cPanel TSR-2017-0005 Full Disclosure

SEC-276

Summary

SQL injection in eximstats processing.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 5.3 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Description

When processing eximstats updates in buffered mode, errors in the SQL operations cause the updates to be reprocessed one statement at a time. The logic used to split multiple SQL statements back into individual SQL statements was faulty. This resulted in data being processed as SQL commands.
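The splitting problem described above, as an added example that is not cPanel's eximstats code: a naive split of a buffered batch on ';' beside a splitter that respects string literals, run over a constructed two-statement batch whose second sender value merely looks like SQL. Using parameterized statements so that no batch ever needs re-splitting is the more robust fix; the splitter only shows where the naive logic goes wrong.

```python
# Added example, not cPanel's eximstats code: it contrasts a naive split of a
# buffered SQL batch on ';' with a splitter that respects string literals, so a
# ';' that is merely data (inside a quoted value) never becomes a statement.
from typing import List


def naive_split(batch: str) -> List[str]:
    """The faulty approach: every ';' ends a statement, even inside a literal."""
    return [s.strip() for s in batch.split(";") if s.strip()]


def quote_aware_split(batch: str) -> List[str]:
    """Split on ';' only outside '...' / "..." literals; inside a literal,
    backslash escapes and doubled quotes ('') are kept as part of it."""
    statements: List[str] = []
    current: List[str] = []
    quote = None  # the quote character we are currently inside, or None
    i = 0
    while i < len(batch):
        ch = batch[i]
        nxt = batch[i + 1] if i + 1 < len(batch) else ""
        if quote is None:
            if ch in ("'", '"'):
                quote = ch
            elif ch == ";":
                stmt = "".join(current).strip()
                if stmt:
                    statements.append(stmt)
                current = []
                i += 1
                continue
        elif ch == "\\" or (ch == quote and nxt == quote):
            current.append(ch + nxt)  # keep the escape / doubled quote intact
            i += 2
            continue
        elif ch == quote:
            quote = None
        current.append(ch)
        i += 1
    tail = "".join(current).strip()
    if tail:
        statements.append(tail)
    return statements


# Constructed sample batch: the second sender address is data that merely looks
# like SQL; a correct splitter must keep it inside that INSERT's literal.
SAMPLE_BATCH = (
    "INSERT INTO sends (sender, size) VALUES ('a@example.com', 120);"
    "INSERT INTO sends (sender, size) VALUES ('x; SELECT 1; --@example.com', 5);"
)
```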

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
66.0.23
64.0.40

SEC-279

Summary

SSL hostname verification for support agreement download not enforced.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Description

There was no hostname verification for the support agreement download when creating a support ticket through WHM. This allowed a user to be subjected to a MITM attack.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
66.0.23
64.0.40
62.0.30
60.0.48

SEC-282

Summary

Stored XSS Vulnerability in WHM MySQL Password Change Interfaces.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.6 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Description

When changing the MySQL password for the root user, various scripts are called to update subsystems that rely on this password. One of these scripts updates the Roundcube databases and outputs a list of virtual email accounts. This list was not adequately encoded before displaying to the user and allowed an attacker to inject arbitrary code on the rendered page.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
66.0.23
64.0.40
62.0.30
60.0.48
56.0.52

SEC-283

Summary

cPanel backup interface could return a backup with all MySQL databases.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 7.7 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Description

With specific database names it was possible for a backup returned by getsqlbackup to contain all MySQL databases on the server, including databases the user did not own.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
66.0.23
64.0.40
62.0.30
60.0.48
56.0.52

SEC-284

Summary

User account backups could contain all MySQL databases on the server.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 7.7 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Description

With specific database names it was possible for an account backup to contain all MySQL databases on the server, including databases the user did not own.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
66.0.23
64.0.40
62.0.30
60.0.48
56.0.52

SEC-285

Summary

Addon domain conversion can copy all MySQL databases to the new account.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 6.8 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Description

It was possible for a reseller account to perform an addon domain conversion where the resulting account was given a copy of every MySQL table on the server.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
66.0.23
64.0.40
62.0.30
60.0.48
56.0.52

SEC-296

Summary

Account rename can result in Apache logfiles becoming world-readable.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 2.2 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Description

When modifying the account’s main domain name, there was a small interval between when the Apache log files are renamed, and when httpd restarts. During this interval, if the site is accessed, Apache would create the logs as world-readable. This allowed for a leak of potentially sensitive data.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
66.0.23
64.0.40
62.0.30
60.0.48
56.0.52

SEC-299

Summary

Backup system overwrites root’s home directory when mount disappears.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 7.8 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

When performing an account backup, the backup script will chdir() to the backup directory. If a file system failure is occurring when this chdir() is made, it is possible for the directory to be changed to root’s home directory. This can allow for files within this directory to be overwritten.
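The fail-closed check implied by this issue, as an added example rather than cPanel's backup code: after the chdir(), the process confirms by device and inode that it is actually inside the requested directory and not in a forbidden one (root's home by default, an assumed parameter here), and aborts otherwise; the self-check runs the three outcomes on constructed temporary directories.

```python
# Added example, not cPanel's backup code: enter the backup directory and fail
# closed unless the process is verifiably inside that directory afterwards.
import os
import tempfile
from typing import Tuple


def enter_backup_dir(backup_dir: str, forbidden=("/root",)) -> str:
    """chdir() into backup_dir and return the cwd. Raises RuntimeError instead
    of proceeding if the directory is missing (e.g. its mount went away), the
    chdir() fails, or the cwd afterwards is not the requested directory or is
    one of the forbidden directories."""
    try:
        want = os.stat(backup_dir)
        os.chdir(backup_dir)
        here = os.stat(".")
    except OSError as exc:
        raise RuntimeError(f"cannot enter {backup_dir}: {exc}") from None
    if (here.st_dev, here.st_ino) != (want.st_dev, want.st_ino):
        raise RuntimeError("cwd is not the requested backup directory")
    for path in forbidden:
        try:
            bad = os.stat(path)
        except OSError:
            continue  # that directory does not exist here; nothing to match
        if (here.st_dev, here.st_ino) == (bad.st_dev, bad.st_ino):
            raise RuntimeError(f"refusing to run the backup inside {path}")
    return os.getcwd()


def self_check() -> Tuple[bool, bool, bool]:
    """Exercise the three outcomes on constructed temporary directories."""
    start = os.getcwd()
    try:
        with tempfile.TemporaryDirectory() as good:
            entered = os.path.samefile(enter_backup_dir(good), good)
            try:  # same directory, but this time listed as forbidden
                enter_backup_dir(good, forbidden=(good,))
                refused = False
            except RuntimeError:
                refused = True
            os.chdir(start)  # leave before the directory is removed
        try:  # 'good' no longer exists: like a backup mount that went away
            enter_backup_dir(good)
            failed_closed = False
        except RuntimeError:
            failed_closed = True
    finally:
        os.chdir(start)
    return entered, refused, failed_closed
```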

Credits

This issue was discovered by NameCheap, Inc.

Solution

This issue is resolved in the following builds:
66.0.23
64.0.40
62.0.30
60.0.48
56.0.52

SEC-300

Summary

Open redirect in /unprotected/redirect.html.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 7.4 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

Description

The goto_uri parameter of /unprotected/redirect.html could be used as an open redirect to a potentially harmful domain.
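A validation routine for a goto_uri-style parameter, added here as an example and not taken from cPanel's redirect.html: it accepts only a same-site absolute path and falls back to a fixed location for anything that could name another host (a scheme, an authority, a leading '//' or '/\', or control characters that browsers strip before parsing).

```python
# Added example, not cPanel's redirect.html: validate a goto_uri-style value so
# that only a same-site absolute path is followed; anything else falls back.
from urllib.parse import urlsplit


def safe_goto_uri(value: str, fallback: str = "/") -> str:
    """Return value if it is a plain same-site path, otherwise fallback.

    Rejected: empty values; control characters (browsers strip some of them
    before parsing, which can hide a scheme); backslashes (browsers treat
    '/\\' like '//'); anything with a scheme or authority; and any value that
    does not start with exactly one '/' ('//' and '///' are network-path
    references that resolve to another host)."""
    if not value:
        return fallback
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value) or "\\" in value:
        return fallback
    if not value.startswith("/") or value.startswith("//"):
        return fallback
    parts = urlsplit(value)  # belt and braces: no scheme/authority may remain
    if parts.scheme or parts.netloc:
        return fallback
    return value
```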

Credits

This issue was discovered by Fredrik Almroth.

Solution

This issue is resolved in the following builds:
66.0.23
64.0.40
62.0.30
60.0.48
56.0.52

SEC-302

Summary

Code execution as the mailman user due to faulty environment variable filtering.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

The blacklist-based environment variable filtering in Mailman allowed through variables that could influence the operation of the Python interpreter. On cPanel & WHM systems, this faulty filtering allowed local users to run arbitrary code as the shared mailman user.
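The filtering pattern at issue, as an added example that is neither Mailman's nor cPanel's code: a blocklist filter that lets interpreter settings such as PYTHONPATH through, beside an allowlist filter that passes only the names the wrapped program needs; the blocked and allowed name sets and the caller environment are constructed for the demonstration.

```python
# Added example, not Mailman's or cPanel's code: an allowlist-based environment
# filter for a privileged wrapper, beside the blocklist pattern it replaces.
# PYTHONPATH and PYTHONSTARTUP are real CPython settings; the name sets and the
# sample environment below are constructed for the demonstration.
from typing import Dict

# Blocklist approach: drop a few well-known dangerous names, pass everything else.
BLOCKED = {"LD_PRELOAD", "LD_LIBRARY_PATH", "IFS"}

# Allowlist approach: pass only names the wrapped program needs, nothing else.
ALLOWED = {"PATH", "LANG", "LC_ALL", "TZ", "HOME", "USER", "LOGNAME"}


def blocklist_filter(env: Dict[str, str]) -> Dict[str, str]:
    """Faulty pattern: any name not explicitly blocked gets through, including
    interpreter settings that were never on the list."""
    return {k: v for k, v in env.items() if k not in BLOCKED}


def allowlist_filter(env: Dict[str, str]) -> Dict[str, str]:
    """Keep only allowlisted names, and force a fixed PATH so the wrapped
    program never searches caller-controlled directories."""
    clean = {k: v for k, v in env.items() if k in ALLOWED}
    clean["PATH"] = "/usr/bin:/bin"
    return clean


def interpreter_vars(env: Dict[str, str]) -> Dict[str, str]:
    """Names that change how CPython behaves: every PYTHON* variable."""
    return {k: v for k, v in env.items() if k.startswith("PYTHON")}


# Constructed caller environment: harmless and interpreter-affecting names mixed.
SAMPLE_ENV = {
    "PATH": "/home/someuser/bin:/usr/bin:/bin",
    "LANG": "en_US.UTF-8",
    "HOME": "/home/someuser",
    "LD_PRELOAD": "/home/someuser/lib/x.so",
    "PYTHONPATH": "/home/someuser/modules",
    "PYTHONSTARTUP": "/home/someuser/startup.py",
}
```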

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
66.0.23
64.0.40
62.0.30
60.0.48
56.0.52

SEC-303

Summary

Arbitrary file overwrite via Roundcube SQLite schema update.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 2.8 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N

Description

During Roundcube SQLite schema updates, the SQLite database files were opened by root inside the user’s home directory. This could allow for arbitrary files to be created or overwritten on the system.
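The safer open pattern for this situation, as an added example and not cPanel's Roundcube update code: the privileged process opens the database file with O_NOFOLLOW so a symlink planted in the home directory is not followed, then checks the opened inode is a regular file owned by the expected user before writing anything; the self-check uses constructed files in a temporary directory. O_NOFOLLOW guards only the final path component, so parent directories can still be symlinks; the complete fix is to do the work as the user or walk the path with openat().

```python
# Added example, not cPanel's Roundcube update code: a privileged process opens
# a file inside a user's home without following a symlink on the final path
# component and refuses it unless it is a regular file owned by that user.
import os
import stat
import tempfile
from typing import Tuple


def open_user_file(path: str, owner_uid: int, mode: int = 0o600) -> int:
    """Open path read/write, creating it if absent, and return the fd only
    after the opened inode has been checked."""
    flags = os.O_RDWR | os.O_CREAT | os.O_NOFOLLOW | os.O_CLOEXEC
    try:
        fd = os.open(path, flags, mode)
    except OSError as exc:  # ELOOP: the final component was a symbolic link
        raise RuntimeError(f"refusing {path}: {exc}") from None
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode) or st.st_uid != owner_uid or st.st_nlink != 1:
        os.close(fd)
        raise RuntimeError(f"refusing {path}: not a private regular file of uid {owner_uid}")
    return fd


def self_check() -> Tuple[bool, bool]:
    """Constructed files: the user's own database opens; a planted symlink in
    the same directory is refused."""
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as home:
        real = os.path.join(home, "roundcube.sqlite")
        link = os.path.join(home, "planted.sqlite")
        fd = open_user_file(real, uid)
        opened = fd >= 0
        os.close(fd)
        os.symlink(real, link)
        try:
            os.close(open_user_file(link, uid))
            refused = False
        except RuntimeError:
            refused = True
    return opened, refused
```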

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
66.0.23
64.0.40
62.0.30
60.0.48
56.0.52

For the PGP-Signed version of this announcement please see: https://news.cpanel.com/wp-content/uploads/2017/09/TSR-2017-0005.disclosure.signed.txt