cPanel TSR-2017-0004 Full Disclosure
SEC-263
Summary
Stored XSS during WHM cPAddons install.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.9 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Description
It was possible for an attacker to actively inject HTML into the WHM cPAddons screen during a moderated install.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
58.0.52
56.0.51
SEC-264
Summary
Stored XSS during WHM cPAddons upgrades.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.9 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Description
While performing cPAddon upgrades in WHM, output from the upgrade script was displayed without HTML escaping.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
62.0.27
60.0.45
58.0.52
56.0.51
SEC-265
Summary
Stored XSS during WHM cPAddons file operations.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.9 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Description
It was possible for an attacker to actively inject HTML into the WHM cPAddons screen when the installation process did certain ‘chmod’ and ‘chown’ operations.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
58.0.52
56.0.51
SEC-266
Summary
Stored XSS during WHM cPAddons uninstallation.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.9 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Description
While performing cPAddon uninstalls in WHM, output from the ‘rm’ command was displayed without HTML escaping. This could allow for arbitrary code to be injected into the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
58.0.52
56.0.51
SEC-267
Summary
Stored XSS during WHM cPAddons cron operations.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.9 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Description
During the WHM cPAddons install and uninstall processes, output from the ‘crontab’ command was not sufficiently HTML escaped.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
62.0.27
60.0.45
58.0.52
56.0.51
SEC-268
Summary
Stored XSS during moderated WHM cPAddons installation.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.9 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Description
While performing cPAddon installs in WHM, output from the ‘chgrp’ command was displayed without HTML escaping.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
62.0.27
60.0.45
58.0.52
56.0.51
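The fix described in SEC-264, SEC-266, SEC-267 and SEC-268, escaping command output before it is rendered, shown as an added example; this is not cPanel's code, which the advisory does not include. The stand-in tool, the function names and the sample path are constructed for illustration.

```python
import html
import subprocess
import sys

# Hypothetical stand-in for a tool such as rm, chgrp or crontab: like them, it
# repeats the path it was given in its error message, so whoever named the
# file controls part of the text that reaches the page.
FAKE_TOOL = (
    "import sys; "
    "sys.stderr.write('rm: cannot remove %s: No such file or directory\\n' % sys.argv[1])"
)

# Constructed sample: a file name chosen by the account owner.
SAMPLE_PATH = "/home/user/public_html/<u>injected</u>.txt"


def run_tool(path):
    """Run the stand-in tool and return its combined stdout/stderr as text."""
    proc = subprocess.run(
        [sys.executable, "-c", FAKE_TOOL, path],  # argv list, no shell involved
        stdout=subprocess.PIPE,
        stderr=subprocess.STDOUT,
        text=True,
        check=False,
    )
    return proc.stdout


def render_unescaped(output):
    """Pre-fix behaviour: tool output is pasted into the page as markup."""
    return '<pre class="addon-log">' + output + "</pre>"


def render_escaped(output):
    """Fixed behaviour: tool output is encoded so it can only render as text."""
    return '<pre class="addon-log">' + html.escape(output, quote=True) + "</pre>"


if __name__ == "__main__":
    captured = run_tool(SAMPLE_PATH)
    print(render_unescaped(captured))  # the <u> element reaches the browser
    print(render_escaped(captured))    # the same text arrives entity-encoded
```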
SEC-269
Summary
Stored XSS in WHM cPAddons processing.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.9 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Description
The cPAddons interfaces relied on a temporary file inside the user’s home directory to buffer HTML output. When a reseller made cPAddons changes inside of the WHM interfaces for the user, this allowed the injection of HTML into the interface.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
58.0.52
56.0.51
SEC-271
Summary
Demo accounts allowed to create databases and users.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.0 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
Description
The mysql adminbin allowed demo accounts to create and delete databases and users.
Credits
This issue was discovered by rack911labs.com.
Solution
This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
SEC-272
Summary
EasyApache 4 conversion sets loose domlog ownership and permissions.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Description
The conversion from EasyApache 3 to EasyApache 4 does not move virtualhost domlogs from the old location to the new location. This results in the logs being recreated by Apache with default world-readable permissions. The conversion script will now create the log files as necessary to ensure correct permissions and ownership are maintained.
Credits
This issue was discovered by Alex Kwiecinski of the Liquid Web Security Team.
Solution
This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
58.0.52
56.0.51
SEC-273
Summary
Domain log files become readable after log processing.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Description
When Apache was configured with piped logging and the domain log files were processed by cpanellogd, the log files would be left with world-readable permissions.
Credits
This issue was discovered by Alex Kwiecinski.
Solution
This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
58.0.52
56.0.51
SEC-274
Summary
Apache configuration file changed to world-readable when rebuilt.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Description
Changes to the Cpanel::AdvConfig module resulted in all AdvConfig managed subsystems getting world-readable configuration files when they were rebuilt. Cpanel::AdvConfig now defaults to the existing file permissions whenever the optional _target_conf_perms argument is not supplied.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
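The behaviour described for SEC-274, keeping a file's existing mode when no permissions argument is supplied, shown as an added example; this is not cPanel's Perl code. The function names, the 0o600 fallback for a missing file and the naive variant, which shows one way a rebuild can end up world-readable, are assumptions.

```python
import os
import stat
import tempfile

def rebuild_config(path, content, target_perms=None):
    """Atomically rewrite path; keep its current mode unless target_perms is given."""
    if target_perms is None:
        try:
            target_perms = stat.S_IMODE(os.stat(path).st_mode)
        except FileNotFoundError:
            target_perms = 0o600  # assumption: private default for a new file
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp creates the temp file 0o600, so it is never briefly readable.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".rebuild-")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(content)
        os.chmod(tmp, target_perms)  # explicit mode, independent of umask
        os.replace(tmp, path)        # atomic swap within one filesystem
    except BaseException:
        os.unlink(tmp)
        raise
    return stat.S_IMODE(os.stat(path).st_mode)

def rebuild_config_naive(path, content):
    """Failure mode: the replacement file gets the umask-derived default mode."""
    tmp = path + ".new"
    with open(tmp, "w") as handle:   # 0o666 & ~umask, typically 0o644
        handle.write(content)
    os.replace(tmp, path)
    return stat.S_IMODE(os.stat(path).st_mode)

def demo():
    """Rebuild a 0o600 file both ways under umask 022; return both resulting modes."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as workdir:
            conf = os.path.join(workdir, "httpd.conf")  # constructed sample file
            with open(conf, "w") as handle:
                handle.write("# original\n")
            os.chmod(conf, 0o600)
            kept = rebuild_config(conf, "# rebuilt\n")
            loose = rebuild_config_naive(conf, "# rebuilt again\n")
            return kept, loose
    finally:
        os.umask(old_umask)
```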
SEC-280
Summary
The cpdavd_error_log can be created with insecure permissions.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.2 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Description
If the cpdavd_error_log file is missing when cpdavd starts, then it is possible for it to be created with world-readable permissions. It is possible for sensitive data to be contained within this log. The permissions on this file are now reduced.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
58.0.52
56.0.51
SEC-288
Summary
Resellers can read other accounts’ domain log files.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.7 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Description
Under certain situations domain log files are backed up with the file extensions “.bkup”, “.bkup2” and “.offset”. A reseller could create a domain with those extensions as a top-level domain and gain access to read other users’ domain log files. The aforementioned top-level domains are no longer allowed during account creation.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
58.0.52
56.0.51
SEC-289
Summary
Insecure log file permissions after account modification.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.2 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Description
When changing the main domain name of the account, the log files for that domain were not renamed. This resulted in world-readable log files when Apache was restarted.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
58.0.52
56.0.51
SEC-290
Summary
Apache domlogs become temporarily world-readable during log processing.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Description
During log processing, the Apache domain log files were moved out of their normal location. This created a race condition where any restart of Apache would log to the normal log file location with insecure permissions.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
58.0.52
56.0.51
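A check for the condition behind SEC-272, SEC-273, SEC-280, SEC-289 and SEC-290, log files accessible to other local users, together with one way to create a log that never is, shown as an added example; this is not cPanel's code. The function names, the 0o640 mode and the sample directory contents are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

def world_accessible_logs(log_dir):
    """Return sorted (relative path, octal mode) for files 'other' can read or write."""
    findings = []
    for root, _dirs, files in os.walk(log_dir):  # does not descend into symlinked dirs
        for name in files:
            full = os.path.join(root, name)
            info = os.lstat(full)                # judge the entry itself, not a link target
            if not stat.S_ISREG(info.st_mode):
                continue
            mode = stat.S_IMODE(info.st_mode)
            if mode & (stat.S_IROTH | stat.S_IWOTH):
                findings.append((os.path.relpath(full, log_dir), oct(mode)))
    return sorted(findings)

def open_log_private(path, mode=0o640):
    """Create-or-append a log file without ever exposing it to 'other'."""
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(path, flags, mode)  # umask can only remove bits from mode
    os.fchmod(fd, mode)              # also tightens a file that already existed
    return fd

def demo():
    """Build a constructed log directory under umask 022 and audit it."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as domlogs:
            # Recreated with default permissions, as a restarted daemon would.
            with open(os.path.join(domlogs, "example.com"), "w") as handle:
                handle.write("constructed log line\n")
            # Created through the restrictive path instead.
            os.close(open_log_private(os.path.join(domlogs, "example.org")))
            return world_accessible_logs(domlogs)
    finally:
        os.umask(old_umask)
```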
SEC-291
Summary
Apache SSL domain logs left behind after account termination.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Description
The Apache logs for an account’s SSL domain and subdomains were left behind by the account termination process. Resellers could recreate the deleted domains to gain access to the log data.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
58.0.52
56.0.51
SEC-294
Summary
Corrupted user and group ownership when using ‘reassign_post_terminate_cruft’.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
Description
Under very specific file tree structures, it was possible for the script ‘reassign_post_terminate_cruft’ to corrupt the user and group ownership of symlinks.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
58.0.52
56.0.51
SEC-297
Summary
Self XSS Vulnerability in WHM Upload Locale interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
When uploading a locale file in the WHM Upload Locale interface, page output containing the uploaded file name was not adequately escaped. This could allow for arbitrary code to be injected into the rendered page.
Credits
This issue was discovered by Vahagn Vardanyan.
Solution
This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
58.0.52
56.0.51
For the PGP-Signed version of this announcement please see: https://news.cpanel.com/wp-content/uploads/2017/07/TSR-2017-0004.disclosure.signed.txt