Infopro

Well-Known Member
May 20, 2003
17,113
507
613
Pennsylvania
cPanel Access Level
Root Administrator
Twitter
The following disclosures covers the Targeted Security Release 2013-0011.
Each vulnerability is assigned an internal case number which is reflected below. Information regarding the cPanel Security Level rankings can be found here: http://go.cpanel.net/securitylevels

_______________________________

Case 60890

Summary
A reseller with limited privileges is allowed to install SSL virtualhosts on arbitrary IPs.

Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.

Description
A reseller account with ACL permission to install SSL certificates could install certificates and matching virtualhosts on IP addresses that belonged to accounts that did not belong to the reseller. This would allow a malicious reseller account to capture web traffic intended for other accounts on the system.

Credits
These issues were discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:

* 11.36.2.10 & Greater

The 11.38 and 11.40 releases of cPanel were not vulnerable to this issue due to unrelated changes in the SSL certificate management logic of cPanel & WHM.

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/


_______________________________

Case 63541

Summary
Arbitrary code execution via user supplied translatable phrases.

Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.

Description
Authenticated remote cPanel, WHM, and Webmail users have the ability to call API commands appropriate for their access level. Many API commands expand input arguments looking for translatable strings and other variable substitutions. It was found that the Locale::Maketext module, as used in cPanel's translation system, allowed callers to specify a custom failure handler via a crafted translation. A malicious authenticated user could leverage this flaw to execute arbitrary code with permissions that exceeded their normal access level.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:

* 11.40.1.3 & Greater
* 11.40.0.29 & Greater
* 11.38.2.13 & Greater
* 11.36.2.10 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

_______________________________

Case 69517

Summary
World-writable Counter directory allowed arbitrary code execution.

Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.

Description
An unnecessary directory at /usr/local/cpanel/share/Counter, installed by the wwwcount RPM provided with cPanel, retained world-writable permissions on some systems. The location of this directory inside of cPanel & WHM's trusted paths allowed a local attacker to load arbitrary code into cPanel processes under some circumstances.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:

* 11.40.1.3 & Greater
* 11.40.0.29 & Greater
* 11.38.2.13 & Greater
* 11.36.2.10 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

_______________________________

Case 71125

Summary
Arbitrary file ownership change via cPanel branding system.

Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.

Description
A bug in the sprite generation code for the branding subsystem changed the ownership of files in paths under the reseller's control to the reseller's UID. The change in ownership was performed automatically during the nightly updates while running with the effective UID and GID of root. A malicious reseller account could leverage this flaw to take control of arbitrary files on the system.

Credits
These issues were discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:

* 11.38.2.13 & Greater

The 11.36 and 11.40 releases of cPanel were not vulnerable to this issue. The vulnerable functionality was introduced in cPanel & WHM's 11.38 release and fixed due to unrelated changes in the original releases of 11.40.

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

_______________________________

Case 73125

Summary
After multiple security token failures, session credentials were not invalidated.

Security Rating
cPanel has assigned a Security Level of Minor to this vulnerability.

Description
The security tokens used to prevent XSRF (Cross-Site Request Forgery) attacks were vulnerable to brute-force attempts due to a failure to limit the number of invalid token attempts. An attacker who could make a very large number of XSRF attempts could use this flaw in an attempt to brute force the security token.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:

* 11.40.1.3 & Greater
* 11.40.0.29 & Greater
* 11.38.2.13 & Greater
* 11.36.2.10 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

_______________________________

Case 73193

Summary
Unsafe disclosure of security token during session based login.

Security Rating
cPanel has assigned a Security Level of Minor to this vulnerability.

Description
The URL used to perform logins could return a valid security token with only a valid session identifier supplied instead of a username and password. An attacker with the ability to capture a valid session identifier could use this flaw to acquire a new, valid security token that could be used to authenticate with the captured credentials. Such an attack would additionally invalidate the existing token for that session.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:

* 11.40.1.3 & Greater
* 11.40.0.29 & Greater
* 11.38.2.13 & Greater
* 11.36.2.10 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

_______________________________

Case 74333

Summary
The session credentials were disclosed during reseller override logins.

Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.

Description
The session cookie used by a reseller during a reseller override login to a cPanel account was disclosed to the cPanel account via the HTTP_COOKIE environment variable. A malicious local cPanel user could leverage this vulnerability to enter WHM using the reseller's captured credentials.

Credits
These issues were discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:

* 11.38.2.13 & Greater
* 11.36.2.10 & Greater

The 11.40 release of cPanel was not vulnerable to this issue. The vulnerable functionality was fixed due to unrelated changes in the original releases of 11.40.

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

_______________________________

Case 78045

Summary
Stored XSS vulnerability in WHM Daily Process Log screen.

Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.

