cPanel TSR-2017-0003 Full Disclosure

SEC-234

Summary

Horde MySQL to SQLite conversion can leak database password.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 2.2 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Description

When the Horde MySQL to SQLite conversion script needed to reset the password on the MySQL database, it passed the new password to the reset script as a command line argument. Command line arguments are readable by other local users for the lifetime of the process, so the password was visible to a potential attacker in a `ps` process listing.
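The exposure described above, shown as an added example (mine, not cPanel's code): the child program, DEMO_PASSWORD and the reset_password_* function names are constructed stand-ins for the conversion script and its reset helper. The leaky variant puts the secret in the helper's argv, which any local user can read via /proc/<pid>/cmdline (what `ps` displays); the fixed variant hands it over stdin, which only the child can read.

```python
"""Added example: why a secret passed in argv is visible in `ps`, and the
stdin alternative. Stand-in child process, not cPanel's reset script."""
import subprocess
import sys

# Constructed demo password and a stand-in helper that blocks reading one
# line from stdin, so the parent can snapshot its argv while it is alive.
DEMO_PASSWORD = "hunter2-constructed"
CHILD = "import sys; sys.stdin.readline()"


def observed_cmdline(pid: int) -> str:
    """What an unprivileged local user sees in `ps` for this pid."""
    try:  # Linux: /proc/<pid>/cmdline is world-readable unless hidepid is set
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            return f.read().replace(b"\0", b" ").decode(errors="replace")
    except OSError:  # non-Linux fallback: ask ps directly
        return subprocess.run(["ps", "-o", "args=", "-p", str(pid)],
                              capture_output=True, text=True).stdout


def _spawn_and_observe(argv, stdin_payload: str) -> str:
    """Start the helper, snapshot its argv while it waits on stdin, then
    feed it stdin and let it exit."""
    child = subprocess.Popen(argv, stdin=subprocess.PIPE, text=True)
    try:
        return observed_cmdline(child.pid)
    finally:
        child.communicate(stdin_payload + "\n")


def reset_password_via_argv(password: str = DEMO_PASSWORD) -> str:
    """The leaky pattern: the secret is on the helper's command line."""
    return _spawn_and_observe([sys.executable, "-c", CHILD, password], "")


def reset_password_via_stdin(password: str = DEMO_PASSWORD) -> str:
    """The fixed pattern: the secret travels over a pipe only the child reads."""
    return _spawn_and_observe([sys.executable, "-c", CHILD], password)


if __name__ == "__main__":
    print("argv :", reset_password_via_argv())
    print("stdin:", reset_password_via_stdin())
```

Environment variables are a common middle ground, but /proc/<pid>/environ is readable by the same user and by root, and environments are inherited by every descendant, so a pipe or a mode-0600 file is the safer channel for a database password.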

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-236

Summary

Code execution for webmail and demo accounts with the store_filter API call.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 6.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Description

Webmail and demo accounts are normally not permitted to execute code on the system. This restriction could be bypassed through the store_filter API call.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-237

Summary

Code execution as root via SET_VHOST_LANG_PACKAGE multilang adminbin call.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

The SET_VHOST_LANG_PACKAGE command of the multilang adminbin did not adequately validate the package parameter passed to it. An attacker could pass in an arbitrary PHP package value, which allowed for arbitrary code to run as the root user.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-238

Summary

Demo account code execution with BoxTrapper API.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 5.6 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Description

It was possible to use the BoxTrapper API as a demo user to upload files and execute them. The BoxTrapper API now forbids use by demo users.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-239

Summary

Demo account file read vulnerability in Fileman::getfileactions API2 call.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 3.5 CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

The Fileman::getfileactions API2 call allowed demo account users to read the contents of arbitrary files on the system.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-240

Summary

Webmail account arbitrary code execution via forwarders.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.4 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Description

The cPanel API calls that allow modification of an account’s email forwarding settings did not properly sanitize the forwarding options that were provided. This allowed webmail accounts to inject shell commands into the forwarding system.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-241

Summary

Webmail arbitrary file write with addforward API call.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 5.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Description

A webmail user could use the addforward API1 call to set up an email forwarder whose destination was a file rather than an address. This allowed the webmail user to write to any file location owned by the cPanel account. Webmail users can now only add forwarders to valid email addresses.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
56.0.49

SEC-242

Summary

Demo account code execution through Encoding API calls.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 7.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Description

The Encoding API calls relied on the guess_file_encoding script to determine the character encoding of the specified file. This script was vulnerable to XML External Entity attacks that could be escalated to full code execution with some inputs.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-243

Summary

Demo account code execution via ImageManager_dimensions API call.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 7.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Description

The ImageManager_dimensions API call invokes the ImageMagick identify utility. Due to possible vulnerabilities within the ImageMagick utilities, this could have been used to execute arbitrary code under a demo account.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-244

Summary

Demo users have access to traceroute via api2.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

The traceroute api2 call was available to demo users, but the api1 traceroute call was blocked for those same users. Now, both api1 and api2 calls function in similar ways and block execution by demo users.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-245

Summary

Demo accounts able to redirect web traffic.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 5.0 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

Description

The API1 commands to redirect the website traffic to parked domains were not implementing Demo mode restrictions correctly.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-246

Summary

Cpanel::SPFUI API commands are available to demo accounts.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Description

The Cpanel::SPFUI API commands were available to demo accounts. These commands could be used to change the SPF records for a demo domain, allowing an attacker to authorize an external system to send email for the domain.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-247

Summary

Demo and suspended accounts allowed to port-forward via SSH.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 5.0 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

Description

The shell configuration for Demo and Suspended accounts still allowed traffic to be forwarded through SSH. This has been addressed by adding these accounts to the “cpanelsuspended” and “cpaneldemo” groups, and explicitly blocking those groups in the sshd_config file.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-248

Summary

Cpanel SSH API commands are allowed for Demo accounts.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Description

The Cpanel SSH API commands were allowed for demo accounts, so a demo user could generate, upload, and authorize SSH keys. This also allowed changes to be made to the filesystem and could enable further attacks.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-249

Summary

Demo restrictions not enforced in SSL API calls.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Description

The cPanel API1, API2 and UAPI calls for SSL operations in cPanel did not enforce demo mode restrictions correctly. This allowed demo accounts to modify the demo domain’s SSL configuration.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-250

Summary

File read and write for demo accounts in SourceIPCheck API.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)

Description

It was possible to use the SourceIPCheck API calls to read and write to files that the targeted demo account could access. Now, most SourceIPCheck API calls are no longer available to demo users.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-251

Summary

Code execution for Demo accounts via ClamScanner_getsocket API.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 7.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Description

The ClamScanner_getsocket API command takes the location of the clamd binary as an argument, which is interpolated into a shell command used to find the current clamd socket file. It was possible to inject arbitrary shell commands through this argument, allowing arbitrary code execution under Demo accounts.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-252

Summary

Limited file read via Serverinfo_manpage API call.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

The Serverinfo_manpage API call accepts a parameter that selects the manpage to display. This parameter was vulnerable to path traversal, which potentially allowed an attacker to read some files accessible to the calling account.
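The containment check a manpage selector like this one needs, as an added example (mine, not cPanel's code). MAN_ROOT and the sample names are constructed for the demo; the advisory does not state where cPanel reads manpages from. The naive function shows why plain concatenation fails (note that os.path.join discards the root entirely when the name is absolute), and the safe function combines an allow-list on the name with a realpath prefix check so a symlink inside the root cannot escape it either.

```python
"""Added example: confining a user-chosen manpage name to the manual
directory. Paths and names are constructed; not cPanel's implementation."""
import os
import re

# Hypothetical manual root for the demo.
MAN_ROOT = "/opt/example-man"

# Manpage names are short tokens: no slashes, no whitespace, no NULs.
_NAME_RE = re.compile(r"^[A-Za-z0-9_.+-]{1,64}$")


def naive_manpage_path(name: str, root: str = MAN_ROOT) -> str:
    """'Before': blind concatenation. '../../etc/passwd' walks out of root,
    and an absolute name replaces root outright."""
    return os.path.join(root, name)


def safe_manpage_path(name: str, root: str = MAN_ROOT):
    """'After': allow-list the name, then prove the resolved path is inside
    root. Returns the absolute path, or None when the request is refused."""
    if not _NAME_RE.match(name) or name in (".", ".."):
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, name))
    # realpath() collapses '..' and follows symlinks, so a prefix test on the
    # resolved path is meaningful. The trailing separator stops a sibling
    # such as '/opt/example-man2' from passing as a child of the root.
    if not candidate.startswith(root_real + os.sep):
        return None
    return candidate


if __name__ == "__main__":
    for n in ("ls.1", "../../etc/passwd", "/etc/shadow", "..", "ls.1 x"):
        print(f"{n!r:22} naive={naive_manpage_path(n)!r} safe={safe_manpage_path(n)!r}")
```

The allow-list does the real work; the realpath check is defence in depth for the case where the allowed characters can still name something that resolves outside the directory (a symlink planted in it, for example).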

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-254

Summary

Limited file rename as root via scripts/convert_roundcube_mysql2sqlite.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.4 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

Description

The scripts/convert_roundcube_mysql2sqlite script calls out to shell commands via the system() function while running with reduced privileges. If a user’s email virtual name contained shell special characters, the command was invoked via the system shell, which restored root privileges and ran the command as root. This allowed an attacker to rename files and/or copy them into a user-accessible location.
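SEC-240, SEC-251 and SEC-254 share one root cause: user-controlled text (a forwarder option, a clamd path, a mailbox name) interpolated into a single command string that the runtime hands to a shell. The example below is mine, not cPanel's code: it emulates Perl's one-argument system(), which execs directly for a "simple" string but uses /bin/sh -c once the string contains a shell metacharacter, so the same call is safe for "alice" and injectable for "alice; echo INJECTED". The metacharacter set is an approximation of Perl's, and `echo` stands in for the real rename so the demo has no side effects. The root restoration in SEC-254 is not explained on the page; my reading is that the script had lowered only its effective uid, and bash resets the effective uid to the real uid (still 0) on start-up unless invoked with -p.

```python
"""Added example: shell injection through a single-string system() call,
beside the argv-list and quoted forms that do not have the bug."""
import shlex
import subprocess

# Approximation of the characters Perl's system() treats as needing a shell.
SHELL_METACHARS = set('$&*(){}[]\'";\\|?<>~`\n')


def legacy_system(command: str) -> str:
    """Emulates Perl's one-argument system(): a shell only when the string
    contains metacharacters. Returns stdout so the effect is observable."""
    if SHELL_METACHARS & set(command):
        # Vulnerable branch: the whole string is parsed by /bin/sh.
        return subprocess.run(command, shell=True,
                              capture_output=True, text=True).stdout
    return subprocess.run(command.split(),
                          capture_output=True, text=True).stdout


def vulnerable_rename(virtual_name: str) -> str:
    """'Before': user data interpolated into the command string."""
    return legacy_system(f"echo {virtual_name}")


def hardened_rename(virtual_name: str) -> str:
    """'After': argv list, no shell; the name can only ever be one argument."""
    return subprocess.run(["echo", virtual_name],
                          capture_output=True, text=True).stdout


def hardened_rename_quoted(virtual_name: str) -> str:
    """If a shell is unavoidable, quote every interpolated value."""
    return subprocess.run("echo " + shlex.quote(virtual_name), shell=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    evil = "alice; echo INJECTED"
    print(repr(vulnerable_rename("alice")))      # 'alice\n'
    print(repr(vulnerable_rename(evil)))         # 'alice\nINJECTED\n'
    print(repr(hardened_rename(evil)))           # 'alice; echo INJECTED\n'
    print(repr(hardened_rename_quoted(evil)))    # 'alice; echo INJECTED\n'
```

The "shell only when needed" heuristic is what makes this class hard to spot in testing: ordinary account names never reach the shell branch, so the bug is invisible until an attacker chooses the name. The Perl equivalent of hardened_rename is the list form, system(@argv), which never consults a shell.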

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-255

Summary

Limited file chmod in /scripts/convert_roundcube_mysql2sqlite.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Description

During the Roundcube SQLite conversion process, it was possible to chmod a limited set of files with elevated privileges by taking advantage of a race condition.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-257

Summary

User crontab publicly visible during cPAddon upgrades.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

The functionality for adding and removing cron jobs for cPAddons exposed the user’s crontab by placing a copy in the user’s public Apache docroot.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-259

Summary

Code execution via Rails configuration files.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 8.2 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Description

The Ruby on Rails settings for an account were stored in the account’s userdata directory in a way that would conflict with identically named domains. This could be abused to inject arbitrary configuration data into the Apache configuration file.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-260

Summary

Supplemental groups lost during account renames.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 5.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N

Description

During account modifications, the supplemental groups a user belonged to were not updated to reflect a changed username, so the old name remained in the group membership lists. This could leak access to sensitive groups to a subsequent account created with the old username.
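An audit for the residue this leaves behind, as an added example (mine, not cPanel's code): group(5) membership lists naming a user that no longer exists in passwd(5) are exactly what a later account with that name would inherit. The passwd and group lines are constructed for the demo (alice was renamed to alice2 without her groups being rewritten), and rename_user_in_groups is one way to carry the groups over, not the change cPanel shipped.

```python
"""Added example: detect stale supplemental-group members left by a rename,
and rewrite the membership lists. Sample files are constructed."""

# Constructed: 'alice' became 'alice2', but the group file was not updated.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice2:x:1001:1001::/home/alice2:/usr/local/cpanel/bin/jailshell
bob:x:1002:1002::/home/bob:/bin/bash
"""
GROUP = """\
root:x:0:
wheel:x:10:alice,bob
mailman:x:32:alice
sshusers:x:900:bob
"""


def parse_passwd(text: str):
    """Return the set of existing login names from passwd(5)-format text."""
    return {line.split(":", 1)[0] for line in text.splitlines() if line.strip()}


def parse_group(text: str):
    """Return {group: [members]} from group(5)-format text."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = [m for m in members.split(",") if m]
    return groups


def stale_group_members(passwd_text: str, group_text: str):
    """Sorted (group, member) pairs whose member names no current user.
    Each pair is a group a future account with that name would inherit."""
    users = parse_passwd(passwd_text)
    return sorted((g, m) for g, ms in parse_group(group_text).items()
                  for m in ms if m not in users)


def rename_user_in_groups(group_text: str, old: str, new: str) -> str:
    """One remedy: rewrite membership lists so a rename keeps its groups."""
    out = []
    for line in group_text.splitlines():
        if not line.strip():
            out.append(line)
            continue
        name, pw, gid, members = line.split(":", 3)
        ms = [new if m == old else m for m in members.split(",") if m]
        out.append(":".join([name, pw, gid, ",".join(ms)]))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("stale:", stale_group_members(PASSWD, GROUP))
    fixed = rename_user_in_groups(GROUP, "alice", "alice2")
    print("after rewrite:", stale_group_members(PASSWD, fixed))
```

Run against the real /etc/passwd and /etc/group, the stale list is also a useful post-incident check: any entry it reports is a group whose access is currently unowned and claimable by whoever next creates the account.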

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-262

Summary

Stored XSS in WHM cPAddons install interface.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 2.2 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N

Description

When installing a cPAddon, if the installation of the cron jobs failed, the interface did not HTML encode the resulting error message. This could allow arbitrary HTML or script to be injected into the rendered page.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
62.0.24
60.0.43
58.0.49
56.0.49

For the PGP-Signed version of this announcement please see: https://news.cpanel.com/wp-content/uploads/2017/05/TSR-2017-0003.disclosure.signed.txt