Case 62230

Summary

Shell code injection via translatable phrases in Cpanel::Locale

Security Rating

cPanel has assigned a Security Level of “Important” to this vulnerability.

Description

The Cpanel::Locale module wraps around Perl’s Locale::Maketext module and extends it to provide additional Maketext tags and functionality. Locale::Maketext is used to render translatable phrases into a user’s chosen locale. cPanel & WHM uses this module to display all translatable phrases in the cPanel, WHM and Webmail interfaces.

The version of Cpanel::Locale used in previous releases of cPanel & WHM included two date formatting functions that passed unsanitized userinput to a subprocess shell. An authenticated attacker could use this functionality to execute arbitrary shell commands on the local system bypassing normal restrictions on local code execution.

This vulnerability was discovered by the cPanel Quality Assurance Team.

Solution

This issue is resolved in the following builds:

* 11.34.0.10 and greater
* 11.32.5.14 and greater
* 11.30.7.3 and greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.