Case 85329
Summary
Sensitive information disclosed via multiple log files.
Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.
Description
Several log files on cPanel & WHM systems were created with default world-readable permissions. These log files include both sensitive internal data such as stack traces and less sensitive information about the existence of other accounts and domains on the system.
Credits
This issue was discovered by Rack911.
Solution
This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23
Case 86337
Summary
Injection of arbitrary DNS zonefile contents via cPanel DNS zone editors.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
The cPanel interface provides restricted interfaces for modifying aspects of the DNS zones that belong to a cPanel account. A malicious cPanel account could use crafted inputs to the simple and advanced DNS zone editor interfaces to rewrite parts of the zone files that they are normally restricted from editing. With some inputs, this could disclose the contents of sensitive files on the system.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23
Case 86465
Summary
Insufficient ACL checks in WHM Modify Account interface.
Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.
Description
Within WHM’s “Modify Account” interface and the associated XML-API commands, several cPanel account settings could be altered by resellers holding only the “edit-account” ACL, whereas the dedicated interfaces for those settings require the more restrictive “all” ACL. In particular, an account could be switched between the new and legacy backup systems, which should be permitted only to the root user.
Credits
This issue was discovered by Rack911.
Solution
This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23
Case 87205
Summary
Open redirect vulnerability in FormMail-clone.
Security Rating
cPanel has assigned a Security Level of Minor to this vulnerability.
Description
cPanel &amp; WHM servers include a clone of the classic FormMail.pl script. This clone can redirect the browser after a successful form submission to a URL supplied in the browser’s request parameters. These redirects are now restricted to HTTP and HTTPS locations on the server itself.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23
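The following is an added illustration, not code from cPanel &amp; WHM (whose FormMail clone is Perl): a Python check of the kind that restricts a redirect target to HTTP(S) locations on the server, as the fix above describes. The host list and the accepted and refused cases are assumptions made for the example; they show the inputs a validator has to get right (scheme-relative and triple-slash forms, userinfo before an @, non-HTTP schemes, and header-splitting characters).

```python
import re
from urllib.parse import urlsplit

# Hostnames this server answers for (constructed for the example; a real
# deployment would take these from the vhost configuration).
SERVER_HOSTS = {"example.com", "www.example.com"}


def is_local_http_redirect(target: str, server_hosts=SERVER_HOSTS) -> bool:
    """Accept `target` only if it is an http(s) URL whose host is one of
    ours, or a site-relative path. Everything else is refused: other
    schemes, other hosts, scheme-relative "//host" forms, userinfo tricks,
    and control characters that could split the response header."""
    if not target or any(c in target for c in "\r\n\t\x00\\"):
        return False
    parts = urlsplit(target)
    if parts.scheme:
        # urlsplit lowercases the scheme; .hostname lowercases the host and
        # drops any userinfo, so "http://www.example.com@evil.example/" is
        # judged by "evil.example", not by what precedes the "@".
        if parts.scheme not in ("http", "https"):
            return False
        return parts.hostname in server_hosts
    # No scheme: allow a path that starts with exactly one "/". The raw
    # string is checked because "///evil.example" splits into an empty
    # netloc and the path "/evil.example", yet browsers treat it as a host.
    return re.match(r"/(?![/\\])", target) is not None
```

A server-local allow list is deliberately stricter than "any URL that looks like ours": matching on the parsed hostname rather than on a string prefix is what defeats www.example.com.evil.example and the userinfo form.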
Case 87873
Summary
Multiple format string vulnerabilities in Cpanel::API::Fileman.
Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.
Description
Error messages in Cpanel::API::Fileman were being generated using Locale::Maketext::maketext(). These errors were then added to a Cpanel::Result object using the error() method, which also performs maketext() interpolation on its inputs. With carefully crafted inputs, an authenticated attacker could utilize these format string flaws to execute arbitrary code using maketext() bracket notation.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
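The bug class above is double interpolation: text already rendered from a template is handed to a second routine that treats its input as a template. The following is an added illustration of that pattern and its fix, not cPanel code and not Locale::Maketext; it is a Python model in which str.format stands in for maketext() and a format field that reaches into the handle object stands in for a bracket-notation method call. The Result class, its api_token attribute and the file-removal handlers are assumptions made for the example.

```python
class Result:
    """Collects error messages for an API response. error() is an
    interpolating sink, in the spirit of Cpanel::Result->error(): it treats
    its first argument as a template. The handle object is exposed to the
    template, so a field such as "{handle.api_token}" can read its state."""

    def __init__(self):
        self.errors = []
        self.api_token = "tok-CONSTRUCTED-9f3a"  # state a template could reach

    def error(self, template, *args):
        self.errors.append(template.format(*args, handle=self))


def remove_file_vulnerable(result, filename):
    # First interpolation: a trusted template plus untrusted data becomes text.
    msg = "Could not remove file {}".format(filename)
    # Second interpolation: that text, which now carries the attacker's field
    # syntax, is passed to error() as the template. This is the pattern the
    # advisory describes for Cpanel::API::Fileman.
    result.error(msg)


def remove_file_fixed(result, filename):
    # The template is a literal; untrusted data only travels as an argument,
    # so any braces (or, in maketext, brackets) it contains are never parsed.
    result.error("Could not remove file {0}", filename)


def demo(filename):
    """Return (vulnerable message, fixed message) for one filename."""
    vuln, fixed = Result(), Result()
    remove_file_vulnerable(vuln, filename)
    remove_file_fixed(fixed, filename)
    return vuln.errors[0], fixed.errors[0]
```

Two properties of the vulnerable path are worth noting: the leak needs no privileges beyond the ability to choose the filename, and a filename containing a lone brace makes the second format() raise, so the flaw also shows up as otherwise inexplicable errors in the logs.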
Case 88577
Summary
Arbitrary file overwrite via trackupload parameter.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
The trackupload functionality in cPanel & WHM’s default POST parameter and QUERY_STRING processor module allows a log file to be written and queried while a file upload is occurring. In some contexts, an authenticated attacker could make cpsrvd create the trackupload log file inside the user’s home directory while running with the effective UID of root. By combining this with a symlinked trackupload log file target, any file on the system could be overwritten.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23
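The following is an added illustration, not cPanel code: a Python demonstration of why a privileged process must not create files by name inside a directory the user controls, and what a hardened open looks like. The directory layout, file names and contents are constructed for the example; the process is not actually root here, but the symlink is followed exactly the same way when it is.

```python
import os
import stat
import tempfile


def create_log_file(path, mode=0o600):
    """Create `path` as a brand-new regular file and return its descriptor.
    O_CREAT|O_EXCL fails if anything already exists there, a symlink
    included; O_NOFOLLOW additionally refuses a symlink at the last path
    component; fstat confirms that what was opened is a regular file."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, mode)
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode):
        os.close(fd)
        raise OSError(f"{path} is not a regular file")
    return fd


def demo():
    """Plant a symlink where the log would be written and compare a naive
    open() with create_log_file(). Returns (contents of the link target
    afterwards, whether the hardened open refused). All paths constructed."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "home")
        os.mkdir(home)
        # Stands in for any file the privileged writer is able to reach.
        target = os.path.join(tmp, "protected.conf")
        with open(target, "w") as f:
            f.write("original\n")
        link = os.path.join(home, "trackupload.log")
        os.symlink(target, link)  # the "user" plants this in their own home

        # Naive writer: follows the link and overwrites the target.
        with open(link, "w") as f:
            f.write("attacker-chosen content\n")
        with open(target) as f:
            clobbered = f.read()

        # Hardened writer: the existing symlink is refused, not followed.
        try:
            os.close(create_log_file(link))
            refused = False
        except OSError:
            refused = True
    return clobbered, refused
```

O_NOFOLLOW only covers the final path component; a symlinked directory higher up still redirects the write. The robust fix is the one the advisory implies: do not perform the write with root's effective UID at all, or open it relative to a directory descriptor obtained before any user-controlled component.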
Case 88793
Summary
External XML entity injection in WHM locale upload interface.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
The XML parser used by WHM for XLIFF and dumper-format XML locale file uploads allowed the processing of external XML entities. A reseller with the ‘locale-edit’ ACL could reference an arbitrary file on the system as an external entity in an XLIFF translation upload and retrieve the file’s contents by downloading the translation. External XML entity processing is now disabled throughout the translation system’s handling of XML files.
Credits
This issue was discovered by Prajith from NdimensionZ Solutions Pvt Ltd.
Solution
This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23
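The following is an added illustration, not cPanel code: the same external-entity disclosure reproduced with Python’s xml.sax, whose feature_external_ges switch is the equivalent of the parser setting the fix turns off. The XLIFF fragment, the file it references and its contents are constructed for the example; the point is that the only difference between the two parses is whether the parser is allowed to fetch SYSTEM entities.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import feature_external_ges


class _TextCollector(xml.sax.ContentHandler):
    """Gathers character data, i.e. what an exported translation would show."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, data):
        self.parts.append(data)


def parse_upload(xml_text: str, resolve_external_entities: bool) -> str:
    """Parse an uploaded document and return its text content. With
    resolve_external_entities=True the parser fetches SYSTEM entities (the
    vulnerable configuration); with False they expand to nothing."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.StringIO(xml_text))
    return "".join(collector.parts)


def demo():
    """Return (text from the vulnerable parse, text from the safe parse) for
    an upload whose target segment is an external entity naming a local file."""
    with tempfile.TemporaryDirectory() as tmp:
        # Stands in for any file readable by the process doing the parsing.
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w") as f:
            f.write("SECRET-CONSTRUCTED")
        upload = (
            '<?xml version="1.0"?>\n'
            f'<!DOCTYPE xliff [<!ENTITY xxe SYSTEM "file://{secret_path}">]>\n'
            '<xliff><file><body><trans-unit id="1">'
            '<source>Hello</source><target>&xxe;</target>'
            '</trans-unit></body></file></xliff>\n'
        )
        leaked = parse_upload(upload, resolve_external_entities=True)
        safe = parse_upload(upload, resolve_external_entities=False)
    return leaked, safe
```

Disabling external general entities is the minimum; a parser that accepts uploads should also refuse DOCTYPE declarations outright, since parameter entities and entity expansion (billion-laughs) are separate problems that the same switch does not address.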
Case 88961
Summary
Arbitrary code execution for ACL limited resellers via WHM Activate Remote Nameservers interface.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
Resellers with the ‘clustering’ ACL could send crafted parameters containing newlines to the WHM /cgi/activate_remote_nameservers.cgi script and inject unsanitized values into the DNS clustering credential storage system. These unsanitized parameters could include code injections that would run with root’s effective UID, or parameters intended to disclose root’s accesshash credentials to systems under the reseller’s control.
Credits
This issue was discovered by Rack911.
Solution
This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23
Case 89377
Summary
Arbitrary code execution for ACL limited resellers via WHM objcache.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
A flaw in the hostname input sanitization of WHM’s objcache functionality could be used by malicious resellers with limited ACLs to download Template Toolkit code of their choosing into the WHM objcache storage system. The malicious Template Toolkit code would subsequently execute with EUID 0 during the processing of WHM News.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23
Case 89733
Summary
Injection of arbitrary data into cpuser configuration files via wwwacct.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
The WHM /scripts5/wwwacct interface allowed arbitrary values to be set for the ‘owner’ parameter during new account creation by resellers with the ‘create-acct’ ACL. By supplying values with newlines, resellers could control all fields in the newly created account’s cpuser configuration file.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23
Case 89789
Summary
Arbitrary code execution for ACL limited resellers via batch API.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
The WHM XML-API allows multiple commands to be combined into one call via the ‘batch’ command. Some aspects of the execution environment of one command in a batch persisted into the execution of subsequent commands. By leveraging failures of a preceding command, a malicious authenticated reseller could execute arbitrary code as the root user in subsequent commands in the batch.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23
Case 90001
Summary
Sensitive information disclosed via update-analysis tarballs.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
The cPanel & WHM update-analysis system aggregates log files and system settings into a tarball that is sent to cPanel’s log processing servers. This opt-in service allows cPanel to detect trends in the errors that cPanel & WHM systems encounter. The tarballs generated by the update-analysis system are retained on the local file system, with 0644 permissions, inside a world-accessible directory and include copies of several sensitive log files. This allowed local users to view the sensitive data contained inside.
Credits
This issue was discovered by Rack911.
Solution
This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23
Case 90265
Summary
Open mail relay via injection of FormMail-clone parameters.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
cPanel & WHM servers include a clone of the classic FormMail.pl script. Incorrect filtering of the ‘subject’ parameter supplied to this script allowed arbitrary mail headers to be injected into the email message. This flaw bypassed any recipient restrictions and allowed FormMail-clone to be used as an open mail relay.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23
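Cases 86337, 88961, 89733 and this one share a single root cause: a value meant to fill one field of a line-oriented store (a zone file, the clustering credential store, a cpuser file, a mail header block) was written without rejecting embedded line breaks, so one value could terminate its record and start others. The following is an added illustration, not cPanel code: a Python model of the injection against a key=value file and against a mail header, with the one check that closes both. Field names, addresses and values are constructed for the example.

```python
import email
import re

_ONE_LINE = re.compile(r"\A[^\r\n\x00]*\Z")


def require_single_line(name, value):
    """Reject any value that could end the current record and begin another
    in a line-oriented store (config file, zone file, mail header)."""
    if not isinstance(value, str) or not _ONE_LINE.match(value):
        raise ValueError(f"{name}: must be one line without CR, LF or NUL")
    return value


# --- key=value configuration, one field per line (cpuser-style, constructed) ---

def write_kv_vulnerable(fields):
    return "".join(f"{k}={v}\n" for k, v in fields.items())


def write_kv_fixed(fields):
    for k, v in fields.items():
        require_single_line("key", k)
        require_single_line(k, v)
    return write_kv_vulnerable(fields)


def parse_kv(text):
    out = {}
    for line in text.splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            out[k] = v  # a later duplicate overrides an earlier one
    return out


# --- mail headers (the FormMail-clone 'subject' case) ---

def build_message_vulnerable(to, subject, body):
    return f"To: {to}\r\nSubject: {subject}\r\n\r\n{body}\r\n"


def build_message_fixed(to, subject, body):
    require_single_line("to", to)
    require_single_line("subject", subject)
    return build_message_vulnerable(to, subject, body)


def demo():
    """Feed newline-bearing input to both stores. Everything is constructed."""
    owner = "reseller1\nPLAN=unlimited"          # one value, two records
    cfg = parse_kv(write_kv_vulnerable({"USER": "bob", "OWNER": owner}))
    subject = "Contact form\r\nBcc: harvest@attacker.example"
    msg = email.message_from_string(
        build_message_vulnerable("owner@example.com", subject, "hello"))
    rejected = []
    for fn, args in ((write_kv_fixed, ({"USER": "bob", "OWNER": owner},)),
                     (build_message_fixed, ("owner@example.com", subject, "hello"))):
        try:
            fn(*args)
        except ValueError:
            rejected.append(fn.__name__)
    return {
        "injected_plan": cfg.get("PLAN"),  # field the caller never set
        "injected_bcc": msg["Bcc"],        # header the form never offered
        "rejected": rejected,
    }
```

Single-line is necessary but not sufficient for every store: a zone file has its own grammar (directives, parentheses, comments), so a value placed there must also be validated against the syntax of the specific field it fills, and a mail header value should additionally be encoded or folded by the mail library rather than concatenated.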
Case 91741
Summary
Arbitrary code execution via backup excludes.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
Entries in a user’s cpbackup-exclude.conf file are evaluated in an unsafe manner during the nightly account backup process. By carefully crafting these entries, a malicious local account could execute arbitrary code as the root user during nightly backups under some circumstances.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23
Case 92449
Summary
User .my.cnf files set to world readable during upcp.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
The script ‘/scripts/fixmysqlpasswordopt’ is run once by upcp during an upgrade from cPanel &amp; WHM version 11.38 to version 11.40. It was intended to convert users’ .my.cnf files to the format required by MySQL 5.5. During the conversion, the permissions on some users’ .my.cnf files could be changed to world-readable. In combination with other common attacks, this could disclose a user’s MySQL password to other accounts on the system.
Credits
This issue was discovered by Curtis Wood.
Solution
This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
Case 92489
Summary
SSH private key disclosure during key import process.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
When the ‘extract_public’ option is specified to the ‘importsshkey’ WHM XML-API call, the provided private key was written to a world-readable temporary file. This allowed any user on the system to read the uploaded key.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23
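Cases 85329, 90001, 92449 and this one are all the same failure: sensitive data landed on disk with a mode that grants read to every local account, either because the file was created under the default umask (0644) or because a later step loosened it. The following is an added illustration, not cPanel code: a Python audit that lists world-readable regular files under a directory, alongside a writer that creates a private file with the right mode from the outset. Paths, names and contents are constructed for the example.

```python
import os
import stat
import tempfile


def world_readable(root):
    """Yield regular files under `root` whose mode grants read to 'other'.
    lstat is used so a symlink is judged by its own mode, not its target's."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
                yield path


def write_private(data: bytes, dir=None) -> str:
    """Write `data` to a new file that is never readable by others, not even
    briefly: mkstemp creates with O_CREAT|O_EXCL and mode 0600 regardless
    of umask. Contrast open(path, "w"), which honours umask (usually 022,
    giving 0644) and then needs a chmod that leaves a window."""
    fd, path = tempfile.mkstemp(dir=dir)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return path


def demo():
    """Create one leaky file and one private file, then audit the directory.
    Returns (names the audit flagged, mode of the private file)."""
    with tempfile.TemporaryDirectory() as d:
        leaky = os.path.join(d, "update-analysis.tar.gz")
        with open(leaky, "wb") as f:
            f.write(b"constructed tarball contents")
        os.chmod(leaky, 0o644)  # the retained-with-0644 case, made explicit
        private = write_private(b"constructed private key material", dir=d)
        flagged = sorted(os.path.basename(p) for p in world_readable(d))
        private_mode = stat.S_IMODE(os.stat(private).st_mode)
    return flagged, private_mode
```

The audit is deliberately conservative: a 0644 file inside a 0700 directory is not reachable by other users in practice, but it is still flagged, because the next directory-permission change (or a copy into a world-accessible tarball, as in Case 90001) exposes it. Creating the file with the correct mode is the fix; auditing is the check that the fix held.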
Case 94201
Summary
Insufficient validation allows password reset of arbitrary users.
Security Rating
cPanel has assigned a Security Level of Critical to this vulnerability.
Description
cPanel & WHM systems contain optional functionality that allows cPanel accounts to reset their passwords from the cPanel login screen. When a user requests a password reset in this fashion, an email is sent to the user’s configured email address. The user must then navigate to a URL provided in the email to perform the password reset. A flaw in the validation of the ‘user’ parameter to the password reset interface allowed unauthenticated remote attackers to reset an account’s password and cause the reset email to be delivered to an email address of the attacker’s choosing.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23
Multiple Cases (30)
Summary
Multiple XSS vulnerabilities in various interfaces.
Description
Output filtering errors in several different interfaces allowed JavaScript inputs to be returned to the browser without proper filtering. The affected interfaces are listed below.
Case: 88465
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /scripts9/upload_locale
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Ernesto Martin
Case: 88469
Security Rating: Minor
XSS Type: Self-stored
Interface: WHM
URLs: /scripts/backupconfig
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Ernesto Martin
Case: 88473
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /fetchsystembranding, /fetchglobalbranding, /fetchyoursbranding
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Ernesto Martin
Case: 90213
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /scripts/passwdmysql
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 90225
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /cgi/CloudLinux.cgi
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 90249
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /cgi/live_restart_xferlog_tail.cgi
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 90257
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /scripts/dorootmail
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 90261
Security Rating: Important
XSS Type: Stored
Interface: WHM
URLs: /cgi/sshcheck.cgi
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 90289
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /cgi/zoneeditor.cgi
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 90753
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/mail/delegatelist.html, /frontend/paper_lantern/mail/delegatelist.html
Affected Releases: 11.42.0, 11.40.1
Reporter: Mateusz Goik
Case: 90765
Security Rating: Minor
XSS Type: Self-stored
Interface: cPanel
URLs: /frontend/x3/mime/hotlink.html, /frontend/paper_lantern/mime/hotlink.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Mateusz Goik
Case: 90769
Security Rating: Minor
XSS Type: Self-stored
Interface: cPanel
URLs: /frontend/x3/webdav/accounts_webdav.html, /frontend/paper_lantern/webdav/accounts_webdav.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Mateusz Goik
Case: 90781
Security Rating: Minor
XSS Type: Self-stored
Interface: cPanel
URLs: /frontend/x3/mime/redirect.html, /frontend/paper_lantern/mime/redirect.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Mateusz Goik
Case: 90817
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/filemanager/listfmfiles.json, /frontend/paper_lantern/filemanager/listfmfiles.json
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Mateusz Goik
Case: 90969
Security Rating: Important
XSS Type: Stored
Interface: WHM
URLs: /cgi/cpaddons_report.pl
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Rack911
Case: 91457
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/test.php, /frontend/paper_lantern/test.php
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 91461
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/cgi/doupload.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 91633
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /fetchemailarchive
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 91677
Security Rating: Minor
XSS Type: Self-stored
Interface: cPanel
URLs: /frontend/x3/cpanelpro/filelist-scale.html, /frontend/paper_lantern/cpanelpro/filelist-scale.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 91681
Security Rating: Minor
XSS Type: Self-stored
Interface: cPanel
URLs: /frontend/x3/cpanelpro/filelist-thumbs.html, /frontend/paper_lantern/cpanelpro/filelist-thumbs.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 91717
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/cpanelpro/changestatus.html, /frontend/paper_lantern/cpanelpro/editmsgs.html, /frontend/paper_lantern/cpanelpro/msgaction.html, /frontend/paper_lantern/cpanelpro/saveconf.html, /frontend/paper_lantern/mail/changestatus.html, /frontend/paper_lantern/mail/conf.html, /frontend/paper_lantern/mail/editlists.html, /frontend/paper_lantern/mail/editmsg.html, /frontend/paper_lantern/mail/manage.html, /frontend/paper_lantern/mail/queuesearch.htm, /frontend/paper_lantern/mail/resetmsg.html(acount), /frontend/paper_lantern/mail/saveconf.html, /frontend/paper_lantern/mail/showlog.html, /frontend/paper_lantern/mail/showmsg.htm, /frontend/paper_lantern/mail/showq.html, /frontend/x3/cpanelpro/changestatus.html, /frontend/x3/cpanelpro/editlists.html, /frontend/x3/cpanelpro/editmsgs.html, /frontend/x3/cpanelpro/msgaction.html, /frontend/x3/cpanelpro/saveconf.html, /frontend/x3/mail/changestatus.html, /frontend/x3/mail/conf.html, /frontend/x3/mail/editlists.html, /frontend/x3/mail/editmsg.html, /frontend/x3/mail/manage.html, /frontend/x3/mail/queuesearch.html, /frontend/x3/mail/resetmsg.html, /frontend/x3/mail/saveconf.html, /frontend/x3/mail/showlog.html, /frontend/x3/mail/showmsg.html, /frontend/x3/mail/showq.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 91973
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/cpanelpro/doscale.html, /frontend/paper_lantern/cpanelpro/doscale.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 91977
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/cpanelpro/doconvert.html, /frontend/paper_lantern/cpanelpro/doconvert.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 91981
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/cpanelpro/dothumbdir.html, /frontend/paper_lantern/cpanelpro/dothumbdir.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 92133
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/telnet/keys/dodelpkey.html, /frontend/paper_lantern/telnet/keys/dodelpkey.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 92157
Security Rating: Important
XSS Type: Stored
Interface: WHM
URLs: /scripts/installfp, /scripts/uninstallfp
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 92421
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/mail/ajax_mail_settings.html, /frontend/paper_lantern/mail/ajax_mail_settings.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 92593
Security Rating: Moderate
XSS Type: Reflected
Interface: cPanel
URLs: /cgi-sys/entropysearch.cgi
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 92829
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /cgi-sys/defaultwebpage.cgi
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Shahee Mirza
Case: 93089
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/mime/delredirectconfirm.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
cPanel includes a comprehensive protection mechanism against XSS and XSRF attacks called Security Tokens. Security Tokens protection is enabled by default in all installs of cPanel & WHM. When Security Tokens protection is enabled, an attacker intending to utilize any self-XSS vulnerabilities must convince the victim to navigate their browser to the appropriate cPanel or WHM interface and manually input the JavaScript payload.
Credits
These issues were discovered by the respective reporters listed above.
Solution
These issues are resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23
For the PGP-signed message, see: TSR-2014-0003-Full-Disclosure1.