Description
Output filtering in the WHM Daily Process Log interface did not properly sanitize the names of processes that caused high CPU load. A local attacker could create a process with a high load and a name containing malicious JavaScript intended to execute in the browser of any WHM account that viewed the daily process summary.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:

* 11.40.1.3 & Greater
* 11.40.0.29 & Greater
* 11.38.2.13 & Greater
* 11.36.2.10 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

_______________________________

Case 78089

Summary
Password disclosure during forced cPAddons upgrade.

Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.

Description
A root or reseller account performing an upgrade of a cPanel account's cPAddons Site Software installations directly from WHM disclosed the REMOTE_PASSWORD environmental variable to the cPanel account under some circumstances. The variable was only disclosed when the "cgihidepass" TweakSetting was disabled on the server. By default, this TweakSetting is enabled.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:

* 11.40.1.3 & Greater
* 11.40.0.29 & Greater
* 11.38.2.13 & Greater
* 11.36.2.10 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

_______________________________

Case 79277

Summary
Arbitrary file read vulnerability in WHM Edit DNS Zone interface.

Security Rating
cPanel has assigned a Security Level of Minor to this vulnerability.

Description
The WHM Edit DNS Zone interface allowed parts of arbitrary files to be read through the error message produced when an $include DNS zone directive led to an invalidly-formatted file. With a specially crafted DNS zone entry, resellers with the "edit-dns" ACL could read parts of the contents of files accessible only to root from the output of that error message.

Credits
This issue was discovered by Rack911.

Solution
This issue is resolved in the following builds:

* 11.40.1.3 & Greater
* 11.40.0.29 & Greater
* 11.38.2.13 & Greater
* 11.36.2.10 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

_______________________________

Case 80113

Summary
cPHulk injection via crafted SSH connections.

Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.

Description
cPHulk, a service for preventing brute-force authentication attempts, was vulnerable to a protocol injection attack via specially crafted usernames during SSH authentication. This flaw would allow a remote unauthenticated attacker to block or unblock arbitrary IP addresses and accounts from connecting to all cPHulk-managed services on the system.

Credits
This issue was discovered by an anonymous researcher.

Solution
This issue is resolved in the following builds:

* 11.40.1.3 & Greater
* 11.40.0.29 & Greater
* 11.38.2.13 & Greater
* 11.36.2.10 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

_______________________________

Case 80633

Summary
Arbitrary file write via X3 countedit.cgi.

Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.

Description
An obsolete version of the countedit.cgi script inside the cPanel X3 theme directory contained a path traversal vulnerability allowing arbitrary files to be written. This script was only executable by cPanel accounts that were configured to use a theme other than X3 or by cPanel accounts configured to use the X3 theme after a clone of the X3 theme was created by the system administrator. The obsolete copies of countedit.cgi and count.cgi inside the X3 theme directory have been removed.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:

* 11.40.1.3 & Greater
* 11.40.0.29 & Greater
* 11.38.2.13 & Greater
* 11.36.2.10 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

_______________________________

Case 81373

Summary
Bandmin passwd file stored with world-readable permissions.

Security Rating
cPanel has assigned a Security Level of Minor to this vulnerability.

Description
The permissions of the Bandmin password file were set to 0644 by default. This allowed any user on the system to read the username and hashed password required to view Bandmin's stored log data. The password stored in this file was encoded with DES-crypt.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:

* 11.40.1.3 & Greater
* 11.40.0.29 & Greater
* 11.38.2.13 & Greater
* 11.36.2.10 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

_______________________________

Case 81377

Summary
Multiple XSS vulnerabilities found in Bandmin.

Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.

Description
Multiple output filtering errors in the Bandmin bandwidth log viewer interface allowed JavaScript inputs to be returned to the browser without proper filtering. An attacker who could cause a user with permission to view bandwidth logs to visit a specially crafted URL could execute arbitrary JavaScript code in that user's browser.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:

* 11.40.1.3 & Greater
* 11.40.0.29 & Greater
* 11.38.2.13 & Greater
* 11.36.2.10 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

_______________________________

Case 81429

Summary
URL filtering flaws allowed access to restricted resources.

Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.

Description
Flaws in the path resolution of URLs supplied to cpsrvd with HTTP requests allowed the bypassing of URL based access control checks in the cPanel, WHM, and Webmail interfaces. This allowed, for example, an attacker with credentials for a Webmail virtual account to access phpMyAdmin and phpPgAdmin with the privileges of the cPanel account that owned the Webmail account.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:

* 11.40.1.3 & Greater
* 11.40.0.29 & Greater
* 11.38.2.13 & Greater
* 11.36.2.10 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

_______________________________

Case 81641

Summary
Path traversal flaw allows arbitrary code execution for restricted cPanel accounts.

Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.

