cPanel TSR-2019-0003 Full Disclosure

Discussion in 'cPanel Announcements' started by cPanelPhilH, May 21, 2019.

  1. cPanelPhilH

    cPanelPhilH Community Manager Staff Member

    Yesterday cPanel released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. Below is the full disclosure of the changes included in that update.

    Information on cPanel’s security ratings is available at Security Levels - cPanel Knowledge Base - cPanel Documentation.

    If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.

    SEC-486

    Summary

    Local code execution as other cPanel accounts via insecure cpphp execution.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 5.0 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L

    Description

    Files with the 'cpphp' and 'php' file extensions inside cPanel themes are processed first by the cPanel tag parser engine, then by the php-cgi binary. During the secondary processing by the PHP engine, the working directory was switched to an insecure location that could contain malicious INI files.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.80.0.5
    11.78.0.24

    SEC-489

    Summary

    Unsafe file operations as root via fetch_ssl_certificates_for_fqdns API.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 5.6 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

    Description

    The fetch_ssl_certificates_for_fqdns API call utilizes the Cpanel::SSL::Search::fetch_users_certificates_for_fqdns() function to search for and load SSL certificates for a user's domain from the user's home directory as the root user. During this process a cache file is created. Because of this, it was possible for an attacker to overwrite and/or read root-owned files.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.80.0.5
    11.78.0.24

    SEC-494

    Summary

    Queueprocd log is created with world readable permissions.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

    Description

    The process by which the queueprocd log is created was recently modified, causing it to be created with world-readable permissions. This log file could potentially contain sensitive information.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.80.0.5
    11.78.0.24

    SEC-495

    Summary

    API Analytics adminbin allows arbitrary data to be inserted into log.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

    Description

    The only restriction on data passed to the LOG_OPERATION function of the API Analytics adminbin is that it must not contain newlines, and must start and end with curly brackets. Any other arbitrary data could be written to this log file.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.80.0.5
    11.78.0.24

    SEC-496

    Summary

    Arbitrary file modification for demo accounts via extractfile API1 call.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

    Description

    The Fileman::extractfile API1 function was incorrectly set to allow demo account access. This API call could be abused to modify any files in the demo account's home directory.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.80.0.5
    11.78.0.24

    SEC-498

    Summary

    Demo account code execution via ajax_maketext_syntax_util.pl.

    Security Rating

    cPanel has assigned this vulnerability a CVSSv3 score of 7.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

    Description

    The ACL and Demo check subroutine in ajax_maketext_syntax_util.pl was refactored to avoid use of the DEMO environment variable. This caused the script to allow execution when called by any cPanel user, including demo accounts. This could allow for execution of arbitrary code by demo account users.

    Credits

    This issue was discovered by the cPanel Security Team.

    Solution

    This issue is resolved in the following builds:
    11.80.0.5
    11.78.0.24



    For the PGP-signed message, please see: TSR-2019-0003 Full Disclosure.
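For the file-handling class described under SEC-489, an added example (not cPanel's code and not its fix) of how a privileged process can create a cache file in, and read a file from, a directory that another account controls without following planted symlinks. The function names, file names and the scenario in `demo()` are constructed for illustration.

```python
import os
import stat
import tempfile


def write_cache(user_dir, name, data):
    """Write user_dir/name without following symlinks (name: one trusted component)."""
    dir_fd = os.open(user_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        tmp = f".{name}.{os.getpid()}.tmp"
        # O_EXCL fails if the name already exists, even as a dangling symlink.
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW,
                     0o600, dir_fd=dir_fd)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        # rename() replaces a symlink at the destination, never its target.
        os.rename(tmp, name, src_dir_fd=dir_fd, dst_dir_fd=dir_fd)
    finally:
        os.close(dir_fd)


def read_user_file(user_dir, name, owner_uid):
    """Read a regular file owned by owner_uid; refuse symlinks and other types."""
    dir_fd = os.open(user_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)
    with os.fdopen(fd, "rb") as fh:
        st = os.fstat(fh.fileno())  # inspect the opened inode, not the path
        if not stat.S_ISREG(st.st_mode) or st.st_uid != owner_uid:
            raise PermissionError(f"{name}: not a regular file owned by uid {owner_uid}")
        return fh.read()


def demo():
    """Constructed scenario: symlinks to a protected file planted at both names."""
    with tempfile.TemporaryDirectory() as home, tempfile.NamedTemporaryFile() as prot:
        prot.write(b"protected")
        prot.flush()
        for name in ("cache", "cert.pem"):
            os.symlink(prot.name, os.path.join(home, name))
        write_cache(home, "cache", b"cached")
        try:
            read_user_file(home, "cert.pem", os.getuid())
            refused = False
        except OSError:
            refused = True
        with open(prot.name, "rb") as fh:
            return fh.read(), os.path.islink(os.path.join(home, "cache")), refused
```

`O_NOFOLLOW` only guards the final path component, so intermediate directories under the account's control still need care. Performing the whole operation under the account's own uid instead of root avoids the problem class altogether.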
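For SEC-495, an added example (not cPanel's code and not its fix) that puts the check described in the advisory beside a stricter validator. It assumes the log entries are meant to be JSON objects; the field allow-list, size limit and sample inputs are hypothetical and constructed for illustration.

```python
import json

# Hypothetical schema for illustration; real field names are not on the page.
ALLOWED_FIELDS = {"call": str, "module": str, "duration_ms": int}
MAX_ENTRY_BYTES = 1024


def weak_check(entry: str) -> bool:
    """The only restriction the advisory describes: no newline, wrapped in { }."""
    return "\n" not in entry and entry.startswith("{") and entry.endswith("}")


def strict_normalize(entry: str) -> str:
    """Return a canonical one-line JSON object, or raise ValueError."""
    if len(entry.encode("utf-8")) > MAX_ENTRY_BYTES:
        raise ValueError("entry too large")
    try:
        obj = json.loads(entry)
    except json.JSONDecodeError as exc:
        raise ValueError("not valid JSON") from exc
    if not isinstance(obj, dict):
        raise ValueError("not a JSON object")
    for key, value in obj.items():
        expected = ALLOWED_FIELDS.get(key)
        if expected is None:
            raise ValueError(f"unexpected field {key!r}")
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(value, bool) or not isinstance(value, expected):
            raise ValueError(f"bad type for field {key!r}")
    # Log what was parsed, not the caller's bytes; ensure_ascii escapes
    # control and non-ASCII characters so the result stays on one line.
    return json.dumps(obj, ensure_ascii=True, sort_keys=True, separators=(",", ":"))


def accepted(entry: str) -> bool:
    try:
        strict_normalize(entry)
        return True
    except ValueError:
        return False


# Constructed inputs: each one passes weak_check.
SAMPLES = [
    '{"call":"listaccts","module":"Accounts","duration_ms":12}',
    "{free-form text that merely starts and ends with braces}",
    '{"call":"a"}\r{"call":"forged second record"}',
    '{"call":"a","unexpected":"field"}',
]
```

All four samples satisfy the newline-and-braces rule, while only the first survives parsing and schema enforcement, and it is written back in canonical form.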
     