TSR-2013-0009 Detailed Disclosure

The following disclosure covers Targeted Security Release TSR-2013-0009, which was published on August 27th, 2013.

Each vulnerability is assigned an internal case number which is reflected below.
Information regarding the cPanel Security Level rankings can be found here:
http://go.cpanel.net/securitylevels

Case 73377

Summary
An account’s cpmove archives were world-readable in the /home directory with 644 permissions during packaging.

Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.

Description
The cPanel and WHM account transfer process created a temporary cpmove
archive in the /home directory with 644 permissions. This allowed a local
attacker to read the private contents of another user’s home directory
and configuration settings while the transfer operation was in progress.
The world-readable cpmove file was left accessible for a longer period
of time when the account transfer process failed and required manual intervention.
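
The two checks a practitioner would want for this class of issue, as an added example that is not cPanel's own transfer code: a scan that flags any cpmove archive in a home directory with the "other read" bit set, and a creation routine that opens the archive 0600 from the first byte (O_CREAT|O_EXCL also refuses to reuse a pre-existing path, such as a symlink an attacker planted during a failed transfer). The "cpmove-" name prefix and the /home location come from the advisory; the helper names and the sample files are constructed for the example.

```python
import os
import stat
import tempfile

# Added example, not cPanel's code. The archive name prefix and the /home
# location follow the advisory; everything else is illustrative.

def world_readable_archives(home_dir, prefix="cpmove-"):
    """Return (name, mode) for archives under home_dir readable by 'other'."""
    found = []
    with os.scandir(home_dir) as entries:
        for entry in entries:
            if not entry.name.startswith(prefix):
                continue
            st = os.lstat(entry.path)          # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & stat.S_IROTH:
                found.append((entry.name, oct(stat.S_IMODE(st.st_mode))))
    return sorted(found)

def create_private_archive(path, data):
    """Create the archive with mode 0600 at creation time rather than
    chmod'ing it afterwards, so there is no window in which it is 0644.
    O_EXCL fails if anything (file or symlink) already exists at path."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return stat.S_IMODE(os.lstat(path).st_mode)

def demo():
    """Constructed scenario: one archive written the pre-fix way (0644),
    one written with create_private_archive."""
    with tempfile.TemporaryDirectory() as home:
        leaky = os.path.join(home, "cpmove-alice.tar.gz")
        with open(leaky, "wb") as fh:
            fh.write(b"constructed sample archive\n")
        os.chmod(leaky, 0o644)               # mimics the pre-fix behaviour
        fixed_mode = create_private_archive(
            os.path.join(home, "cpmove-bob.tar.gz"),
            b"constructed sample archive\n")
        return {
            "leaky": world_readable_archives(home),
            "fixed_mode": fixed_mode,
        }

if __name__ == "__main__":
    print(demo())
```

The scan is also a useful post-incident check on a server that ran an affected build: any leftover cpmove archive in /home with the other-read bit set was exposed to every local account for as long as it sat there.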

Credits
This issue was reported by Rack911.com.

Solution
This issue is resolved in the following builds:
* 11.39.0.15 & Greater
* 11.38.2.6 & Greater
* 11.36.2.3 & Greater
* 11.34.2.4 & Greater
* 11.32.7.3 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Case 73581

Summary
The improper sanitization of user input when adding an Addon Domain could allow a local DoS of the web server.

Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.

Description
While creating a new Addon domain, a cPanel user account could specify a
DocumentRoot for the new addon that would be misinterpreted by Apache as
a nonsensical httpd.conf directive. This vulnerability could be used by
a malicious local attacker to corrupt the global httpd.conf file and
make it impossible to restart the Apache web server.
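
To make the failure mode concrete, the following added example (not cPanel's code) renders a minimal Apache vhost block the way a template that trusts its input would, shows how a DocumentRoot containing a newline turns into a bogus directive that breaks the next restart, and then applies the kind of allow-list validation that closes the hole. The vhost template, the permitted character set and the rule that the DocumentRoot must normalize to a path under the account's home are assumptions for the illustration; the sample values are constructed.

```python
import os
import re

# Added example, not cPanel's code. Template, character set and the
# "must live under the account's home" rule are assumptions chosen to
# illustrate a user-supplied value interpolated verbatim into httpd.conf.

VHOST_TEMPLATE = (
    "<VirtualHost *:80>\n"
    "    ServerName {name}\n"
    "    DocumentRoot {docroot}\n"
    "</VirtualHost>\n"
)

def render_vhost_unsafe(name, docroot):
    """Pre-fix pattern: whatever the user typed lands in the config."""
    return VHOST_TEMPLATE.format(name=name, docroot=docroot)

SAFE_PATH = re.compile(r"/[A-Za-z0-9._/-]+")

def validate_docroot(docroot, home):
    """Return a normalized DocumentRoot or raise ValueError.
    Rejects whitespace and control characters (which would start a new
    token or a new line in httpd.conf), '..' components, and anything
    that normalizes to a location outside `home`."""
    if not SAFE_PATH.fullmatch(docroot):
        raise ValueError("DocumentRoot contains disallowed characters")
    if ".." in docroot.split("/"):
        raise ValueError("DocumentRoot must not contain '..'")
    normalized = os.path.normpath(docroot)
    home_norm = os.path.normpath(home)
    if normalized != home_norm and not normalized.startswith(home_norm + "/"):
        raise ValueError("DocumentRoot must be inside the account's home")
    return normalized

def render_vhost(name, docroot, home):
    """Hardened pattern. ServerName would need its own hostname check,
    omitted here to keep the example focused on DocumentRoot."""
    return VHOST_TEMPLATE.format(name=name,
                                 docroot=validate_docroot(docroot, home))

def directive_names(config):
    """Directive names in the order Apache would read them (skips blank
    lines, comments and section tags)."""
    names = []
    for line in config.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":
            continue
        names.append(line.split()[0])
    return names

def demo():
    home = "/home/alice"
    crafted = "/home/alice/public_html/addon\nNotADirective this breaks apachectl"
    unsafe = render_vhost_unsafe("addon.example", crafted)
    rejected = []
    for value in (crafted,
                  "/home/alice/public_html/a b",
                  "/home/alice/../bob/public_html",
                  "/etc/httpd"):
        try:
            validate_docroot(value, home)
        except ValueError:
            rejected.append(value)
    return {
        "unsafe_directives": directive_names(unsafe),
        "rejected_count": len(rejected),
        "accepted": validate_docroot("/home/alice/public_html/addon", home),
    }

if __name__ == "__main__":
    print(demo())
```

Because httpd.conf is a single global file, one bad directive from one account is enough to fail `apachectl configtest` and keep Apache down for every site on the box, which is why a cPanel-user-level flaw here rates as a server-wide denial of service.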

Credits
This issue was reported by Rack911.com.

Solution
This issue is resolved in the following builds:
* 11.39.0.15 & Greater
* 11.38.2.6 & Greater
* 11.36.2.3 & Greater
* 11.34.2.4 & Greater
* 11.32.7.3 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Case 73605

Summary
The account rearrange feature of WHM could be used in an unsafe way, potentially leading to a compromise of a system’s security.

Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.

Description
WHM resellers with the “Rearrange Accounts” ACL could change the
permissions on arbitrary file paths by moving accounts they
controlled into sensitive filesystem locations and then invoking other
automated systems, which assumed these locations were not under any user
account’s control. The “Rearrange Accounts” ACL is part of the “Super Privs” ACL group, which restricts access to WHM operations that may be used to bypass many normal Reseller access restrictions.

Credits
This issue was reported by Rack911.com.

Solution
This issue is resolved in the following builds:
* 11.39.0.15 & Greater
* 11.38.2.6 & Greater
* 11.36.2.3 & Greater
* 11.34.2.4 & Greater
* 11.32.7.3 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Case 73773

Summary
cPanel, WHM and Webmail session files contained plaintext passwords.

Security Rating
cPanel has not assigned a Security Level to this issue as we feel this is only a hardening measure.

Description
The session files in /var/cpanel/sessions contained plain text passwords for recently logged in users. The session files were correctly secured so that only the root account on the system could read their contents. We have added additional obfuscation of the plaintext passwords, so that any attacker who compromises the root account on the system will not have the ability to reconstruct the plaintext passwords from the session files.

Solution
This issue is resolved in the following builds:
* 11.39.0.15 & Greater
* 11.38.2.6 & Greater
* 11.36.2.3 & Greater
* 11.34.2.4 & Greater
* 11.32.7.3 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Case 74521

Summary
Resellers with the locale-edit ACL could overwrite any file on the system.

Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.

Description
Resellers that were able to install locale data from uploaded XML files could overwrite any file on the disk with data provided in the XML file. This could be used to gain privilege escalation to root.

Credits
This issue was reported by Rack911.com.

Solution
This issue is resolved in the following builds:
* 11.39.0.15 & Greater
* 11.38.2.6 & Greater
* 11.36.2.3 & Greater
* 11.34.2.4 & Greater
* 11.32.7.3 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Case 75569

Summary
The unsuspend function made changes to WebDAV user files that could be abused to unsuspend a suspended user on the system.

Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.

Description
The process of unsuspending a suspended account did not perform proper checks on the ownership and location of the virtual account password files. This flaw allowed a malicious reseller account with the “(Un)Suspend” ACL to unsuspend arbitrary accounts on the system.

Credits
This issue was reported by Rack911.com.

Solution
This issue is resolved in the following builds:
* 11.39.0.15 & Greater
* 11.38.2.6 & Greater
* 11.36.2.3 & Greater
* 11.34.2.4 & Greater
* 11.32.7.3 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Cases 68205, 71701, 71705, 71709, 71721, 71725, 71733, 75169, 75413, 75417, and 75605

Summary
Multiple vulnerabilities in the cPAddons Site Software subsystem.

Security Rating
cPanel has assigned a range of Security Levels to these vulnerabilities from Minor to Important.

Description
The cPAddons Site Software subsystem provides a suite of web application
software that individual cPanel user accounts may install into their
domains. The subsystem also provides interfaces in WHM where the root user
may configure the list of web applications that are available for
installation, configure which web applications require root’s approval
for installation, and perform the installation of moderated cPAddons.

This subsystem was vulnerable to a variety of attacks by malicious local
cPanel accounts and malicious WHM reseller accounts. The vulnerabilities
included flaws in the ACL enforcement logic of the WHM interfaces that
allowed non-root resellers to use the WHM interfaces and stored XSS
attacks that a cPanel account could conduct against the root user. The
moderated cPAddons install logic included further vulnerabilities that
would allow a malicious cPanel user to execute arbitrary code as any
other account on the system.

Credits
These issues were discovered by the cPanel Security Team.

Solution
These issues are resolved in the following builds:
* 11.39.0.15 & Greater
* 11.38.2.6 & Greater
* 11.36.2.3 & Greater
* 11.34.2.4 & Greater
* 11.32.7.3 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Case 71265

Summary
The autorespond.pl script was vulnerable to shell injection.

Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.

Description
The cPanel autorespond script is used by cPanel and Webmail accounts to
send vacation notices when the user is unavailable to answer their
email. An input sanitization flaw in this script allowed a malicious
local cPanel account to bypass other account restrictions, such
as jailshell, while executing arbitrary code.
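
The advisory does not describe the autorespond flaw itself, so the following added example (not cPanel's code) shows the general pattern behind "shell injection in a script that handles a user-supplied address": a command string built from the address and handed to /bin/sh, beside the argv-list form that passes the address as one literal argument, plus the allow-list check that should run before the value is used at all. `echo` stands in for the real mail-handling command, and the addresses are constructed.

```python
import re
import subprocess

# Added example, not cPanel's code. `echo` stands in for the real
# mail-handling command; the addresses below are constructed.

# Local part must start with an alphanumeric so a value such as "-n@..."
# cannot be read as an option by the command that receives it.
ADDR = re.compile(r"[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

def unsafe_invoke(addr):
    """Vulnerable pattern: a command string is built and handed to /bin/sh,
    so ';', '|', '$(...)' and friends inside addr become shell syntax."""
    result = subprocess.run("echo " + addr, shell=True,
                            capture_output=True, text=True)
    return result.stdout

def safe_invoke(addr):
    """Hardened pattern: argv list, no shell; addr is one literal argument
    no matter what characters it contains."""
    result = subprocess.run(["echo", addr], capture_output=True, text=True)
    return result.stdout

def validate_addr(addr):
    """Allow-list check applied before the address is used anywhere.
    Deliberately stricter than RFC 5322 (no quoted local parts, no
    whitespace), so some exotic but legal addresses are rejected."""
    if len(addr) > 254 or not ADDR.fullmatch(addr):
        raise ValueError("rejected address: %r" % addr)
    return addr

def demo():
    evil = "victim@example.com; echo INJECTED"
    try:
        validate_addr(evil)
        evil_passes = True
    except ValueError:
        evil_passes = False
    return {
        "unsafe_lines": unsafe_invoke(evil).splitlines(),
        "safe_lines": safe_invoke(evil).splitlines(),
        "evil_passes_validation": evil_passes,
        "good_passes_validation": validate_addr("victim@example.com") == "victim@example.com",
    }

if __name__ == "__main__":
    print(demo())
```

The argv list removes the shell from the picture, but it does not stop option injection (a value beginning with "-") or protect any later consumer that re-parses the string, which is why the validation step stays in even once the shell is gone. In the Perl the advisory concerns, the equivalent move is the list form of `system`/`exec` (or `open` with a list) instead of a single interpolated string.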

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
* 11.39.0.15 & Greater
* 11.38.2.6 & Greater
This issue was not introduced into the autorespond script until 11.38; 11.36 and earlier releases are not vulnerable.

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Cases 74609 and 75113

Summary
The NVData module lacked proper sanitization, which allowed overwrites of files and path traversal.

Security Rating
cPanel has assigned a Security Level of Minor to these vulnerabilities.

Description
The WHM interface uses an NVData subsystem to persistently store some
settings of the web interface. This subsystem did insufficient
validation of its inputs, allowing a malicious local reseller to corrupt
NVData files belonging to other users and read files outside of the NVData
subsystem. These flaws potentially allowed the reseller to change
ownership and permissions settings on arbitrary files.
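
Cases 74521 (locale XML data written to an arbitrary file), 75569 (password files modified without checking their ownership or location) and 74609/75113 (NVData path traversal) share one root cause: a file path or file identity derived from reseller input was trusted. The following added example, which is not cPanel's code and serves all three passages, shows the two checks that close that class of bug: confining a user-supplied relative path to a base directory (rejecting absolute paths, ".." components and symlinks that point out of the tree) and verifying, with lstat, that a file is a regular file owned by the expected uid before touching it. The directory layout, helper names and the NVData-style file name are constructed for the example.

```python
import os
import stat
import tempfile

# Added example, not cPanel's code. Directory layout, helper names and
# the sample file name are constructed; the checks are the general ones
# for "write only inside this directory" and "only act on a file the
# expected user really owns".

def resolve_within(base, relpath):
    """Return an absolute path for relpath inside base, or raise ValueError.
    Symlinks in the parent are resolved first so a planted link cannot
    redirect the write, and the final component must not be a symlink."""
    if os.path.isabs(relpath) or "\0" in relpath:
        raise ValueError("absolute path or NUL byte")
    if any(part in ("", ".", "..") for part in relpath.split("/")):
        raise ValueError("empty, '.' or '..' component")
    base_real = os.path.realpath(base)
    candidate = os.path.join(base_real, relpath)
    parent_real = os.path.realpath(os.path.dirname(candidate))
    if parent_real != base_real and not parent_real.startswith(base_real + os.sep):
        raise ValueError("path escapes base")
    target = os.path.join(parent_real, os.path.basename(candidate))
    if os.path.islink(target):
        raise ValueError("target is a symlink")
    return target

def owned_regular_file(path, expected_uid):
    """True only if path is a regular file (not a symlink, device, etc.)
    owned by expected_uid. lstat is used so a symlink is judged on its
    own, not on whatever it points to."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    return stat.S_ISREG(st.st_mode) and st.st_uid == expected_uid

def write_confined(base, relpath, data):
    """Write data to relpath under base, refusing to follow a symlink at
    the final component even if one appears between check and open."""
    target = resolve_within(base, relpath)
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target

def demo():
    """Constructed layout: base/ (the confined tree), outside/ (what an
    attacker wants to reach) and base/link -> outside/."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "nvdata")
        outside = os.path.join(root, "outside")
        os.mkdir(base)
        os.mkdir(outside)
        os.symlink(outside, os.path.join(base, "link"))
        rejected = []
        for rel in ("../outside/x", "/etc/passwd", "link/x", "a/../../x"):
            try:
                resolve_within(base, rel)
            except ValueError:
                rejected.append(rel)
        written = write_confined(base, "alice.nvdata", b"constructed\n")
        return {
            "rejected": rejected,
            "written_inside": os.path.dirname(written) == os.path.realpath(base),
            "owned": owned_regular_file(written, os.getuid()),
            "symlink_not_owned_file": owned_regular_file(os.path.join(base, "link"), os.getuid()),
        }

if __name__ == "__main__":
    print(demo())
```

For the unsuspend case the ownership check is the important half: before rewriting a virtual account's password file, confirm it sits in the expected location and that `owned_regular_file(path, uid_of_the_account_being_unsuspended)` holds, so a reseller cannot point the operation at another account's file. For the locale and NVData cases the path confinement is the important half, and it must be evaluated after symlink resolution, not on the string the reseller supplied.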

Credits
This issue was discovered by the cPanel Security Team.

Solution
These issues are resolved in the following builds:
* 11.39.0.15 & Greater
* 11.38.2.6 & Greater
* 11.36.2.3 & Greater
* 11.34.2.4 & Greater
* 11.32.7.3 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Our GPG key is available at: http://go.cpanel.net/gnupgkeys (ABD94DDF)

The cPanel Security Team can be contacted at: [email protected]