Description
Due to an incorrect ordering of input filters, the UI::dynamicincludelist and UI::includelist cPanel API 2 calls were vulnerable to a path traversal attack. A restricted cPanel account could leverage this flaw to read files or execute arbitrary code that other account restrictions, such as JailShell or demo mode, would normally prevent.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:

* 11.40.1.3 & Greater
* 11.40.0.29 & Greater
* 11.38.2.13 & Greater
* 11.36.2.10 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

_______________________________

Case 81885

Summary
Multiple self-XSS vulnerabilities found in cPanel.

Security Rating
cPanel has assigned a Security Level of Minor to this vulnerability.

Description
Output filtering errors in the Manage Redirection functionality for Addon Domains and Subdomains, as well as the GnuPG Keys interfaces allowed JavaScript inputs to be returned to the browser without proper filtering.

cPanel includes a comprehensive protection mechanism against XSS and XSRF attacks called Security Tokens. Security Tokens protection is enabled by default in all installs of cPanel & WHM. When Security Tokens protection is enabled, an attacker intending to utilize this vulnerability must convince the victim to navigate their browser to the appropriate cPanel or WHM interface and manually input the JavaScript payload.

Credits
These issues were discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:

* 11.40.1.3 & Greater
* 11.40.0.29 & Greater
* 11.38.2.13 & Greater
* 11.36.2.10 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

_______________________________

Case 82309

Summary
Insecure storage of Logaholic session files was found.

Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.

Description
Logaholic session files were stored in the world-writable /tmp directory. A local attacker with access to the cPanel Logaholic interfaces could create a session file in this directory with a crafted payload intended to execute arbitrary code as the cpanel-logaholic user as the session was loaded by the Logaholic interfaces inside cPanel. Logaholic now uses a non-world-writable directory for session data, and as a precaution, database caching.

Credits
This issue was discovered by Rack911.

Solution
This issue is resolved in the following builds:

* 11.40.1.3 & Greater
* 11.40.0.29 & Greater
* 11.38.2.13 & Greater
* 11.36.2.10 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

_______________________________

Case 82725

Summary
XSS vulnerability found in YUI 2.

Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.

Description
The uploader.swf file in YUI 2, which is included with cPanel & WHM, is vulnerable to an XSS attack due to insufficient filtering of inputs. This attack has been assigned CVE-2013-6780. All Flash files have been removed from the copy of YUI 2 shipped with cPanel & WHM, as they are unneeded. These files were accessible in the cPanel, WHM, and Webmail interfaces.

Credits
This issue was discovered upstream by a security researcher called @soiaxx.

Solution
This issue is resolved in the following builds:

* 11.40.1.3 & Greater
* 11.40.0.29 & Greater
* 11.38.2.13 & Greater
* 11.36.2.10 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

_______________________________

Case 82733

Summary
Database grant files stored with world-readable permissions.

Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.

Description
Changes to the functionality that stores data and cache files resulted in cPanel & WHM's files for storing database grants becoming world-readable. This flaw allowed all accounts on the system to access the MySQL and PostgreSQL grant statements for other cPanel users on the system. These grant statements contained MySQL and PostgreSQL usernames and hashed passwords.

Credits
This issue was discovered by Rack911.

Solution
This issue is resolved in the following builds:

* 11.40.1.3 & Greater
* 11.40.0.29 & Greater
* 11.38.2.13 & Greater

The 11.36 release of cPanel was not vulnerable to this issue.

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

_______________________________

Case 83501

Summary
Disallow \g in MySQL GRANT statements during account restores.

Security Rating
cPanel has not assigned a Security Level to this issue.

Description
\g has been added to the list of disallowed strings for MySQL grant restores. We would like to stress that this does not make restoration of packages from untrusted sources safe.

Credits
This issue was reported by Rack911.

Solution
This issue is resolved in the following builds:

* 11.40.1.3 & Greater
* 11.40.0.29 & Greater
* 11.38.2.13 & Greater
* 11.36.2.10 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

_______________________________

Case 83929

Summary
A cross-account XSRF attack against reseller override logins was possible via goto_uri.

Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.

Description
Reseller accounts that log into the cPanel accounts they own using resellers override authentication have the ability to switch back to WHM or switch to the cPanel interfaces for other cPanel accounts they own. This functionality goes through special /xfer URLs inside cpsrvd. The /xfer URLs also permit specifying an optional destination URL on the other side of the switch between accounts and interfaces though a "goto_uri" query parameter. A malicious cPanel user could conduct XSRF attacks against a reseller logged into their account to combine an /xfer to a different account with a goto_uri destination that caused configuration changes inside the other account. This vulnerability has been addressed by limiting use of the goto_uri parameter to account and interface switches where privileges are being lowered.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:

* 11.40.1.3 & Greater
* 11.40.0.29 & Greater
* 11.38.2.13 & Greater
* 11.36.2.10 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/


_______________________________

Questions?: Complimentary support is available to all license holders: Submit a request here.