TSR 2013-0011 Full Disclosure

Discussion in 'cPanel Announcements' started by Infopro, Dec 19, 2013.

    Infopro (cPanel Sr. Product Evangelist, Staff Member)
    The following disclosures cover the Targeted Security Release 2013-0011.
    Each vulnerability is assigned an internal case number which is reflected below. Information regarding the cPanel Security Level rankings can be found here: http://go.cpanel.net/securitylevels

    _______________________________

    Case 60890

    Summary
    A reseller with limited privileges is allowed to install SSL virtualhosts on arbitrary IPs.

    Security Rating
    cPanel has assigned a Security Level of Important to this vulnerability.

    Description
    A reseller account with ACL permission to install SSL certificates could install certificates and matching virtualhosts on IP addresses that belonged to accounts that did not belong to the reseller. This would allow a malicious reseller account to capture web traffic intended for other accounts on the system.

    Credits
    These issues were discovered by the cPanel Security Team.

    Solution
    This issue is resolved in the following builds:

    * 11.36.2.10 & Greater

    The 11.38 and 11.40 releases of cPanel were not vulnerable to this issue due to unrelated changes in the SSL certificate management logic of cPanel & WHM.

    Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/


    _______________________________

    Case 63541

    Summary
    Arbitrary code execution via user supplied translatable phrases.

    Security Rating
    cPanel has assigned a Security Level of Important to this vulnerability.

    Description
    Authenticated remote cPanel, WHM, and Webmail users have the ability to call API commands appropriate for their access level. Many API commands expand input arguments looking for translatable strings and other variable substitutions. It was found that the Locale::Maketext module, as used in cPanel's translation system, allowed callers to specify a custom failure handler via a crafted translation. A malicious authenticated user could leverage this flaw to execute arbitrary code with permissions that exceeded their normal access level.

    Credits
    This issue was discovered by the cPanel Security Team.

    Solution
    This issue is resolved in the following builds:

    * 11.40.1.3 & Greater
    * 11.40.0.29 & Greater
    * 11.38.2.13 & Greater
    * 11.36.2.10 & Greater

    Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

    _______________________________

    Case 69517

    Summary
    World-writable Counter directory allowed arbitrary code execution.

    Security Rating
    cPanel has assigned a Security Level of Moderate to this vulnerability.

    Description
    An unnecessary directory at /usr/local/cpanel/share/Counter, installed by the wwwcount RPM provided with cPanel, retained world-writable permissions on some systems. The location of this directory inside of cPanel & WHM's trusted paths allowed a local attacker to load arbitrary code into cPanel processes under some circumstances.

    Credits
    This issue was discovered by the cPanel Security Team.

    Solution
    This issue is resolved in the following builds:

    * 11.40.1.3 & Greater
    * 11.40.0.29 & Greater
    * 11.38.2.13 & Greater
    * 11.36.2.10 & Greater

    Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

    _______________________________

    Case 71125

    Summary
    Arbitrary file ownership change via cPanel branding system.

    Security Rating
    cPanel has assigned a Security Level of Important to this vulnerability.

    Description
    A bug in the sprite generation code for the branding subsystem changed the ownership of files in paths under the reseller's control to the reseller's UID. The change in ownership was performed automatically during the nightly updates while running with the effective UID and GID of root. A malicious reseller account could leverage this flaw to take control of arbitrary files on the system.

    Credits
    These issues were discovered by the cPanel Security Team.

    Solution
    This issue is resolved in the following builds:

    * 11.38.2.13 & Greater

    The 11.36 and 11.40 releases of cPanel were not vulnerable to this issue. The vulnerable functionality was introduced in cPanel & WHM's 11.38 release and fixed due to unrelated changes in the original releases of 11.40.

    Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

    _______________________________

    Case 73125

    Summary
    After multiple security token failures, session credentials were not invalidated.

    Security Rating
    cPanel has assigned a Security Level of Minor to this vulnerability.

    Description
    The security tokens used to prevent XSRF (Cross-Site Request Forgery) attacks were vulnerable to brute-force attempts due to a failure to limit the number of invalid token attempts. An attacker who could make a very large number of XSRF attempts could use this flaw in an attempt to brute force the security token.

    Credits
    This issue was discovered by the cPanel Security Team.

    Solution
    This issue is resolved in the following builds:

    * 11.40.1.3 & Greater
    * 11.40.0.29 & Greater
    * 11.38.2.13 & Greater
    * 11.36.2.10 & Greater

    Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/
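    The control the fix for Case 73125 describes, limiting the number of invalid security-token attempts, is shown below as an added example. This is not cPanel's code: the session store, the token format, the constant-time comparison and the threshold of 5 failures are all assumptions made for illustration; the advisory itself gives no number.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed threshold: the advisory says attempts were unlimited before the
# fix but gives no number for the fixed builds, so 5 is an assumption here.
MAX_TOKEN_FAILURES = 5


@dataclass
class Session:
    session_id: str
    token: str        # the anti-XSRF security token tied to this session
    failures: int = 0
    valid: bool = True


class SessionStore:
    """Minimal in-memory session store with token-failure lockout."""

    def __init__(self):
        self._sessions = {}

    def create(self) -> Session:
        sess = Session(session_id=secrets.token_hex(16), token=secrets.token_hex(16))
        self._sessions[sess.session_id] = sess
        return sess

    def is_valid(self, session_id: str) -> bool:
        sess = self._sessions.get(session_id)
        return sess is not None and sess.valid

    def check_token(self, session_id: str, presented: str) -> bool:
        """Return True only for a correct token on a live session.

        Every wrong guess counts against the session; once the limit is hit
        the session is invalidated, so guessing against one session can never
        get more than MAX_TOKEN_FAILURES tries, and a later correct token is
        still refused because the session credentials are gone.
        """
        sess = self._sessions.get(session_id)
        if sess is None or not sess.valid:
            return False
        # Constant-time comparison: do not leak how many characters matched.
        if hmac.compare_digest(sess.token.encode(), presented.encode()):
            sess.failures = 0
            return True
        sess.failures += 1
        if sess.failures >= MAX_TOKEN_FAILURES:
            sess.valid = False   # credentials behind this session are revoked
        return False


def demo() -> dict:
    """Drive the store: 4 wrong guesses keep the session alive, the 5th kills it."""
    store = SessionStore()
    sess = store.create()
    alive_after_four = None
    # token_hex() only yields hex digits, so a guess of 'z' characters can never match
    for i in range(MAX_TOKEN_FAILURES):
        store.check_token(sess.session_id, "z" * 32)
        if i == MAX_TOKEN_FAILURES - 2:
            alive_after_four = store.is_valid(sess.session_id)
    return {
        "alive_after_four": alive_after_four,
        "alive_after_five": store.is_valid(sess.session_id),
        "correct_token_after_lockout": store.check_token(sess.session_id, sess.token),
    }


if __name__ == "__main__":
    print(demo())
```

    The important property is the last line of the result: after lockout even the genuine token is refused, which is what "session credentials invalidated" means in the summary. A real deployment would also log the lockout event with the session owner and source address so the attempt shows up in monitoring.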

    _______________________________

    Case 73193

    Summary
    Unsafe disclosure of security token during session based login.

    Security Rating
    cPanel has assigned a Security Level of Minor to this vulnerability.

    Description
    The URL used to perform logins could return a valid security token with only a valid session identifier supplied instead of a username and password. An attacker with the ability to capture a valid session identifier could use this flaw to acquire a new, valid security token that could be used to authenticate with the captured credentials. Such an attack would additionally invalidate the existing token for that session.

    Credits
    This issue was discovered by the cPanel Security Team.

    Solution
    This issue is resolved in the following builds:

    * 11.40.1.3 & Greater
    * 11.40.0.29 & Greater
    * 11.38.2.13 & Greater
    * 11.36.2.10 & Greater

    Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

    _______________________________

    Case 74333

    Summary
    The session credentials were disclosed during reseller override logins.

    Security Rating
    cPanel has assigned a Security Level of Important to this vulnerability.

    Description
    The session cookie used by a reseller during a reseller override login to a cPanel account was disclosed to the cPanel account via the HTTP_COOKIE environment variable. A malicious local cPanel user could leverage this vulnerability to enter WHM using the reseller's captured credentials.

    Credits
    These issues were discovered by the cPanel Security Team.

    Solution
    This issue is resolved in the following builds:

    * 11.38.2.13 & Greater
    * 11.36.2.10 & Greater

    The 11.40 release of cPanel was not vulnerable to this issue. The vulnerable functionality was fixed due to unrelated changes in the original releases of 11.40.

    Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

    _______________________________

    Case 78045

    Summary
    Stored XSS vulnerability in WHM Daily Process Log screen.

    Security Rating
    cPanel has assigned a Security Level of Important to this vulnerability.

    Description
    Output filtering in the WHM Daily Process Log interface did not properly sanitize the names of processes that caused high CPU load. A local attacker could create a process with a high load and a name containing malicious JavaScript intended to execute in the browser of any WHM account that viewed the daily process summary.

    Credits
    This issue was discovered by the cPanel Security Team.

    Solution
    This issue is resolved in the following builds:

    * 11.40.1.3 & Greater
    * 11.40.0.29 & Greater
    * 11.38.2.13 & Greater
    * 11.36.2.10 & Greater

    Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

    _______________________________

    Case 78089

    Summary
    Password disclosure during forced cPAddons upgrade.

    Security Rating
    cPanel has assigned a Security Level of Important to this vulnerability.

    Description
    A root or reseller account performing an upgrade of a cPanel account's cPAddons Site Software installations directly from WHM disclosed the REMOTE_PASSWORD environment variable to the cPanel account under some circumstances. The variable was only disclosed when the "cgihidepass" TweakSetting was disabled on the server. By default, this TweakSetting is enabled.

    Credits
    This issue was discovered by the cPanel Security Team.

    Solution
    This issue is resolved in the following builds:

    * 11.40.1.3 & Greater
    * 11.40.0.29 & Greater
    * 11.38.2.13 & Greater
    * 11.36.2.10 & Greater

    Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

    _______________________________

    Case 79277

    Summary
    Arbitrary file read vulnerability in WHM Edit DNS Zone interface.

    Security Rating
    cPanel has assigned a Security Level of Minor to this vulnerability.

    Description
    The WHM Edit DNS Zone interface allowed parts of arbitrary files to be read through the error message produced when an $include DNS zone directive led to an invalidly-formatted file. With a specially crafted DNS zone entry, resellers with the "edit-dns" ACL could read parts of the contents of files accessible only to root from the output of that error message.

    Credits
    This issue was discovered by Rack911.

    Solution
    This issue is resolved in the following builds:

    * 11.40.1.3 & Greater
    * 11.40.0.29 & Greater
    * 11.38.2.13 & Greater
    * 11.36.2.10 & Greater

    Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

    _______________________________

    Case 80113

    Summary
    cPHulk injection via crafted SSH connections.

    Security Rating
    cPanel has assigned a Security Level of Moderate to this vulnerability.

    Description
    cPHulk, a service for preventing brute-force authentication attempts, was vulnerable to a protocol injection attack via specially crafted usernames during SSH authentication. This flaw would allow a remote unauthenticated attacker to block or unblock arbitrary IP addresses and accounts from connecting to all cPHulk-managed services on the system.

    Credits
    This issue was discovered by an anonymous researcher.

    Solution
    This issue is resolved in the following builds:

    * 11.40.1.3 & Greater
    * 11.40.0.29 & Greater
    * 11.38.2.13 & Greater
    * 11.36.2.10 & Greater

    Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/
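    Case 80113 is a line-oriented protocol injection: a field that may carry the protocol's own framing characters lets one report become several. The added example below shows both sides of such an exchange with an allow-list on the username and a consumer that refuses anything but one well-framed record. It is not cPHulk's code and the record layout (tab-separated fields, one record per line, an AUTHFAIL opcode) is an assumption; the page does not document the real wire format.

```python
import ipaddress
import re

# Constructed record shape for illustration only; cPHulk's real wire format is
# not documented on the page. One record per line, tab-separated fields.
FIELD_SEP = "\t"
RECORD_END = "\n"
KNOWN_SERVICES = {"ssh", "ftp", "cpanel", "whm", "webmail"}
# Allow-list for usernames: letters, digits and a few punctuation marks only.
# Anything else, in particular tabs, newlines and NULs, is refused outright.
SAFE_USERNAME = re.compile(r"[A-Za-z0-9._@-]{1,64}")


class ProtocolInjection(ValueError):
    """Raised when a field would alter the framing of the record."""


def validate_username(user: str) -> str:
    if not SAFE_USERNAME.fullmatch(user):
        raise ProtocolInjection("username contains characters outside the allow-list")
    return user


def build_failure_record(service: str, user: str, ip: str) -> str:
    """Producer side: the auth daemon reports one failed login to the brute-force guard."""
    if service not in KNOWN_SERVICES:
        raise ProtocolInjection("unknown service name")
    user = validate_username(user)
    addr = ipaddress.ip_address(ip)   # raises ValueError on anything but an IP
    return FIELD_SEP.join(("AUTHFAIL", service, user, str(addr))) + RECORD_END


def parse_record(line: str) -> dict:
    """Consumer side: accept exactly one well-framed record with exactly four fields.

    Defence in depth: even if a producer forgot to validate, a line carrying
    extra separators or a second record is rejected rather than interpreted.
    """
    if not line.endswith(RECORD_END) or line.count(RECORD_END) != 1:
        raise ProtocolInjection("record is not exactly one line")
    fields = line[:-1].split(FIELD_SEP)
    if len(fields) != 4 or fields[0] != "AUTHFAIL":
        raise ProtocolInjection("unexpected field count or opcode")
    op, service, user, ip = fields
    if service not in KNOWN_SERVICES:
        raise ProtocolInjection("unknown service name")
    validate_username(user)
    return {"op": op, "service": service, "user": user, "ip": str(ipaddress.ip_address(ip))}


def rejects_username(user: str) -> bool:
    """True when the producer refuses to emit a record for this username."""
    try:
        build_failure_record("ssh", user, "203.0.113.7")
    except ProtocolInjection:
        return True
    return False


def accepts_line(line: str) -> bool:
    """True when the consumer accepts the line as a single valid record."""
    try:
        parse_record(line)
    except (ProtocolInjection, ValueError):
        return False
    return True


if __name__ == "__main__":
    rec = build_failure_record("ssh", "alice", "203.0.113.7")
    print(repr(rec), parse_record(rec))
```

    Validating on the producer alone is not enough, because the daemon writing the record is often a different program (here, the SSH side) from the one reading it; the reader's framing check is what makes a crafted username harmless even when a producer is wrong.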

    _______________________________

    Case 80633

    Summary
    Arbitrary file write via X3 countedit.cgi.

    Security Rating
    cPanel has assigned a Security Level of Important to this vulnerability.

    Description
    An obsolete version of the countedit.cgi script inside the cPanel X3 theme directory contained a path traversal vulnerability allowing arbitrary files to be written. This script was only executable by cPanel accounts that were configured to use a theme other than X3 or by cPanel accounts configured to use the X3 theme after a clone of the X3 theme was created by the system administrator. The obsolete copies of countedit.cgi and count.cgi inside the X3 theme directory have been removed.

    Credits
    This issue was discovered by the cPanel Security Team.

    Solution
    This issue is resolved in the following builds:

    * 11.40.1.3 & Greater
    * 11.40.0.29 & Greater
    * 11.38.2.13 & Greater
    * 11.36.2.10 & Greater

    Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

    _______________________________

    Case 81373

    Summary
    Bandmin passwd file stored with world-readable permissions.

    Security Rating
    cPanel has assigned a Security Level of Minor to this vulnerability.

    Description
    The permissions of the Bandmin password file were set to 0644 by default. This allowed any user on the system to read the username and hashed password required to view Bandmin's stored log data. The password stored in this file was encoded with DES-crypt.

    Credits
    This issue was discovered by the cPanel Security Team.

    Solution
    This issue is resolved in the following builds:

    * 11.40.1.3 & Greater
    * 11.40.0.29 & Greater
    * 11.38.2.13 & Greater
    * 11.36.2.10 & Greater

    Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

    _______________________________

    Case 81377

    Summary
    Multiple XSS vulnerabilities found in Bandmin.

    Security Rating
    cPanel has assigned a Security Level of Moderate to this vulnerability.

    Description
    Multiple output filtering errors in the Bandmin bandwidth log viewer interface allowed JavaScript inputs to be returned to the browser without proper filtering. An attacker who could cause a user with permission to view bandwidth logs to visit a specially crafted URL could execute arbitrary JavaScript code in that user's browser.

    Credits
    This issue was discovered by the cPanel Security Team.

    Solution
    This issue is resolved in the following builds:

    * 11.40.1.3 & Greater
    * 11.40.0.29 & Greater
    * 11.38.2.13 & Greater
    * 11.36.2.10 & Greater

    Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

    _______________________________

    Case 81429

    Summary
    URL filtering flaws allowed access to restricted resources.

    Security Rating
    cPanel has assigned a Security Level of Important to this vulnerability.

    Description
    Flaws in the path resolution of URLs supplied to cpsrvd with HTTP requests allowed the bypassing of URL based access control checks in the cPanel, WHM, and Webmail interfaces. This allowed, for example, an attacker with credentials for a Webmail virtual account to access phpMyAdmin and phpPgAdmin with the privileges of the cPanel account that owned the Webmail account.

    Credits
    This issue was discovered by the cPanel Security Team.

    Solution
    This issue is resolved in the following builds:

    * 11.40.1.3 & Greater
    * 11.40.0.29 & Greater
    * 11.38.2.13 & Greater
    * 11.36.2.10 & Greater

    Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

    _______________________________

    Case 81641

    Summary
    Path traversal flaw allows arbitrary code execution for restricted cPanel accounts.

    Security Rating
    cPanel has assigned a Security Level of Moderate to this vulnerability.

    Description
    Due to an incorrect ordering of input filters, the UI::dynamicincludelist and UI::includelist cPanel API 2 calls were vulnerable to a path traversal attack. A restricted cPanel account could leverage this flaw to read files or execute arbitrary code that other account restrictions, such as JailShell or demo mode, would normally prevent.

    Credits
    This issue was discovered by the cPanel Security Team.

    Solution
    This issue is resolved in the following builds:

    * 11.40.1.3 & Greater
    * 11.40.0.29 & Greater
    * 11.38.2.13 & Greater
    * 11.36.2.10 & Greater

    Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/
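    Cases 81429 and 81641 share one root cause: an access decision made on a path before that path was fully decoded and normalised. The added example below, which is not cpsrvd's or cPanel's code, shows the order a defender wants: decode, normalise, then check the ACL, plus a containment test for include names resolved under a directory. The restricted prefixes, the role names, and the base directory /srv/example/x3/includes are constructed for the example; the real cpsrvd rules and file layout are not on the page.

```python
import posixpath
from urllib.parse import unquote

# Constructed ACL for illustration: URL prefixes only some interface roles may
# reach, and the roles allowed for each. Not the real cpsrvd rules.
RESTRICTED_PREFIXES = {
    "/3rdparty/phpMyAdmin/": {"cpanel", "reseller", "root"},
    "/3rdparty/phpPgAdmin/": {"cpanel", "reseller", "root"},
}


class BadPath(ValueError):
    pass


def canonicalize_url_path(raw: str) -> str:
    """Decode and normalise a request path BEFORE any access decision.

    In this order: percent-decode until stable (catches double-encoded
    forms), reject NUL bytes, then collapse '.', '..' and repeated slashes
    with posixpath.normpath, which never climbs above '/'.
    """
    path = raw
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        raise BadPath("path still changing after 3 decode passes")
    if "\x00" in path:
        raise BadPath("NUL byte in path")
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def url_allowed(role: str, raw_path: str) -> bool:
    """ACL check applied to the canonical path, never to the raw one."""
    path = canonicalize_url_path(raw_path)
    for prefix, roles in RESTRICTED_PREFIXES.items():
        if path == prefix.rstrip("/") or path.startswith(prefix):
            return role in roles
    return True  # everything else is unrestricted in this toy ACL


def resolve_include(base_dir: str, requested: str):
    """Map a user-supplied include name onto a file under base_dir, or None.

    The containment test runs on the normalised result, so '..' segments and
    absolute paths cannot escape base_dir. Symlinks are not followed here; on
    a real filesystem apply os.path.realpath to both sides before comparing.
    """
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, requested.lstrip("/")))
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None


if __name__ == "__main__":
    for role, p in (("webmail", "/3rdparty/phpMyAdmin/index.php"),
                    ("webmail", "/frontend/../3rdparty/phpMyAdmin/index.php"),
                    ("cpanel", "/3rdparty/phpMyAdmin/index.php")):
        print(role, p, "->", url_allowed(role, p))
```

    The filter-ordering point from Case 81641 is the same in both functions: any check that runs on the raw string (a denylist for "..", a prefix comparison) can be sidestepped by an encoding or a path segment that only disappears after normalisation, so the check must consume the canonical form.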

    _______________________________

    Case 81885

    Summary
    Multiple self-XSS vulnerabilities found in cPanel.

    Security Rating
    cPanel has assigned a Security Level of Minor to this vulnerability.

    Description
    Output filtering errors in the Manage Redirection functionality for Addon Domains and Subdomains, as well as the GnuPG Keys interfaces allowed JavaScript inputs to be returned to the browser without proper filtering.

    cPanel includes a comprehensive protection mechanism against XSS and XSRF attacks called Security Tokens. Security Tokens protection is enabled by default in all installs of cPanel & WHM. When Security Tokens protection is enabled, an attacker intending to utilize this vulnerability must convince the victim to navigate their browser to the appropriate cPanel or WHM interface and manually input the JavaScript payload.

    Credits
    These issues were discovered by the cPanel Security Team.

    Solution
    This issue is resolved in the following builds:

    * 11.40.1.3 & Greater
    * 11.40.0.29 & Greater
    * 11.38.2.13 & Greater
    * 11.36.2.10 & Greater

    Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

    _______________________________

    Case 82309

    Summary
    Insecure storage of Logaholic session files was found.

    Security Rating
    cPanel has assigned a Security Level of Important to this vulnerability.

    Description
    Logaholic session files were stored in the world-writable /tmp directory. A local attacker with access to the cPanel Logaholic interfaces could create a session file in this directory with a crafted payload intended to execute arbitrary code as the cpanel-logaholic user as the session was loaded by the Logaholic interfaces inside cPanel. Logaholic now uses a non-world-writable directory for session data, and as a precaution, database caching.

    Credits
    This issue was discovered by Rack911.

    Solution
    This issue is resolved in the following builds:

    * 11.40.1.3 & Greater
    * 11.40.0.29 & Greater
    * 11.38.2.13 & Greater
    * 11.36.2.10 & Greater

    Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

    _______________________________

    Case 82725

    Summary
    XSS vulnerability found in YUI 2.

    Security Rating
    cPanel has assigned a Security Level of Moderate to this vulnerability.

    Description
    The uploader.swf file in YUI 2, which is included with cPanel & WHM, is vulnerable to an XSS attack due to insufficient filtering of inputs. This attack has been assigned CVE-2013-6780. All Flash files have been removed from the copy of YUI 2 shipped with cPanel & WHM, as they are unneeded. These files were accessible in the cPanel, WHM, and Webmail interfaces.

    Credits
    This issue was discovered upstream by a security researcher called @soiaxx.

    Solution
    This issue is resolved in the following builds:

    * 11.40.1.3 & Greater
    * 11.40.0.29 & Greater
    * 11.38.2.13 & Greater
    * 11.36.2.10 & Greater

    Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

    _______________________________

    Case 82733

    Summary
    Database grant files stored with world-readable permissions.

    Security Rating
    cPanel has assigned a Security Level of Important to this vulnerability.

    Description
    Changes to the functionality that stores data and cache files resulted in cPanel & WHM's files for storing database grants becoming world-readable. This flaw allowed all accounts on the system to access the MySQL and PostgreSQL grant statements for other cPanel users on the system. These grant statements contained MySQL and PostgreSQL usernames and hashed passwords.

    Credits
    This issue was discovered by Rack911.

    Solution
    This issue is resolved in the following builds:

    * 11.40.1.3 & Greater
    * 11.40.0.29 & Greater
    * 11.38.2.13 & Greater

    The 11.36 release of cPanel was not vulnerable to this issue.

    Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/
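    Three cases in this release (69517, 81373 and 82733) are permission-bit problems: a world-writable directory on a trusted path, and secret-bearing files readable by everyone. The added audit script below is the check an administrator would run to find such objects; it is not cPanel's code, builds its own sample tree rather than touching the real system, and the sensitive basenames (passwd, grants, .my.cnf) and the directory layout it creates are constructed for illustration.

```python
import os
import stat
import tempfile

# Constructed list of basenames whose contents are secrets on this kind of
# host; the advisory names Bandmin's passwd file and the database grant files
# but not their exact paths, so these names are assumptions.
SENSITIVE_BASENAMES = {"passwd", "grants", ".my.cnf"}


def audit_tree(root: str):
    """Walk root and return (path, finding) pairs for risky permission bits.

    Flags any directory or file writable by 'other' (the Counter-directory
    problem) and any file in SENSITIVE_BASENAMES that 'other' can read (the
    0644 passwd / grant-file problem). Symlinks are skipped so the audit
    reports the objects themselves, not their targets.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):
                continue
            if mode & stat.S_IWOTH:
                if stat.S_ISDIR(mode):
                    kind = "world-writable directory"
                    if mode & stat.S_ISVTX:
                        kind += " (sticky)"
                else:
                    kind = "world-writable file"
                findings.append((full, kind))
            if stat.S_ISREG(mode) and name in SENSITIVE_BASENAMES and mode & stat.S_IROTH:
                findings.append((full, "world-readable sensitive file"))
    return findings


def build_demo_tree() -> str:
    """Create a constructed sample tree reproducing the defects (not real paths)."""
    root = tempfile.mkdtemp(prefix="perm-audit-")
    share = os.path.join(root, "share")
    counter = os.path.join(share, "Counter")          # world-writable dir
    os.makedirs(counter)
    os.chmod(share, 0o755)                            # explicit, so umask cannot skew the demo
    os.chmod(counter, 0o777)
    bandmin = os.path.join(root, "bandmin")
    os.makedirs(bandmin)
    os.chmod(bandmin, 0o755)
    passwd = os.path.join(bandmin, "passwd")          # 0644 secret file
    with open(passwd, "w") as fh:
        fh.write("admin:constructed-hash\n")
    os.chmod(passwd, 0o644)
    private = os.path.join(root, "private.key")       # correctly 0600, must not be flagged
    with open(private, "w") as fh:
        fh.write("not-a-real-key\n")
    os.chmod(private, 0o600)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for path, kind in audit_tree(demo_root):
        print(kind, os.path.relpath(path, demo_root))
```

    Pointing audit_tree at a real trusted path (the advisory's /usr/local/cpanel is the obvious candidate) turns this into a periodic check; the sticky-bit annotation matters because a world-writable directory with the sticky bit (the /tmp pattern behind Case 82309) still allows anyone to create files, so a finding there is a prompt to move the data elsewhere, not a false positive.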

    _______________________________

    Case 83501

    Summary
    Disallow \g in MySQL GRANT statements during account restores.

    Security Rating
    cPanel has not assigned a Security Level to this issue.

    Description
    \g has been added to the list of disallowed strings for MySQL grant restores. We would like to stress that this does not make restoration of packages from untrusted sources safe.

    Credits
    This issue was reported by Rack911.

    Solution
    This issue is resolved in the following builds:

    * 11.40.1.3 & Greater
    * 11.40.0.29 & Greater
    * 11.38.2.13 & Greater
    * 11.36.2.10 & Greater

    Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

    _______________________________

    Case 83929

    Summary
    A cross-account XSRF attack against reseller override logins was possible via goto_uri.

    Security Rating
    cPanel has assigned a Security Level of Moderate to this vulnerability.

    Description
    Reseller accounts that log into the cPanel accounts they own using reseller override authentication have the ability to switch back to WHM or switch to the cPanel interfaces for other cPanel accounts they own. This functionality goes through special /xfer URLs inside cpsrvd. The /xfer URLs also permit specifying an optional destination URL on the other side of the switch between accounts and interfaces through a "goto_uri" query parameter. A malicious cPanel user could conduct XSRF attacks against a reseller logged into their account to combine an /xfer to a different account with a goto_uri destination that caused configuration changes inside the other account. This vulnerability has been addressed by limiting use of the goto_uri parameter to account and interface switches where privileges are being lowered.

    Credits
    This issue was discovered by the cPanel Security Team.

    Solution
    This issue is resolved in the following builds:

    * 11.40.1.3 & Greater
    * 11.40.0.29 & Greater
    * 11.38.2.13 & Greater
    * 11.36.2.10 & Greater

    Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/
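    The rule the fix for Case 83929 states, honouring goto_uri only when the switch lowers privilege, is shown below as an added example, together with a same-origin check so the destination can only ever be a path on the same host. This is not cpsrvd's code: the numeric privilege ordering of the interfaces, the role names, and the sample landing paths are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed privilege ordering for the interfaces involved in an /xfer
# switch (assumption, higher = more privilege); the page names WHM/reseller
# and cPanel accounts but gives no numeric levels.
PRIVILEGE = {"webmail": 0, "cpanel": 1, "reseller": 2, "root": 3}


def is_same_origin_path(uri: str) -> bool:
    """Accept only an absolute path on this host: no scheme, no authority."""
    if "\\" in uri or any(c in uri for c in "\r\n\x00"):
        return False
    parts = urlsplit(uri)
    if parts.scheme or parts.netloc:
        return False
    return parts.path.startswith("/") and not parts.path.startswith("//")


def post_switch_destination(from_role: str, to_role: str, goto_uri, default_landing: str) -> str:
    """Decide where the browser lands after an /xfer switch.

    goto_uri is honoured only when the switch lowers privilege (reseller in
    WHM stepping down into one of its cPanel accounts) and names a
    same-origin path. Switching back up to WHM, or sideways from one cPanel
    account into another, always lands on the fixed default page, so a
    caller-chosen URL cannot be aimed at a state-changing action in the
    other context.
    """
    if not goto_uri:
        return default_landing
    if PRIVILEGE[to_role] >= PRIVILEGE[from_role]:
        return default_landing
    if not is_same_origin_path(goto_uri):
        return default_landing
    return goto_uri


if __name__ == "__main__":
    # Sample landing paths are constructed, not cPanel's real URLs.
    print(post_switch_destination("reseller", "cpanel", "/frontend/x3/mail/index.html", "/frontend/x3/index.html"))
    print(post_switch_destination("cpanel", "cpanel", "/frontend/x3/mail/index.html", "/frontend/x3/index.html"))
```

    The sideways case (cpanel to cpanel) is the one the description calls out: the reseller is already inside the attacker's account, so the request to switch into a sibling account is a privilege-neutral switch and the destination parameter is ignored.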


    _______________________________

    Questions?: Complimentary support is available to all license holders: Submit a request here.
     