Newsroom

cPanel TSR 2014-0003 Full Disclosure

Case 85329

Summary

Sensitive information disclosed via multiple log files.

Security Rating

cPanel has assigned a Security Level of Moderate to this vulnerability.

Description

Several log files on cPanel & WHM systems were created with default world-readable permissions. These log files include both sensitive internal data such as stack traces and less sensitive information about the existence of other accounts and domains on the system.

Credits

This issue was discovered by Rack911.

Solution

This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23


Case 86337

Summary

Injection of arbitrary DNS zonefile contents via cPanel DNS zone editors.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

The cPanel interface provides restricted interfaces for modifying aspects of the DNS zones that belong to a cPanel account. A malicious cPanel account could use crafted inputs to the simple and advanced DNS zone editor interfaces to rewrite parts of the zone files that they are normally restricted from editing. With some inputs, this could disclose the contents of sensitive files on the system.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23

Case 86465

Summary

Insufficient ACL checks in WHM Modify Account interface.

Security Rating

cPanel has assigned a Security Level of Moderate to this vulnerability.

Description

Within WHM’s “Modify Account” interface and associated xml-api commands, several settings for cPanel accounts could be altered with the “edit-account” reseller ACL rather than the more restrictive “all” ACL that is required in the dedicated interfaces for these settings. In particular, an account could be switched between the new and legacy backup systems, which should only be permissible by the root user.

Credits

This issue was discovered by Rack911.

Solution

This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23

Case 87205

Summary

Open redirect vulnerability in FormMail-clone.

Security Rating

cPanel has assigned a Security Level of Minor to this vulnerability.

Description

cPanel & WHM servers include a clone of the classic FormMail.pl script. This clone includes the ability to redirect the browser after successful form submission to a URL included in the browser supplied parameters. These redirects are now restricted to HTTP and HTTPS locations that are on the server.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23

Case 87873

Summary

Multiple format string vulnerabilities in Cpanel::API::Fileman.

Security Rating

cPanel has assigned a Security Level of Moderate to this vulnerability.

Description

Error messages in Cpanel::API::Fileman were being generated using Locale::Maketext::maketext(). These errors were then added to a Cpanel::Result object using the error() method, which also performs maketext() interpolation on its inputs. With carefully crafted inputs, an authenticated attacker could utilize these format string flaws to execute arbitrary code using maketext() bracket notation.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.42.0.23
11.40.1.13

Case 88577

Summary

Arbitrary file overwrite via trackupload parameter.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

The trackupload functionality in cPanel & WHM’s default POST parameter and QUERY_STRING processor module allows a log file to be written and queried while a file upload is occurring. In some contexts, an authenticated attacker could make cpsrvd create the trackupload log file inside the user’s home directory while running with the effective UID of root. By combining this with a symlinked trackupload log file target, any file on the system could be overwritten.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23

Case 88793

Summary

External XML entity injection in WHM locale upload interface.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

The XML parser used by WHM for XLIFF and dumper-format XML locale file uploads allowed the processing of external XML entities. This would permit resellers with the ‘locale-edit’ ACL to reference arbitrary files on the system as external entities in an XLIFF translation upload and retrieve the target file by downloading the translation. All external XML entity processing in the translation system handling of XML files, is now disabled.

Credits

This issue was discovered by Prajith from NdimensionZ Solutions Pvt Ltd

Solution

This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23

Case 88961

Summary

Arbitrary code execution for ACL limited resellers via WHM Activate Remote Nameservers interface.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

Resellers with the ‘clustering’ ACL could send crafted parameters with newlines to the WHM /cgi/activate_remote_nameservers.cgi script and inject unsanitized values in the DNS clustering credential storage system. These unsanitized parameters could include code injections that would run with root’s effective UID or parameters intended to disclose root’s accesshash credentials to systems under the reseller’s control.

Credits

This issue was discovered by Rack911.

Solution

This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23

Case 89377

Summary

Arbitrary code execution for ACL limited resellers via WHM objcache.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

A flaw in the hostname input sanitization of WHM’s objcache functionality could be used by malicious resellers with limited ACLs to download Template Toolkit code of their choosing into the WHM objcache storage system. The malicious Template Toolkit code would subsequently execute with EUID 0 during the processing of WHM News.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23

Case 89733

Summary

Injection of arbitrary data into cpuser configuration files via wwwacct.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

The WHM /scripts5/wwwacct interface allowed arbitrary values to be set for the ‘owner’ parameter during new account creation by resellers with the ‘create-acct’ ACL. By supplying values with newlines, resellers could control all fields in the newly created account’s cpuser configuration file.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23

