cPanel TSR-2022-0005 Full Disclosure

Status
Not open for further replies.

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
12,499
1,971
363
cPanel Access Level
Root Administrator
cPanel TSR-2022-0005 Full Disclosure

SEC-661

Summary

Fix test used by cpsrvd to check for PHP.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 4.1 CVSS3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H

Description

The test to refuse to run a PHP page for resellers logged into WHM wasn't checking for the case where extra path info is added after the php extension, causing it to be run by the CGI handler.

Credits

This issue was discovered by John Lightsey.

Solution

This issue is resolved in the following builds:
11.108.0.3
11.106.0.10
11.102.0.25

SEC-662

Summary

Fix HttpRequest to not write to user home directories as root.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 9.0 CVSS3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H

Description

The DNS caching mechanism used in Cpanel::HttpRequest would use $Cpanel::homedir has the directory in which to store its data. There are times, like when a reseller is invokes get_update_availability, when $Cpanel::homedir is set to the reseller's home directory while the process is running as root. There is no reason to favor $Cpanel::homedir over using the home directory of the effective user. If we are running as root, we should write the DNS cache data under the /root directory.

Credits

This issue was discovered by John Lightsey.

Solution

This issue is resolved in the following builds:
11.108.0.3
11.106.0.10
11.102.0.25

SEC-665

Summary

Fix arbitrary file read in zone admin bin.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

The problem here is two-fold. First: the SWAP_IP_IN_ZONES function in the zone admin bin needs to validate the IP addresses passed into it. This will prevent attackers from using the function to pass bogus "includes" into the zone file. Second: When evaluating the "includes" while parsing the zone file, we should drop privileges to that of the domain owner. If a domain owner does not have privileges to read a file, they should not be able to include it in their zone file.

Credits

This issue was discovered by John Lightsey: <[email protected]>.

Solution

This issue is resolved in the following builds:
11.108.0.3
11.106.0.10
11.102.0.25

SEC-666

Summary

Fix maketext format string injection.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Description

In some circumstances maketext was vulnerable to string injections. Resolved those by not giving the stings any special processing.

Credits

This issue was discovered by John Lightsey.

Solution

This issue is resolved in the following builds:
11.108.0.3
11.106.0.10
11.102.0.25

SEC-667

Summary

Ensure SET_SERVICE_PROXY_BACKENDS passes the caller for the username.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

SET_SERVICE_PROXY_BACKENDS was passing a hash to set_backends_and_update_services which combined a key/value pair username/<calling user> with hash of the parameters passed into the function. If that hash had a different value set for the username key, then it would overwrite setting the calling user to be the username passed onto set_backends_and_update_services. This could allow a non-root user to set the username parameter to anything: another user, or, as illustrated in this case, a path traversal used for a security exploit. Set the value for the username key in the parameters hash to be the calling user account name. This will overwrite the value in the hash if it was already set and ensure the intended user name is passed on.

Credits

This issue was discovered by John Lightsey <[email protected]>.

Solution

This issue is resolved in the following builds:
11.108.0.3
11.106.0.10
11.102.0.25
 
Status
Not open for further replies.