cPanel TSR-2019-0002 Full Disclosure

Discussion in 'cPanel Announcements' started by cPanelBenny, Mar 19, 2019.

    cPanel TSR-2019-0002 Full Disclosure

    SEC-477

    Summary

    Unsafe file operations as root in SSL certificate storage.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 5.6 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

    Description

    The Cpanel::SSL::Objects::Certificate::File module creates a cache file when opening and reading an SSL certificate file. The Cpanel::SSLStorage module uses this to perform operations on SSL certificates stored in the user’s home directory as root. Because of this, it was possible for an attacker to overwrite and/or read root-owned files.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    78.0.18
    76.0.21
    70.0.67

    SEC-479

    Summary

    Local root via userdata cache mis-parsing.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 7.8 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

    Description

    The userdata cache uses a custom delimiter-separated format using “==” as the delimiter. It is possible for the values in this file to contain this delimiter when written. When reading back this file, it is possible to cause other subsystems on the server to read, write, chmod, and execute arbitrary files as root.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    78.0.18
    76.0.21
    70.0.67

    SEC-480

    Summary

    Code execution via addforward API1 call.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 7.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

    Description

    The addforward API1 call modified the destination email address after validating that it did not include prohibited EXIM redirect router values. This behavior could be abused by webmail virtual accounts to run arbitrary code on the cPanel server.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    78.0.18
    76.0.21
    70.0.67

    SEC-481

    Summary

    Unsafe terminal capabilities determination using infocmp.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 2.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

    Description

    When generating formatted/colored text, the infocmp binary is called as root, which reads compiled terminfo files as root. This binary has its home directory set to /tmp. It was possible for a user to manipulate the terminfo files that infocmp processed.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    78.0.18
    76.0.21
    70.0.67

    SEC-483

    Summary

    Open mail relay due to faulty domain redirect routing.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 4.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

    Description

    The EXIM configuration used for domain forwarders did not correctly escape the final destination address. This could be abused by unauthenticated remote attackers to relay email through the server.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    78.0.18
    76.0.21
    70.0.67

    SEC-484

    Summary

    Limited file read as root via EXIM virtual_user_spam router.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 3.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

    Description

    The EXIM configuration used for routing spam email addressed to virtual email accounts did not correctly escape the final destination address. This could be abused by cPanel accounts to read files on the system that were inaccessible to the cPanel user.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    78.0.18
    76.0.21
    70.0.67

    SEC-487

    Summary

    Demo account code execution via securitypolicy.cgi.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 7.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

    Description

    The securitypolicy.cgi exists in the main docroot for cPanel and Webmail, and can be accessed by normal users. A user can supply POST data to this script that contains both security context and form data. This could be used to write arbitrary data to a demo account’s docroot.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    78.0.18
    76.0.21
    70.0.67

    SEC-493

    Summary

    Remote Stored XSS Vulnerability in BoxTrapper Queue Listing.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

    Description

    The BoxTrapper_showqueue() API call provides a listing of email messages currently in the BoxTrapper queue. Subject headers displayed in this listing are HTML encoded before they are MIME decoded. This allowed for an attacker to inject arbitrary code into the displayed subject.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    78.0.18
    76.0.21
    70.0.67

    For the PGP-signed message, please see: TSR-2019-0002 Full Disclosure
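An added illustration of the SEC-479 bug class (not cPanel's code and not part of the original post): a "=="-delimited record whose values are written unescaped is misread when a value contains the delimiter, while an encoding writer plus a strict reader round-trips it. The three-field layout, function names and sample values are hypothetical.

```python
from urllib.parse import quote, unquote

DELIM = "=="                              # delimiter named in the advisory
FIELDS = ("domain", "owner", "docroot")   # hypothetical record layout


def write_naive(record):
    """Join raw values with the delimiter, as a writer with no escaping would."""
    return DELIM.join(record[f] for f in FIELDS)


def read_naive(line):
    """Split on the delimiter and trust whatever lands in each position."""
    return dict(zip(FIELDS, line.split(DELIM)))


def write_safe(record):
    """Percent-encode each value so '=', '%' and newlines cannot appear raw."""
    return DELIM.join(quote(record[f]) for f in FIELDS)


def read_safe(line):
    """Reject lines with the wrong field count, then decode each value."""
    parts = line.split(DELIM)
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return {f: unquote(p) for f, p in zip(FIELDS, parts)}


# Constructed sample: the owner value happens to contain the delimiter.
SAMPLE = {
    "domain": "example.test",
    "owner": "alice==/srv/other",
    "docroot": "/home/alice/public_html",
}

if __name__ == "__main__":
    print(read_naive(write_naive(SAMPLE)))   # fields shifted, docroot replaced
    print(read_safe(write_safe(SAMPLE)))     # identical to SAMPLE
```

The strict field count in `read_safe` also flags lines produced by an unescaped writer, which is a useful check when auditing an existing cache file.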
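An added illustration of the ordering problem described in SEC-493 (not cPanel's code and not part of the original post): HTML-encoding a Subject header before MIME-decoding it leaves markup hidden inside an RFC 2047 encoded-word untouched, while decoding first and encoding last neutralises it. The function names and the sample subject are constructed for this example.

```python
import base64
import html
from email.header import decode_header, make_header


def mime_decode(raw_subject):
    """Decode RFC 2047 encoded-words in a raw Subject header value."""
    return str(make_header(decode_header(raw_subject)))


def render_encode_then_decode(raw_subject):
    """Flawed order: escape the still-encoded header, then MIME-decode it.

    The encoded-word contains no '<', '>' or '&', so html.escape() changes
    nothing and the decoded markup reaches the page unescaped.
    """
    return mime_decode(html.escape(raw_subject))


def render_decode_then_encode(raw_subject):
    """Corrected order: MIME-decode first, HTML-encode as the last step."""
    return html.escape(mime_decode(raw_subject))


def make_encoded_subject(text):
    """Build a base64 encoded-word (constructed test input)."""
    b64 = base64.b64encode(text.encode("utf-8")).decode("ascii")
    return f"=?UTF-8?B?{b64}?="


# Constructed sample: harmless markup wrapped in an encoded-word.
SAMPLE_SUBJECT = make_encoded_subject("<b>injected</b>")

if __name__ == "__main__":
    print(render_encode_then_decode(SAMPLE_SUBJECT))   # raw markup survives
    print(render_decode_then_encode(SAMPLE_SUBJECT))   # markup is escaped
```

The general rule the example shows: output encoding must be the final transformation applied to a value before it is placed in HTML.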
     