Case 89789

Summary

Arbitrary code execution for ACL limited resellers via batch API.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

The WHM XML-API allows for multiple commands to be combined into one call via the ‘batch’ command. Some aspects of the execution environment for one command in a batch persisted in the execution of subsequent commands. By leveraging failures of a proceeding command, a malicious authenticated reseller could execute arbitrary code as the root user in subsequent commands in the batch.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23

Case 90001

Summary

Sensitive information disclosed via update-analysis tarballs.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

The cPanel & WHM update-analysis system aggregates log files and system settings into a tarball that is sent to cPanel’s log processing servers. This opt-in service allows cPanel to detect trends in the errors that cPanel & WHM systems encounter. The tarballs generated by the update-analysis system are retained on the local file system, with 0644 permissions, inside a world-accessible directory and include copies of several sensitive log files. This allowed local users to view the sensitive data contained inside.

Credits

This issue was discovered by Rack911.

Solution

This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23

Case 90265

Summary

Open mail relay via injection of FormMail-clone parameters.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

cPanel & WHM servers include a clone of the classic FormMail.pl script. Incorrect filtering of the ‘subject’ parameter supplied to this script allowed arbitrary mail headers to be injected into the email message. This flaw bypassed any recipient restrictions and allowed FormMail-clone to be used as an open mail relay.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23

Case 91741

Summary

Arbitrary code execution via backup excludes.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

Entries in a user’s cpbackup-exclude.conf file are evaluated in an unsafe manner during the nightly account backup process. By carefully crafting these entries, a malicious local account could execute arbitrary code as the root user during nightly backups under some circumstances.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23

Case 92449

Summary

User .my.cnf files set to world readable during upcp.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

The script ‘/scripts/fixmysqlpasswordopt’ is run one time by upcp during an upgrade from cPanel & WHM version 11.38 to version 11.40. This script was intended to convert user’s .my.cnf files to use formatting required with MySQL5.5. During the conversion, the permissions on some user’s .my.cnf files could be changed to world-readable. In combination with other common attacks, this could disclose the user’s MySQL password to other accounts on the system.

Credits

This issue was discovered by Curtis Wood.

Solution

This issue is resolved in the following builds:
11.42.0.23
11.40.1.13

Case 92489

Summary

SSH private key disclosure during key import process.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

When the ‘extract_public’ option is specified to the ‘importsshkey’ WHM XML-API call, the provided private key was written to a world-readable temporary file. This allowed any user on the system to read the uploaded key.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23

Case 94201

Summary

Insufficient validation allows password reset of arbitrary users.

Security Rating

cPanel has assigned a Security Level of Critical to this vulnerability.

Description

cPanel & WHM systems contain optional functionality that allows cPanel accounts to reset their passwords from the cPanel login screen. When a user requests a password reset in this fashion, an email is sent to the user’s configured email address. The user must then navigate to a URL provided in the email to perform the password reset. A flaw in the validation of the ‘user’ parameter to the password reset interface allowed unauthenticated remote attackers to reset an account’s password and cause the reset email to be delivered to an email address of the attacker’s choosing.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23

Multiple Cases (30)

Summary

Multiple XSS vulnerabilities in various interfaces.

Description

Output filtering errors in several different interfaces allowed JavaScript inputs to be returned to the browser without proper filtering. The affected interfaces are listed below.

Case: 88465
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /scripts9/upload_locale
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Ernesto Martin

Case: 88469
Security Rating: Minor
XSS Type: Self-stored
Interface: WHM
URLs: /scripts/backupconfig
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Ernesto Martin

Case: 88473
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /fetchsystembranding, /fetchglobalbranding, /fetchyoursbranding
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Ernesto Martin

Case: 90213
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /scripts/passwdmysql
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 90225
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /cgi/CloudLinux.cgi
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 90249
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /cgi/live_restart_xferlog_tail.cgi
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 90257
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /scripts/dorootmail
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 90261
Security Rating: Important
XSS Type: Stored
Interface: WHM
URLs: /cgi/sshcheck.cgi
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 90289
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /cgi/zoneeditor.cgi
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 90753
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/mail/delegatelist.html, /frontend/paper_lantern/mail/delegatelist.html
Affected Releases: 11.42.0, 11.40.1
Reporter: Mateusz Goik

Case: 90765
Security Rating: Minor
XSS Type: Self-stored
Interface: cPanel
URLs: /frontend/x3/mime/hotlink.html, /frontend/paper_lantern/mime/hotlink.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Mateusz Goik

