
Important: cPanel Security Disclosure TSR-2013-0007

Discussion in 'cPanel Announcements' started by Infopro, Jun 27, 2013.

  1. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    The following disclosure covers the Targeted Security Release 2013-06-26.
    Each vulnerability is assigned an internal case number which is reflected below. Information regarding the cPanel Security Level rankings can be found here: http://go.cpanel.net/securitylevels

    _______________________________

    Case 71193

    Summary
    Local cPanel users are able to take over ownership of any file or directory on the system.

    Security Rating
    cPanel has assigned a Security Level of Important to this vulnerability.

    Description
    The log processing subsystem, cpanellogd, on cPanel & WHM servers offers an option for users to create an archive of their domain’s access logs in their home directory. During the preparatory steps for archiving, Cpanel::Logs::prep_logs_path performs a variety of checks to ensure a proper operating environment exists. A number of these checks are performed by a root-privileged process on files and directories in a user’s home directory. A malicious user could take advantage of this behavior to take ownership of important files on the same file system as his home directory.

    This issue was discovered by the cPanel Security Team.

    Solution
    This issue is resolved in the following builds:

    * 11.38.1.4 and greater
    * 11.38.0.19 and greater
    * 11.36.1.9 and greater
    * 11.34.1.17 and greater
    * 11.32.6.8 and greater

    Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at Downloads - cPanel Inc..

    _______________________________

    Case 71109

    Summary
    Local cPanel users are able to take over ownership of any file or directory on the system.

    Security Rating
    cPanel has assigned a Security Level of Important to this vulnerability.

    Description
    The log processing subsystem, cpanellogd, on cPanel & WHM servers offers an option for users to create an archive of their domain’s access logs in their home directory. When cpanellogd creates these archives, some operations are performed by a root-privileged process in the user’s home directory. Through the use of a carefully crafted hard link a malicious user could take advantage of this behavior to take ownership of any file on the same file system as his home directory.

    This issue was discovered by the cPanel Security Team.

    Solution
    This issue is resolved in the following builds:

    * 11.38.1.4 and greater
    * 11.38.0.19 and greater
    * 11.36.1.9 and greater
    * 11.34.1.17 and greater
    * 11.32.6.8 and greater

    Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at Downloads - cPanel Inc..

    _______________________________

    Questions?: Complimentary support is available to all license holders: Submit a request here.
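
Both cases above involve a root-privileged process acting on paths inside a user-writable home directory, and Case 71109 names a hard link as the lever. The following added example (not part of the original post and not cPanel's code; the disclosure does not describe the actual fix) shows one defensive pattern for that situation: validate and change ownership through a single open file descriptor and refuse symlinks, non-regular files and multiply-linked inodes. The names `safe_fchown` and `UnsafeTarget` are hypothetical.

```python
import os
import stat


class UnsafeTarget(Exception):
    """The entry in the user-writable directory failed validation."""


def safe_fchown(dir_path, name, uid, gid):
    """Chown one entry of an untrusted directory; return its (dev, inode).

    Hypothetical helper for a privileged process. Every check and the
    ownership change act on one open descriptor, never on a path.
    """
    if os.sep in name or name in (".", ".."):
        raise UnsafeTarget(f"{name}: not a plain file name")
    # Pin the directory so a later rename cannot redirect the lookup.
    dir_fd = os.open(dir_path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        try:
            # O_NOFOLLOW refuses a symlink as the final component;
            # O_NONBLOCK keeps a FIFO from stalling the privileged process.
            fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK,
                         dir_fd=dir_fd)
        except OSError as exc:
            raise UnsafeTarget(f"{name}: {exc.strerror}") from exc
        try:
            st = os.fstat(fd)
            if not stat.S_ISREG(st.st_mode):
                raise UnsafeTarget(f"{name}: not a regular file")
            # More than one name means the inode may also live outside
            # this directory, so changing its owner is not safe.
            if st.st_nlink != 1:
                raise UnsafeTarget(f"{name}: link count {st.st_nlink}")
            os.fchown(fd, uid, gid)  # acts on the inode that was checked
            return st.st_dev, st.st_ino
        finally:
            os.close(fd)
    finally:
        os.close(dir_fd)
```

On Linux, the `fs.protected_hardlinks` sysctl additionally stops users from creating hard links to files they do not own and cannot read and write, which narrows the same class of problem at the kernel level.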
     