cPanel TSR-2018-0004 Full Disclosure

SEC-367

Summary

Stored-XSS in WHM File Restoration interface.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.6 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Description

Filenames containing AngularJS markup were interpolated into angular-growl format strings. These format strings were then interpolated a second time before being used in growl notifications. This allowed cPanel users to insert XSS payloads into the WHM File Restoration interface.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
72.0.10
70.0.53

SEC-416

Summary

Apache configuration injection due to document root variable interpolation.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 5.3 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

Description

Subdomain document root paths were allowed with Apache variable interpolation syntax. Under some conditions, malicious cPanel users could misuse this behavior to inject arbitrary Apache directives into the web server’s configuration.
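
The defensive counterpart to this finding is to treat a user-supplied document root as an opaque path rather than as a fragment of configuration. The following is an added example, not cPanel's code: it restricts the value to path characters (which excludes Apache's `${VAR}` interpolation syntax and newlines), normalizes it, and checks that it stays inside the account's home directory before it is rendered into a `DocumentRoot` directive. The function names and the strictness of the allow-list are choices made for this example.

```python
import posixpath
import re

# Added example, not cPanel's code: validate a user-supplied subdomain document
# root before it is written into an Apache virtual host. Apache expands ${VAR}
# references inside configuration values and a newline ends a directive, so a
# docroot must be reduced to a plain path before it touches httpd.conf.
# validate_docroot, docroot_is_accepted and render_document_root are names
# chosen for this example; the allow-list is deliberately strict.

# Only path characters: this excludes '$', '{', '}', quotes, whitespace and
# control characters, none of which belong in a document root.
_DOCROOT_CHARS = re.compile(r"[A-Za-z0-9._/-]+")


def validate_docroot(home: str, docroot: str) -> str:
    """Return the normalized absolute document root, or raise ValueError.

    `home` is the account's home directory; `docroot` is the value the user
    entered, either relative to `home` or absolute.
    """
    if not _DOCROOT_CHARS.fullmatch(docroot):
        raise ValueError("document root contains disallowed characters")
    candidate = docroot if docroot.startswith("/") else posixpath.join(home, docroot)
    normalized = posixpath.normpath(candidate)
    # normpath has resolved any "..", so a path that escaped the home
    # directory no longer carries the home prefix. The trailing slash keeps
    # a bare prefix test from accepting "/home/alicex" for "/home/alice".
    home = posixpath.normpath(home)
    if normalized != home and not normalized.startswith(home + "/"):
        raise ValueError("document root must stay inside the account home")
    return normalized


def docroot_is_accepted(home: str, docroot: str) -> bool:
    """True when `docroot` passes validation, False otherwise."""
    try:
        validate_docroot(home, docroot)
    except ValueError:
        return False
    return True


def render_document_root(home: str, docroot: str) -> str:
    """Emit the DocumentRoot directive for the vhost from the validated path."""
    return 'DocumentRoot "%s"' % validate_docroot(home, docroot)
```

The allow-list does the real work: once `$`, braces, quotes and control characters cannot appear, nothing in the value can be interpreted by httpd as anything other than a path. The containment check is independent of that and guards against the separate problem of pointing a subdomain outside the account.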

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
72.0.10
70.0.53

SEC-418

Summary

Insecure storage of phpMyAdmin session files.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.2 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

Description

Due to a misconfiguration of phpMyAdmin’s php.ini file, the /tmp directory was used for session file storage. Local attackers could misuse this behavior to execute arbitrary code as the shared cpanelphpmyadmin user.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
72.0.10
70.0.53

SEC-420

Summary

SQL injection during database backups.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Description

The cPanel backup process creates temporary data as part of backing up a database. The format of this data could be manipulated through the names of the databases being backed up. This allowed an attacker to execute arbitrary SQL commands with the root account’s MySQL permissions.
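
A database name is an SQL identifier, not a string literal, so it cannot be bound as a query parameter; it has to be quoted as an identifier and, ideally, checked against the names the server itself reports. The following is an added example, not cPanel's code, showing the splice-the-name-in anti-pattern next to MySQL identifier quoting (backticks, with embedded backticks doubled). The function names and the sample `SHOW DATABASES` output are constructed for this example.

```python
# Added example, not cPanel's code: a backup routine has to name the database
# it dumps inside SQL text. Because the name is an identifier, it cannot be
# passed as a bound parameter the way a string literal can; it has to be quoted
# as a MySQL identifier and, better still, checked against the list of names
# the server returned. quote_identifier, unsafe_statement, safe_statement and
# names_to_back_up are names chosen for this example.

# MySQL identifiers are at most 64 characters and may not contain NUL.
_MAX_IDENTIFIER = 64


def quote_identifier(name: str) -> str:
    """Quote `name` as a MySQL identifier: wp_prod -> `wp_prod`, odd`name -> `odd``name`."""
    if not name or len(name) > _MAX_IDENTIFIER:
        raise ValueError("identifier length out of range")
    if "\0" in name:
        raise ValueError("identifier contains NUL")
    return "`" + name.replace("`", "``") + "`"


def unsafe_statement(db_name: str) -> str:
    """The anti-pattern: the raw name is spliced into the statement text, so a
    backtick inside the name closes the quoting early and the rest of the name
    is parsed as SQL."""
    return "SHOW TABLES FROM `%s`" % db_name


def safe_statement(db_name: str) -> str:
    """Same statement with the identifier quoted; the name stays one token."""
    return "SHOW TABLES FROM " + quote_identifier(db_name)


def names_to_back_up(requested, show_databases_rows):
    """Keep only requested names that appear verbatim in SHOW DATABASES output.

    `show_databases_rows` is the list of names the server returned (constructed
    in the test); a name that is not on it never reaches a statement at all.
    """
    known = set(show_databases_rows)
    return [name for name in requested if name in known]
```

Quoting alone is enough to keep the identifier a single token; the allow-list against the server's own listing is the belt-and-braces step that also catches names that never existed.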

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
72.0.10
70.0.53

SEC-424

Summary

File modification as root via faulty HTTP authentication.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

Description

When logging in via HTTP Basic Authentication, the REMOTE_USER environment variable is set from the username. By inserting null characters into the username, it was possible to truncate the environment variable when it is passed to subprocesses. This allowed local attackers to modify files as the root user.
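
Because C environment strings are NUL-terminated, a value that carries an embedded NUL into a child process is silently cut at that byte. The following is an added example, not cPanel's code: a validator that rejects NUL and other control characters in a username before it is placed in `REMOTE_USER`, plus a small probe showing that CPython itself refuses to export such a value rather than truncating it. The function names are chosen for this example.

```python
import os

# Added example, not cPanel's code: a username that is handed to subprocesses
# through an environment variable must be checked before it is stored. C
# environment strings are NUL-terminated, so everything after an embedded NUL
# is lost when the variable crosses into a child process. CPython's os.environ
# refuses such values outright; the validator below rejects them earlier, along
# with other control characters. Names below are chosen for this example.


def validate_remote_user(username: str) -> str:
    """Return `username` if it is safe to place in REMOTE_USER, else raise."""
    if not username:
        raise ValueError("empty username")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in username):
        raise ValueError("username contains control characters")
    return username


def remote_user_is_accepted(username: str) -> bool:
    """True when the username passes validation, False otherwise."""
    try:
        validate_remote_user(username)
    except ValueError:
        return False
    return True


def child_environment(username: str) -> dict:
    """Build the environment a subprocess would receive, with REMOTE_USER set
    only from a validated value."""
    env = dict(os.environ)
    env["REMOTE_USER"] = validate_remote_user(username)
    return env


def runtime_refuses_nul(value: str) -> bool:
    """Last line of defense: CPython raises ValueError when asked to export a
    string with an embedded NUL, instead of silently truncating it."""
    try:
        os.environ["REMOTE_USER_PROBE"] = value
    except ValueError:
        return True
    del os.environ["REMOTE_USER_PROBE"]
    return False
```

The runtime check is a property of CPython, not of C: a program that calls `setenv(3)` directly gets the truncated string with no error, which is why the explicit validation belongs at the point where the username is first accepted.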

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
72.0.10
70.0.53

SEC-425

Summary

Limited file read via password file caching.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 2.8 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

Description

When logging in as a webmail user, cpsrvd reads the password and cache files located in the user’s home directory as root. It was possible to cause this to read arbitrary files on the system and write back a limited amount of data to the user’s home directory.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
72.0.10
70.0.53

SEC-426

Summary

Arbitrary zonefile modifications allowed during record edits.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Description

The types of DNS zone records that a cPanel user may add, delete, or edit are limited by the feature settings for the account. During zonefile edits, the new type of an edited record was not validated as a permitted record type for the user. This allowed cPanel users with the “changemx”, “simplezoneedit”, or “zoneedit” features to make arbitrary changes to zone files.
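
An edit changes a record from one type to another, so authorization has to cover both the type the record has now and the type it will have afterwards. The following is an added example, not cPanel's code, of that two-sided check. The three feature names come from the advisory; the mapping from features to record types is an assumption made for this example and is not cPanel's actual policy.

```python
# Added example, not cPanel's code: when a zone record is edited, the
# authorization check has to cover the type the record will have after the
# edit, not only the type it has now. The feature-to-type table below is an
# assumption made for this example and is not cPanel's actual policy; the
# three feature names come from the advisory.

FEATURE_RECORD_TYPES = {
    "changemx": {"MX"},
    "simplezoneedit": {"A", "CNAME"},
    "zoneedit": {"A", "AAAA", "CNAME", "MX", "TXT", "SRV", "CAA"},
}


def permitted_types(features):
    """Union of record types the account's features allow it to touch."""
    allowed = set()
    for feature in features:
        allowed |= FEATURE_RECORD_TYPES.get(feature, set())
    return allowed


def authorize_record_edit(features, current_type, new_type):
    """Raise PermissionError unless both the existing and the resulting record
    types are permitted; return the normalized new type otherwise."""
    allowed = permitted_types(features)
    current_type = current_type.upper()
    new_type = new_type.upper()
    if current_type not in allowed:
        raise PermissionError("not allowed to edit %s records" % current_type)
    # The check that was missing: without it, an edit could turn a permitted
    # record into one of a type the account is not allowed to manage.
    if new_type not in allowed:
        raise PermissionError("not allowed to create %s records" % new_type)
    return new_type


def edit_is_authorized(features, current_type, new_type):
    """True when the edit passes both checks, False otherwise."""
    try:
        authorize_record_edit(features, current_type, new_type)
    except PermissionError:
        return False
    return True
```

The same rule generalizes to any field that feeds authorization: validate the state after the change, not only the state before it.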

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
72.0.10
70.0.53

SEC-436

Summary

Arbitrary file read during File Restoration.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 5.9 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

Description

When using the “File Restoration” feature on an incremental backup, it incorrectly translated tar escape sequences in filenames. This allowed an attacker to read arbitrary files on the system as root.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
72.0.10
70.0.53

SEC-439

Summary

Arbitrary zonefile modifications due to faulty CAA record handling.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Description

cPanel accounts with the “zoneedit” feature are allowed to create and modify CAA DNS records. The validator for new CAA records allowed several types of injections that would split a single CAA record entry into multiple DNS records with arbitrary content.
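
A CAA record has three fields (flags, tag, value; RFC 8659), and each needs its own validation before the record is written in zone-file presentation format. The following is an added example, not cPanel's code: it bounds the flags, restricts the tag to its alphanumeric syntax, limits the value to printable ASCII (so no line break can start a second record) and escapes the value for the quoted character-string, so that one submitted record can only ever become one record on disk. The function names are chosen for this example.

```python
import re

# Added example, not cPanel's code: validate the three CAA fields separately
# and escape the value for zone-file presentation, so that one submitted
# record can only ever become one resource record. Function names are chosen
# for this example.

_OWNER = re.compile(r"[A-Za-z0-9_.-]+")     # hostname characters only, no whitespace
_TAG = re.compile(r"[A-Za-z0-9]{1,15}")      # RFC 8659 tag syntax


def validate_caa(flags, tag, value):
    """Return (flags, tag, value) normalized, or raise ValueError."""
    flags = int(flags)
    if not 0 <= flags <= 255:
        raise ValueError("flags must be 0..255")
    if not _TAG.fullmatch(tag):
        raise ValueError("tag must be 1-15 alphanumeric characters")
    # Reject anything outside printable ASCII: a newline or carriage return
    # would start a new zone-file line, i.e. a second record.
    if not value or any(not 0x20 <= ord(ch) <= 0x7E for ch in value):
        raise ValueError("value must be printable ASCII")
    return flags, tag.lower(), value


def caa_is_valid(flags, tag, value):
    """True when the three fields pass validation, False otherwise."""
    try:
        validate_caa(flags, tag, value)
    except ValueError:
        return False
    return True


def escape_presentation_value(value):
    """Escape a value for a quoted zone-file character-string: backslash and
    double quote are the two characters that could otherwise end the string
    early."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def format_caa_rr(owner, ttl, flags, tag, value):
    """Render one CAA resource record in zone-file presentation format."""
    if not _OWNER.fullmatch(owner):
        raise ValueError("owner name contains disallowed characters")
    ttl = int(ttl)
    if ttl < 0:
        raise ValueError("ttl must not be negative")
    flags, tag, value = validate_caa(flags, tag, value)
    return '%s %d IN CAA %d %s "%s"' % (
        owner, ttl, flags, tag, escape_presentation_value(value))
```

Note that `;` is allowed inside the value: it is legal CAA syntax (parameters after the issuer name) and, inside the quoted string, is not a zone-file comment. The fields that can break a line or close the quotes are the ones the validator and the escaper address.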

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
72.0.10
70.0.53

SEC-442

Summary

File rename vulnerability during account renames.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 3.2 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N

Description

While renaming cPanel accounts, the security policy data files stored in the user’s home directory were renamed with root permissions. This allowed malicious resellers with the Account Modification privilege to rename arbitrary files on the system.

Credits

This issue was discovered by rack911labs.com.

Solution

This issue is resolved in the following builds:
72.0.10
70.0.53

SEC-443

Summary

Website contents accessible to local attackers through git repos.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 2.9 CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

The Git Version Control functionality in cPanel relied on the git binary to create the directories for git repos. The git binary created these directories with very open (0755) permissions, allowing other accounts on the system to examine the contents of the files in the repo. This functionality has been changed to create repo directories with 0700 permissions if the directory does not already exist.
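
The fix described above has one subtlety worth showing: the mode passed to `mkdir` is masked by the process umask, so a following `chmod` is what actually guarantees 0700. The following is an added example, not cPanel's code: it creates a repository directory with 0700, leaves an existing directory untouched, and includes a small audit helper that lists directories under a base path whose mode still grants group or other access. The scenario in `demo()` is constructed under a temporary directory; the function names are chosen for this example.

```python
import os
import stat
import tempfile

# Added example, not cPanel's code: create a repository directory with 0700 and
# leave an existing directory's mode alone, which is the behaviour the advisory
# describes. The mode argument to mkdir is masked by the process umask, so the
# chmod afterwards is what actually guarantees 0700. Names are chosen here.


def create_repo_dir(path: str) -> bool:
    """Create `path` with mode 0700; return True if created, False if it
    already existed (in which case it is not touched)."""
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        return False
    os.chmod(path, 0o700)   # not subject to umask, unlike mkdir's mode
    return True


def dir_mode(path: str) -> int:
    """Permission bits of `path` as an int, e.g. 0o700."""
    return stat.S_IMODE(os.stat(path).st_mode)


def world_readable_dirs(base: str):
    """Audit helper: list directories under `base` whose mode grants any
    access to group or other, i.e. the state the advisory describes."""
    found = []
    for root, dirs, _files in os.walk(base):
        for name in dirs:
            path = os.path.join(root, name)
            if dir_mode(path) & (stat.S_IRWXG | stat.S_IRWXO):
                found.append(path)
    return sorted(found)


def demo() -> tuple:
    """Constructed scenario under a temporary directory with umask 022: one
    directory made the permissive way (0755, as git produced it) and one made
    with create_repo_dir (0700). Returns the observed modes and outcomes."""
    base = tempfile.mkdtemp()
    loose = os.path.join(base, "loose.git")
    tight = os.path.join(base, "tight.git")
    old_umask = os.umask(0o022)
    try:
        os.mkdir(loose, 0o755)
        created = create_repo_dir(tight)
        created_again = create_repo_dir(tight)
    finally:
        os.umask(old_umask)
    return (dir_mode(loose), dir_mode(tight), created, created_again,
            world_readable_dirs(base) == [loose])
```

On a server where repositories were created before the fix, the audit helper is the part a practitioner would actually run: the fix only applies to directories that do not yet exist, so older ones keep whatever mode they were created with.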

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
72.0.10

For the PGP-Signed version of this announcement please see: https://news.cpanel.com/wp-content/uploads/2018/07/TSR-2018-0004.disclosure.signed.txt