Case 108965
Summary
Bypass of account suspension via mod_userdir.
Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.
Description
The fix for case 101677 in TSR-2014-0005 introduced a regression in account suspensions that allowed the web content of a suspended account to be viewed normally via Apache userdir-style URLs (http://server/~user/). This has been corrected so that both NameVirtualHost and userdir access to the suspended account’s web content are blocked.
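An added verification script, not part of the advisory or of cPanel's own tooling, that probes both access paths the description distinguishes (the account's NameVirtualHost domain and the mod_userdir ~user path) and reports whether either one still serves ordinary content for a suspended account. The suspension-page marker text, the server IP, user name and domain are assumptions; adjust them to your environment.

```python
"""Added example (not from the advisory): check that a suspended account's
web content is blocked via both the vhost and the userdir access paths."""
import urllib.error
import urllib.request

# Assumed marker text shown by the suspended-account page; adjust as needed.
SUSPENDED_MARKER = "This Account Has Been Suspended"


def classify(status, body):
    """Label one HTTP response. The suspension page is typically returned
    with status 200, so the marker is checked before the status code:
    'blocked' for the suspension page or any non-200 status, 'leak' when
    ordinary content came back with 200."""
    if SUSPENDED_MARKER in body:
        return "blocked"
    if status == 200:
        return "leak"
    return "blocked"


def access_paths(server_ip, user, domain):
    """The two URL styles the advisory distinguishes: the NameVirtualHost
    entry for the account's domain and the mod_userdir ~user path."""
    return {
        "vhost": f"http://{domain}/",
        "userdir": f"http://{server_ip}/~{user}/",
    }


def fetch(url, timeout=10):
    """Return (status, body); HTTP error responses are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "suspension-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def audit(server_ip, user, domain):
    """Probe both paths; any 'leak' means the suspension is bypassable."""
    results = {}
    for name, url in access_paths(server_ip, user, domain).items():
        try:
            status, body = fetch(url)
        except (urllib.error.URLError, OSError) as err:
            results[name] = f"error: {err}"
            continue
        results[name] = classify(status, body)
    return results


if __name__ == "__main__":
    # Constructed sample values; replace with a real server, user and domain.
    print(audit("192.0.2.10", "alice", "alice.example"))
```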
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.44.1.11
11.42.1.25
11.40.1.20
For the PGP-signed message, see: http://cpanel.net/wp-content/uploads/2014/08/TSR-2014-0006-Full-Disclosure.txt