cPanel TSR-2016-0002 Full Disclosure

SEC-31

Summary
Daemons can access their controlling TTY.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)

Description
Daemonized code is not fully detached from its parent process. This allows an attacker to control a TTY they do not own.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2

SEC-75

Summary
scripts/addpop discloses password in process list.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)

Description
The addpop and cpanel-email.pl scripts both expose passwords to other users via the process list when using the '--password' flag. This behavior can be prevented by not using the '--password' flag and entering the password during the execution of the script.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2

SEC-88

Summary
Self XSS Vulnerability in X3 Reseller Branding Images.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

Description
The branding package name was not adequately encoded when used to generate a path to branded images. An attacker was able to take advantage of this to inject arbitrary code into the rendered pages.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2

SEC-89

Summary
MakeText interpolation allows arbitrary code execution as root.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)

Description
Before a reseller's branding configuration was processed, an incomplete user switch was performed that allowed a switch back to the root user. When combined with a specifically crafted MakeText interpolated string, arbitrary code could be run as the root user.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2

SEC-90

Summary
Unauthenticated arbitrary code execution via DNS NS entry poisoning.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)

Description
Under some configurations, the server fetched DNS nameserver settings from remote DNS servers when a domain alias was created. The retrieved nameserver records were used in an insecure manner, which allowed arbitrary code execution as root during the domain alias creation process.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2

SEC-92

Summary
Bypass Security Policy by faking static documents.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.6 (AV:N/AC:H/Au:S/C:P/I:P/A:N)

Description
It was possible to bypass any security policy by ending a request in a static document extension type. Static document requests are now checked to be valid before the document request is passed through.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2

SEC-93

Summary
Bypass Two Factor Authentication with DNS clustering requests.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)

Description
In certain environments it was possible to bypass two factor authentication by using connections established by a DNS cluster request. Now, when a connection performs a DNS cluster request, only DNS cluster requests are allowed on that connection.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2

SEC-96

Summary
Self-Stored-XSS in WHM Edit System Mail Preferences.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

Description
A forwarding email address set to a piped value via the API command was not escaped when displayed in WHM. This value is now escaped properly.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.54.0.20
11.52.4.1

SEC-97

Summary
Arbitrary code execution via unsafe @INC path.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C)

Description
Several Perl scripts that are unlikely to be executed directly on cPanel & WHM systems were missed during the initial implementation of global @INC filtering in TSR-2016-0001.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2

SEC-99

Summary
Arbitrary file read due to multipart form processing error.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 6.3 (AV:N/AC:M/Au:S/C:C/I:N/A:N)

Description
The Cpanel::Form::parseform() function was found to mishandle multipart data fields in a way that allowed arbitrary files to be read in several WHM interfaces.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2

SEC-100

Summary
ACL bypass for AppConfig applications via magic_revision.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.9 (AV:N/AC:M/Au:S/C:P/I:P/A:N)

Description
The magic_revision component of a URL was not properly accounted for when determining whether a particular URL belongs to an AppConfig registered application. Because of this, it was possible to bypass the ACLs required to run the application.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2

SEC-101

Summary
Force two factor auth check when possessing another account.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)

Description
A high privileged reseller could bypass the two factor authentication security policy by possessing another account. Users now need to enter their own two factor authentication token when logging in by possessing an account.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.54.0.20

SEC-102

Summary
FTP cPHulk bypass via account name munging.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

Description
The pureauth script used by PureFTPD performs some munging of the FTP username before verifying the password. The username provided to cPHulkd is set before this munging occurs. When authenticating via FTP, cPHulkd therefore does not treat usernames that differ only in junk characters as the same user across login attempts. Because of this, the login limit is never reached and a block is never put into place.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2

SEC-104

Summary
Username based blocking broken for PRE requests in cPHulkd.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Description
The cPHulk daemon no longer signaled a failure when a username was blocked during a PRE action: if the IP address was not blocked, a success message was sent unconditionally.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2

SEC-105

Summary
Account suspension bypass via FTP.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 6 (AV:N/AC:M/Au:S/C:P/I:P/A:P)

Description
Certain accounts that are considered system-wide accounts could be added as FTP accounts via the API, and these were able to bypass the suspension of the owning account. Hardening the account check now prevents the bypass of account suspension.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2

SEC-107

Summary
POP/IMAP cPHulk bypass via account name munging.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

Description
The cPanel email authentication performs some munging of the mail username before verifying the password. The username provided to cPHulkd is set before this munging occurs. When authenticating via mail, cPHulkd therefore does not treat usernames that differ only in junk characters as the same user across login attempts. Because of this, the login limit is never reached and a block is never put into place.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2

SEC-108

Summary
Arbitrary file read when authenticating with caldav.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)

Description
It was possible to send specially crafted authentication credentials to the caldav port that would allow an attacker to read certain parts of the targeted file.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2
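The class of bug behind SEC-92 (a request treated as a static document, and so exempt from the security policy, purely because of its suffix) next to the validated form the advisory describes, as an added example that is not cPanel's code. The extension list, document root and request paths are constructed for the illustration; the containment check against the document root is a standard addition, not something the advisory states.

```python
import os
import tempfile

STATIC_EXTENSIONS = {".css", ".js", ".png", ".gif", ".jpg"}  # constructed list


def is_static_by_suffix(request_path):
    # Vulnerable shape described under SEC-92: the request is classed as a
    # static document, and skips the security policy, on its suffix alone.
    return os.path.splitext(request_path)[1].lower() in STATIC_EXTENSIONS


def is_static_validated(request_path, docroot):
    # Hardened shape: the suffix is not trusted; the path must resolve to an
    # existing regular file inside docroot before it may bypass the policy.
    if not is_static_by_suffix(request_path):
        return False
    root = os.path.realpath(docroot)
    full = os.path.realpath(os.path.join(root, request_path.lstrip("/")))
    return full.startswith(root + os.sep) and os.path.isfile(full)


def classify(requests, docroot):
    # Returns {path: (suffix_says_static, validated_static)} per request.
    return {p: (is_static_by_suffix(p), is_static_validated(p, docroot))
            for p in requests}


def demo():
    # Constructed document root holding one real stylesheet; every other
    # request is an application endpoint wearing a static-looking suffix.
    with tempfile.TemporaryDirectory() as docroot:
        with open(os.path.join(docroot, "style.css"), "w") as fh:
            fh.write("body { margin: 0 }\n")
        return classify([
            "/style.css",                    # genuine static document
            "/scripts/manage_accounts.css",  # no such file: must hit policy
            "/../outside.css",               # escapes docroot: must hit policy
        ], docroot)


if __name__ == "__main__":
    for path, (by_suffix, validated) in demo().items():
        print(f"{path}: suffix={by_suffix} validated={validated}")
```

Only the request that maps to a real file under the document root keeps its exemption; the other two fall through to the security policy.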
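A brute-force counter in the shape the SEC-102, SEC-104 and SEC-107 descriptions imply, as an added example that is not cPHulk's code. Keying failures on the raw (pre-munging) name lets each attempt with different junk characters count as a new user, while keying on the canonical name reaches the limit; the PRE check then shows the SEC-104 bug, where a clean IP yields success even though the user is blocked. The `canonical_user` normalisation, the thresholds and the attempt list are constructed assumptions, not cPanel's actual munging rules.

```python
import re
from collections import defaultdict

MAX_FAILURES = 5  # constructed threshold, not cPHulk's configured value


def canonical_user(raw):
    # Assumed stand-in for the munging the advisory describes: lower-case
    # and drop characters outside a plausible login-name alphabet.
    return re.sub(r"[^a-z0-9._@-]", "", raw.lower())


class FailedLoginTracker:
    def __init__(self, key_user):
        self.key_user = key_user            # how usernames are keyed
        self.failures = defaultdict(int)
        self.blocked_users = set()
        self.blocked_ips = set()

    def record_failure(self, ip, raw_user):
        user = self.key_user(raw_user)
        self.failures[("user", user)] += 1
        self.failures[("ip", ip)] += 1
        if self.failures[("user", user)] >= MAX_FAILURES:
            self.blocked_users.add(user)
        if self.failures[("ip", ip)] >= 3 * MAX_FAILURES:
            self.blocked_ips.add(ip)

    def pre_check_broken(self, ip, raw_user):
        # SEC-104 shape: a username block is never signalled; success
        # is returned whenever the IP itself is not blocked.
        return ip not in self.blocked_ips

    def pre_check(self, ip, raw_user):
        # Fixed PRE action: fail if either the IP or the canonical user is blocked.
        return (ip not in self.blocked_ips
                and self.key_user(raw_user) not in self.blocked_users)


def simulate(tracker, attempts):
    # Replay failed logins, then report (fixed, broken) PRE results for the plain name.
    for ip, user in attempts:
        tracker.record_failure(ip, user)
    return tracker.pre_check("203.0.113.9", "alice"), tracker.pre_check_broken("203.0.113.9", "alice")


# Constructed: one account, same source IP, a different junk suffix each time.
ATTEMPTS = [("203.0.113.9", "alice" + "!" * n) for n in range(MAX_FAILURES)]

if __name__ == "__main__":
    print(simulate(FailedLoginTracker(lambda u: u), ATTEMPTS))   # raw key: (True, True)
    print(simulate(FailedLoginTracker(canonical_user), ATTEMPTS))  # canonical key: (False, True)
```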