cPanel TSR-2019-0004 Full Disclosure

Status
Not open for further replies.

cPanelBenny

Community Team Manager, Development, dog scratcher
SEC-501

Summary

Demo account remote code execution via faulty URI dispatching.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 6.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

Description

Errors in the dispatching logic for email autoconfiguration URIs allowed demo accounts to execute functions in the cPanel templating engine that are normally prohibited.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.80.0.22
11.78.0.34

SEC-504

Summary

Stored-XSS vulnerability in WHM Tomcat Manager interface.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 5.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Description

The status messages displayed when disabling Tomcat for a cPanel account were not adequately escaped. It was possible for the user to manipulate the content of these status messages. This allowed cPanel accounts to inject arbitrary HTML on the rendered page.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.82.0.2
11.80.0.22
11.78.0.34

SEC-506

Summary

Self-XSS vulnerability in cPanel and webmail master templates.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

All cPanel and webmail interfaces include a username header at the top of the rendered pages. It was possible to manipulate what is displayed in this header by visiting certain nonexistent webmail accounts. This allowed arbitrary HTML to be injected into the rendered page.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.82.0.2
11.80.0.22
11.78.0.34

SEC-507

Summary

Unauthenticated file creation vulnerability via Exim log parsing.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 6.8 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

Description

The cPanel Tailwatch daemon determines when to notify an account about excessive email sending by parsing the Exim log. It keeps track of which accounts have been notified using flag files. It was possible to inject data into the Exim log that would cause these flag files to be created in arbitrary locations.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.82.0.2
11.80.0.22
11.78.0.34

SEC-510

Summary

Root MySQL password revealed to local accounts.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 7.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

A new MySQL password is generated and configured for the root account when no MySQL client configuration file is present during the installation of cPanel & WHM. The code to generate the new password was faulty, leaving some systems with root MySQL passwords that could be discovered by local attackers.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.82.0.2
11.80.0.22

SEC-512

Summary

Stored-XSS vulnerability in WHM Modify Account interface.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 5.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Description

The status messages displayed when modifying a cPanel account in WHM were not adequately escaped. It was possible for the cPanel account to manipulate the content of these status messages. This allowed an attacker to inject arbitrary HTML on the rendered page.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.82.0.2
11.80.0.22
11.78.0.34

SEC-514

Summary

Reseller package creation ACLs enforced incorrectly.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Description

The "allow-parkedcreate" and "allow-addoncreate" reseller ACLs were not enforced correctly. This allowed a restricted reseller to create packages with parked and addon domain limits exceeding the reseller's configured limits.

Credits

This issue was discovered by Edwin F Sturt.

Solution

This issue is resolved in the following builds:
11.82.0.2
11.80.0.22
11.78.0.34

For the PGP-signed message, please see: http://news.cpanel.com/wp-content/uploads/2019/07/TSR-2019-0004.full_.disclosure.signed.txt.
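
For the class of issue described under SEC-507, an added example (not cPanel's code and not part of the original post) of how a daemon can derive a flag-file path from a log-parsed value: accept only a well-formed, known account name and confirm the resolved path stays in the flag directory. The account-name pattern, function names and sample values are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumed account-name policy for this sketch (not cPanel's actual rule).
ACCOUNT_RE = re.compile(r"[a-z][a-z0-9]{0,15}")

def naive_flag_path(flag_dir, account):
    """Unsafe pattern: a log-derived field is joined straight into a path."""
    return os.path.normpath(os.path.join(flag_dir, account))

def safe_flag_path(flag_dir, account, known_accounts):
    """Return the flag path only for a well-formed, known account, else None."""
    if not ACCOUNT_RE.fullmatch(account) or account not in known_accounts:
        return None
    base = os.path.realpath(flag_dir)
    path = os.path.realpath(os.path.join(base, account))
    # Defence in depth: the resolved path must sit directly inside flag_dir.
    if os.path.dirname(path) != base:
        return None
    return path

def create_flag(flag_dir, account, known_accounts):
    """Create the flag file; True only if it was newly created."""
    path = safe_flag_path(flag_dir, account, known_accounts)
    if path is None:
        return False
    try:
        # O_EXCL refuses an existing file or symlink at the target path.
        os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600))
    except FileExistsError:
        return False  # flag already present: account was already notified
    return True

def demo():
    """Run constructed log-derived values through both path builders."""
    known = {"alice", "bob"}
    # Constructed sample values, as a log parser might hand them over.
    samples = ["alice", "../../outside/marker", "/abs/marker", "mallory"]
    with tempfile.TemporaryDirectory() as tmp:
        flag_dir = os.path.join(tmp, "flags")
        os.mkdir(flag_dir)
        results = {}
        for s in samples:
            escaped = not naive_flag_path(flag_dir, s).startswith(flag_dir + os.sep)
            results[s] = (escaped, create_flag(flag_dir, s, known))
        return results, sorted(os.listdir(flag_dir))
```

Each entry returned by `demo()` pairs whether the naive join left the flag directory with whether the checked version created a flag.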
 