Because of this, it was possible for an attacker to overwrite and/or read root-owned files.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
78.0.18
76.0.21
70.0.67
SEC-479
Summary
Local root via userdata cache mis-parsing.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.8 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Description
The userdata cache uses a custom delimiter-separated format with “==” as the delimiter. It is possible for the values in this file to contain this delimiter when written. When this file is read back, it is possible to cause other subsystems on the server to read, write, chmod, and execute arbitrary files as root.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
78.0.18
76.0.21
70.0.67
SEC-480
Summary
Code execution via addforward API1 call.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Description
The addforward API1 call modified the destination email address after validating that it did not include prohibited EXIM redirect router values. This behavior could be abused by webmail virtual accounts to run arbitrary code on the cPanel server.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
78.0.18
76.0.21
70.0.67
SEC-481
Summary
Unsafe terminal capabilities determination using infocmp.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Description
When generating formatted/colored text, the infocmp binary is called as root, which reads compiled terminfo files as root. This binary has its home directory set to /tmp. It was possible for a user to manipulate the terminfo files that infocmp processed.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
78.0.18
76.0.21
70.0.67
SEC-483
Summary
Open mail relay due to faulty domain redirect routing.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Description
The EXIM configuration used for domain forwarders did not correctly escape the final destination address. This could be abused by unauthenticated remote attackers to relay email through the server.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
78.0.18
76.0.21
70.0.67
SEC-484
Summary
Limited file read as root via EXIM virtual_user_spam router.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Description
The EXIM configuration used for routing spam email addressed to virtual email accounts did not correctly escape the final destination address. This could be abused by cPanel accounts to read files on the system that were inaccessible to the cPanel user.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
78.0.18
76.0.21
70.0.67
SEC-487
Summary
Demo account code execution via securitypolicy.cgi.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Description
The securitypolicy.cgi exists in the main docroot for cPanel and Webmail, and can be accessed by normal users. A user can supply POST data to this script that contains both security context and form data. This could be used to write arbitrary data to a demo account’s docroot.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
78.0.18
76.0.21
70.0.67
SEC-493
Summary
Remote Stored XSS Vulnerability in BoxTrapper Queue Listing.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
The BoxTrapper_showqueue() API call provides a listing of email messages currently in the BoxTrapper queue. Subject headers displayed in this listing are HTML encoded before they are MIME decoded. This allowed for an attacker to inject arbitrary code into the displayed subject.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
78.0.18
76.0.21
70.0.67
For the PGP-signed message, please see: TSR-2019-0002 Full Disclosure
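Added example for SEC-479 (not cPanel code, and not part of the original advisory): a delimiter-separated record whose writer does not encode values, next to a writer and reader that do. The three-field layout, the function names and the sample values are hypothetical; only the “==” delimiter comes from the advisory.

```python
from urllib.parse import quote, unquote

DELIM = "=="
# Hypothetical record layout; the real userdata cache schema is not on the page.
FIELDS = ("domain", "owner", "docroot")


def write_unsafe(rec):
    # Values are joined verbatim, so a value containing "==" adds columns.
    return DELIM.join(rec[f] for f in FIELDS)


def parse_naive(line):
    # Positional split that trusts the writer; surplus columns are dropped
    # silently and every later field shifts one place to the right.
    return dict(zip(FIELDS, line.split(DELIM)))


def write_safe(rec):
    # Percent-encode each value: "=" becomes "%3D", so DELIM can never
    # appear inside a field, and line breaks are encoded as well.
    return DELIM.join(quote(rec[f], safe="") for f in FIELDS)


def parse_strict(line):
    # Refuse any record whose column count differs from the schema.
    parts = line.split(DELIM)
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    return {f: unquote(p) for f, p in zip(FIELDS, parts)}


# Constructed sample records.
CLEAN = {"domain": "a.example.test", "owner": "alice",
         "docroot": "/home/alice/public_html"}
TAINTED = dict(CLEAN, domain="a.example.test==root")

if __name__ == "__main__":
    print("naive :", parse_naive(write_unsafe(TAINTED)))
    print("strict:", parse_strict(write_safe(TAINTED)))
```
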
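Added example for SEC-493 (not cPanel code, and not part of the original advisory): the ordering problem the description names, HTML-encoding a Subject header before MIME-decoding it, shown beside the corrected order. Function names and the sample subjects are constructed for illustration.

```python
import base64
import html
from email.header import decode_header, make_header


def mime_decode(value):
    # Decode RFC 2047 encoded-words ("=?charset?B?...?=") to text.
    return str(make_header(decode_header(value)))


def render_vulnerable(raw_subject):
    # Order described in the advisory: escape first, decode second.
    # An encoded-word contains no HTML metacharacters, so escaping is a
    # no-op and the markup only appears after decoding.
    return mime_decode(html.escape(raw_subject))


def render_fixed(raw_subject):
    # Decode to the final text first, then escape what will be displayed.
    return html.escape(mime_decode(raw_subject))


# Constructed sample: harmless markup carried in a base64 encoded-word.
MARKUP = "<b>hi</b>"
ENCODED_SUBJECT = "=?UTF-8?B?%s?=" % base64.b64encode(MARKUP.encode()).decode()
# Constructed sample: a plain subject, where both orders agree. Testing with
# only this kind of input would not reveal the ordering bug.
PLAIN_SUBJECT = "a < b"

if __name__ == "__main__":
    for subject in (PLAIN_SUBJECT, ENCODED_SUBJECT):
        print(repr(subject))
        print("  escape-then-decode:", render_vulnerable(subject))
        print("  decode-then-escape:", render_fixed(subject))
```
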