Case: 90769
Security Rating: Minor
XSS Type: Self-stored
Interface: cPanel
URLs: /frontend/x3/webdav/accounts_webdav.html, /frontend/paper_lantern/webdav/accounts_webdav.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Mateusz Goik

Case: 90781
Security Rating: Minor
XSS Type: Self-stored
Interface: cPanel
URLs: /frontend/x3/mime/redirect.html, /frontend/paper_lantern/mime/redirect.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Mateusz Goik

Case: 90817
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/filemanager/listfmfiles.json, /frontend/paper_lantern/filemanager/listfmfiles.json
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Mateusz Goik

Case: 90969
Security Rating: Important
XSS Type: Stored
Interface: WHM
URLs: /cgi/cpaddons_report.pl
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Rack911

Case: 91457
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/test.php, /frontend/paper_lantern/test.php
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 91461
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/cgi/doupload.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 91633
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /fetchemailarchive
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 91677
Security Rating: Minor
XSS Type: Self-stored
Interface: cPanel
URLs: /frontend/x3/cpanelpro/filelist-scale.html, /frontend/paper_lantern/cpanelpro/filelist-scale.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 91681
Security Rating: Minor
XSS Type: Self-stored
Interface: cPanel
URLs: /frontend/x3/cpanelpro/filelist-thumbs.html, /frontend/paper_lantern/cpanelpro/filelist-thumbs.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 91717
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/cpanelpro/changestatus.html, /frontend/paper_lantern/cpanelpro/editmsgs.html, /frontend/paper_lantern/cpanelpro/msgaction.html, /frontend/paper_lantern/cpanelpro/saveconf.html, /frontend/paper_lantern/mail/changestatus.html, /frontend/paper_lantern/mail/conf.html, /frontend/paper_lantern/mail/editlists.html, /frontend/paper_lantern/mail/editmsg.html, /frontend/paper_lantern/mail/manage.html, /frontend/paper_lantern/mail/queuesearch.htm, /frontend/paper_lantern/mail/resetmsg.html(acount), /frontend/paper_lantern/mail/saveconf.html, /frontend/paper_lantern/mail/showlog.html, /frontend/paper_lantern/mail/showmsg.htm, /frontend/paper_lantern/mail/showq.html, /frontend/x3/cpanelpro/changestatus.html, /frontend/x3/cpanelpro/editlists.html, /frontend/x3/cpanelpro/editmsgs.html, /frontend/x3/cpanelpro/msgaction.html, /frontend/x3/cpanelpro/saveconf.html, /frontend/x3/mail/changestatus.html, /frontend/x3/mail/conf.html, /frontend/x3/mail/editlists.html, /frontend/x3/mail/editmsg.html, /frontend/x3/mail/manage.html, /frontend/x3/mail/queuesearch.html, /frontend/x3/mail/resetmsg.html, /frontend/x3/mail/saveconf.html, /frontend/x3/mail/showlog.html, /frontend/x3/mail/showmsg.html, /frontend/x3/mail/showq.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 91973
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/cpanelpro/doscale.html, /frontend/paper_lantern/cpanelpro/doscale.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 91977
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/cpanelpro/doconvert.html, /frontend/paper_lantern/cpanelpro/doconvert.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 91981
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/cpanelpro/dothumbdir.html, /frontend/paper_lantern/cpanelpro/dothumbdir.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 92133
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/telnet/keys/dodelpkey.html, /frontend/paper_lantern/telnet/keys/dodelpkey.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 92157
Security Rating: Important
XSS Type: Stored
Interface: WHM
URLs: /scripts/installfp, /scripts/uninstallfp
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 92421
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/mail/ajax_mail_settings.html, /frontend/paper_lantern/mail/ajax_mail_settings.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 92593
Security Rating: Moderate
XSS Type: Reflected
Interface: cPanel
URLs: /cgi-sys/entropysearch.cgi
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 92829
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /cgi-sys/defaultwebpage.cgi
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Shahee Mirza

Case: 93089
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/mime/delredirectconfirm.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

cPanel includes a comprehensive protection mechanism against XSS and XSRF attacks called Security Tokens. Security Tokens protection is enabled by default in all installs of cPanel & WHM. When Security Tokens protection is enabled, an attacker intending to utilize any self-XSS vulnerabilities must convince the victim to navigate their browser to the appropriate cPanel or WHM interface and manually input the JavaScript payload.

Credits

These issues were discovered by the respective reporters listed above.

Solution

These issues are resolved in the following builds:

11.42.0.23
11.40.1.13
11.38.2.23

For the PGP-signed message, see: TSR-2014-0003-Full-Disclosure1.