cPanel TSR-2017-0004 Full Disclosure

SEC-263

Summary

Stored XSS during WHM cPAddons install.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 3.9 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

Description

It was possible for an attacker to actively inject HTML into the WHM cPAddons screen during a moderated install.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
58.0.52
56.0.51

SEC-264

Summary

Stored XSS during WHM cPAddons upgrades.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 3.9 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

Description

While performing cPAddon upgrades in WHM, output from the upgrade script was displayed without HTML escaping.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
62.0.27
60.0.45
58.0.52
56.0.51

SEC-265

Summary

Stored XSS during WHM cPAddons file operations.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 3.9 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

Description

It was possible for an attacker to actively inject HTML into the WHM cPAddons screen when the installation process did certain ‘chmod’ and ‘chown’ operations.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
58.0.52
56.0.51

SEC-266

Summary

Stored XSS during WHM cPAddons uninstallation.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 3.9 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

Description

While performing cPAddon uninstalls in WHM, output from the ‘rm’ command was displayed without HTML escaping. This could allow for arbitrary code to be injected into the rendered page.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
58.0.52
56.0.51

SEC-267

Summary

Stored XSS during WHM cPAddons cron operations.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 3.9 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

Description

During the WHM cPAddons install and uninstall processes, output from the ‘crontab’ command was not sufficiently HTML escaped.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
62.0.27
60.0.45
58.0.52
56.0.51

SEC-268

Summary

Stored XSS during moderated WHM cPAddons installation.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 3.9 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

Description

While performing cPAddon installs in WHM, output from the ‘chgrp’ command was displayed without HTML escaping.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
62.0.27
60.0.45
58.0.52
56.0.51

SEC-269

Summary

Stored XSS in WHM cPAddons processing.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 3.9 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

Description

The cPAddons interfaces relied on a temporary file inside the user’s home directory to buffer HTML output. When a reseller made cPAddons changes inside of the WHM interfaces for the user, this allowed the injection of HTML into the interface.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
58.0.52
56.0.51
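Every entry from SEC-263 through SEC-269 (and SEC-297 further down) has the same root cause: text that originated outside the template, here the output of chmod, chown, chgrp, rm or crontab, was interpolated into a WHM page without HTML escaping. The following is an added example written for this page, not cPanel code; it shows the vulnerable pattern beside the hardened one and a small check that flags a rendered fragment containing markup the template did not produce. The tool output it uses is constructed.

```python
"""Added example (not cPanel code): rendering captured command output into an
HTML page. render_unsafe() mirrors the defect described in SEC-263..SEC-269;
render_safe() escapes before interpolation. All sample output is constructed."""
import html
import re

# Constructed sample of what a verbose 'rm' might print during an uninstall
# when one of the file names under the addon directory contains markup.
SAMPLE_OUTPUT = (
    "removed 'addon/index.php'\n"
    "removed 'addon/<script>alert(1)</script>.php'\n"
    "rm: cannot remove 'addon/keep': Permission denied\n"
)


def render_unsafe(tool_output: str) -> str:
    """The pattern the advisories describe: raw output dropped into the page."""
    return '<pre class="output">' + tool_output + "</pre>"


def render_safe(tool_output: str) -> str:
    """Hardened: escape &, <, >, \" and ' so the text is data, not markup."""
    return '<pre class="output">' + html.escape(tool_output, quote=True) + "</pre>"


# A tag start other than our own <pre>/</pre> wrapper. Used as a regression
# check on rendered fragments: anything it matches came from the tool output.
_FOREIGN_TAG = re.compile(r"<(?!/?pre\b)[A-Za-z]")


def contains_foreign_markup(fragment: str) -> bool:
    """True if the rendered fragment opens a tag the template never emitted."""
    return _FOREIGN_TAG.search(fragment) is not None


def render_steps(steps):
    """Render a list of (command, output) pairs the way an install log page
    would, escaping both the command line and its output."""
    parts = []
    for command, output in steps:
        parts.append("<h3>" + html.escape(command, quote=True) + "</h3>")
        parts.append(render_safe(output))
    return "\n".join(parts)


if __name__ == "__main__":
    print(render_unsafe(SAMPLE_OUTPUT))
    print(render_safe(SAMPLE_OUTPUT))
```

The regression check is deliberately narrow: it only knows which tags the template itself writes, so any other tag start in the result proves that untrusted text reached the page unescaped. Running it over each rendered fragment in a test suite catches the class of bug above without needing to know which command's output was at fault.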

SEC-271

Summary

Demo accounts allowed to create databases and users.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 5.0 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

Description

The mysql adminbin allowed demo accounts to create and delete databases and users.

Credits

This issue was discovered by rack911labs.com.

Solution

This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45

SEC-272

Summary

EasyApache 4 conversion sets loose domlog ownership and permissions.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 2.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

The conversion from EasyApache 3 to EasyApache 4 does not move virtualhost domlogs from the old location to the new location. This results in the logs being recreated by Apache with default world-readable permissions. The conversion script will now create the log files as necessary to ensure correct permissions and ownership are maintained.

Credits

This issue was discovered by Alex Kwiecinski of the Liquid Web Security Team.

Solution

This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
58.0.52
56.0.51

SEC-273

Summary

Domain log files become readable after log processing.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

When Apache was configured with piped-logging and the domain log files were processed by cpanellogd, the logfiles would be left with world-readable permissions.

Credits

This issue was discovered by Alex Kwiecinski.

Solution

This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
58.0.52
56.0.51

SEC-274

Summary

Apache configuration file changed to world-readable when rebuilt.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

Changes to the Cpanel::AdvConfig module resulted in all AdvConfig managed subsystems getting world-readable configuration files when they were rebuilt. Cpanel::AdvConfig now defaults to the existing file permissions whenever the optional _target_conf_perms argument is not supplied.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45

SEC-280

Summary

The cpdavd_error_log can be created with insecure permissions.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 2.2 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Description

If the cpdavd_error_log file is missing when cpdavd starts, then it is possible for it to be created with world-readable permissions. It is possible for sensitive data to be contained within this log. The permissions on this file are now reduced.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
58.0.52
56.0.51

SEC-288

Summary

Resellers can read other accounts’ domain log files.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 2.7 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Description

Under certain situations domain log files are backed up with the file extensions “.bkup”, “.bkup2” and “.offset”. A reseller could create a domain with one of those extensions as its top-level domain and gain access to read other users’ domain log files. The aforementioned top-level domains are no longer allowed during account creation.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
58.0.52
56.0.51
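The fix for SEC-288 is a validation rule at account creation: a domain whose last label is one of the backup extensions must be refused, because its log file name would coincide with another account's rotated log. The function below is an added example, not cPanel code. The three reserved labels come from the advisory; the layout it assumes (logs stored as one file per domain name, backups as that name plus the extension) is the example's own assumption, used only to explain the collision it prevents.

```python
"""Added example (not cPanel code): refuse domain names whose top-level label
is one of the domlog backup extensions from SEC-288. The set of labels is
from the advisory; the log-file layout is an assumption of this example."""
import os
from typing import Optional, Tuple

RESERVED_TLDS = frozenset({"bkup", "bkup2", "offset"})


def normalize(domain: str) -> str:
    """Lower-case and drop a trailing dot so 'Example.COM.' and 'example.com' agree."""
    return domain.strip().rstrip(".").lower()


def reserved_tld(domain: str) -> Optional[str]:
    """Return the reserved label if the domain's last label is one, else None.
    Only the last label matters: 'bkup.example.com' is a normal subdomain."""
    labels = normalize(domain).split(".")
    tld = labels[-1] if labels and labels[-1] else ""
    return tld if tld in RESERVED_TLDS else None


def colliding_log_path(domain: str, log_dir: str = "/path/to/domlogs") -> Optional[str]:
    """Assumed layout: '<log_dir>/<domain>' holds a domain's log and
    '<log_dir>/<domain>.<ext>' its backup. A domain ending in a reserved label
    would therefore be given the same file name as some other domain's backup."""
    tld = reserved_tld(domain)
    if tld is None:
        return None
    return os.path.join(log_dir, normalize(domain))


def validate_new_domain(domain: str) -> Tuple[bool, str]:
    """Account-creation hook: (True, '') when acceptable, else (False, reason)."""
    tld = reserved_tld(domain)
    if tld is not None:
        return False, f"top-level label '.{tld}' is reserved for log file backups"
    if not all(label for label in normalize(domain).split(".")):
        return False, "empty label in domain name"
    return True, ""


if __name__ == "__main__":
    for d in ("example.com", "example.com.bkup", "bkup.example.com", "logs.Offset."):
        print(d, validate_new_domain(d), colliding_log_path(d))
```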

SEC-289

Summary

Insecure log file permissions after account modification.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 2.2 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Description

When changing the main domain name of the account, the log files for that domain were not renamed. This resulted in world-readable log files when Apache was restarted.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
58.0.52
56.0.51

SEC-290

Summary

Apache domlogs become temporarily world-readable during log processing.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 2.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

During log processing, the Apache domain log files were moved out of their normal location. This created a race condition where any restart of Apache would log to the normal log file location with insecure permissions.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
58.0.52
56.0.51
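SEC-272, SEC-273, SEC-280, SEC-289 and SEC-290 describe the same failure mode from different directions: a log file that should be private ends up created, recreated or left behind with the default world-readable mode. A periodic audit of the log directory catches all of them regardless of which code path caused it. The script below is an added example, not cPanel code; it builds a throwaway directory that mimics the conditions in those entries (file names and modes are constructed), reports files readable by "other", and tightens them. The real location and expected ownership of domlogs depend on the installation, so the directory is a parameter.

```python
"""Added example (not cPanel code): audit a log directory for files that are
readable by 'other', the condition behind SEC-272/273/280/289/290, and
remediate them. The directory tree built here is constructed for the demo."""
import os
import stat
import tempfile
from typing import List


def world_readable_files(log_dir: str) -> List[str]:
    """Relative paths of regular files under log_dir whose mode grants read
    to 'other'. lstat() is used so a symlink is judged by its own mode and a
    link into a private file is never mistaken for a private file."""
    findings = []
    for root, _dirs, files in os.walk(log_dir):
        for name in files:
            path = os.path.join(root, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & stat.S_IROTH:
                findings.append(os.path.relpath(path, log_dir))
    return sorted(findings)


def tighten(log_dir: str, findings: List[str]) -> int:
    """Remediation: drop group and other bits, leaving owner read/write (0600).
    Returns the number of files changed."""
    changed = 0
    for rel in findings:
        path = os.path.join(log_dir, rel)
        if stat.S_ISREG(os.lstat(path).st_mode):
            os.chmod(path, 0o600)
            changed += 1
    return changed


def build_constructed_tree() -> str:
    """Create a temporary directory mimicking the advisory conditions.
    Names and modes are constructed, not taken from a real server."""
    d = tempfile.mkdtemp(prefix="domlog-demo-")
    cases = {
        "example.com": 0o644,          # recreated by Apache with default umask
        "example.com.bkup": 0o640,     # rotated copy, group-readable only
        "example.com-ssl_log": 0o600,  # correct
        "cpdavd_error_log": 0o644,     # SEC-280 condition
    }
    for name, mode in cases.items():
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write("constructed log line\n")
        os.chmod(path, mode)
    return d


if __name__ == "__main__":
    demo = build_constructed_tree()
    found = world_readable_files(demo)
    print("world-readable:", found)
    print("tightened:", tighten(demo, found))
    print("after:", world_readable_files(demo))
```

The audit reads only the mode bits, so it is safe to run from cron on a live system; pairing it with the remediation step turns the transient windows described in SEC-273 and SEC-290 into an exposure that lasts at most one audit interval rather than until the next log rotation.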

SEC-291

Summary

Apache SSL domain logs left behind after account termination.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 2.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

The Apache logs for an account’s SSL domain and subdomains were left behind by the account termination process. Resellers could recreate the deleted domains to gain access to the log data.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
58.0.52
56.0.51

SEC-294

Summary

Corrupted user and group ownership when using ‘reassign_post_terminate_cruft’.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 3.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

Description

Under very specific file tree structures, it was possible for the script ‘reassign_post_terminate_cruft’ to corrupt the user and group ownership of symlinks.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
58.0.52
56.0.51

SEC-297

Summary

Self XSS Vulnerability in WHM Upload Locale interface.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

When uploading a locale file in the WHM Upload Locale interface, page output containing the uploaded file name was not adequately escaped. This could allow for arbitrary code to be injected into the rendered page.

Credits

This issue was discovered by Vahagn Vardanyan.

Solution

This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
58.0.52
56.0.51

For the PGP-Signed version of this announcement please see: https://news.cpanel.com/wp-content/uploads/2017/07/TSR-2017-0004.disclosure.signed.txt