cPanel TSR-2017-0005 Full Disclosure
SEC-276
Summary
SQL injection in eximstats processing.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.3 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Description
When processing eximstats updates in buffered mode, errors in the SQL operations cause the updates to be reprocessed one statement at a time. The logic used to split the batched SQL back into individual statements was faulty, so data contained in the updates could be processed as SQL commands.
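The splitting problem described above, as an added example that is not cPanel's code: a naive split on every `;` cuts a quoted value in two and turns its tail into a "statement", while a quote-aware splitter keeps the literal intact. The table and column names in the sample batch are constructed.

```python
# Added example, not cPanel's code: splitting a batched SQL string back into
# single statements. Splitting on every ';' turns data inside a quoted literal
# into a statement boundary; the quote-aware version does not.

def naive_split(sql: str) -> list[str]:
    """Faulty approach: every ';' is assumed to end a statement."""
    return [s.strip() for s in sql.split(";") if s.strip()]

def split_statements(sql: str) -> list[str]:
    """Split on ';' only outside single/double-quoted literals, honouring the
    doubled-quote ('') and backslash escapes MySQL accepts inside a literal."""
    statements, buf, quote, i = [], [], None, 0
    while i < len(sql):
        ch = sql[i]
        if quote:                                   # inside a literal
            buf.append(ch)
            if ch == "\\" and i + 1 < len(sql):     # backslash escape
                buf.append(sql[i + 1])
                i += 1
            elif ch == quote:
                if i + 1 < len(sql) and sql[i + 1] == quote:  # '' escape
                    buf.append(quote)
                    i += 1
                else:
                    quote = None                    # literal ends
        elif ch in ("'", '"'):                      # literal starts
            quote = ch
            buf.append(ch)
        elif ch == ";":                             # real statement boundary
            stmt = "".join(buf).strip()
            if stmt:
                statements.append(stmt)
            buf = []
        else:
            buf.append(ch)
        i += 1
    tail = "".join(buf).strip()
    if tail:
        statements.append(tail)
    return statements

# Constructed sample batch: the second string literal contains a ';'.
BATCH = ("INSERT INTO sends (msgid, email) VALUES ('abc', 'user@example.com; bounced');"
         "UPDATE totals SET n = n + 1;")

if __name__ == "__main__":
    print(naive_split(BATCH))        # three fragments: the literal was cut in two
    print(split_statements(BATCH))   # two statements, the literal intact
```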
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
66.0.23
64.0.40
SEC-279
Summary
SSL hostname verification for support agreement download not enforced.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Description
There was no hostname verification for the support agreement download when creating a support ticket through WHM. This exposed users to a man-in-the-middle (MITM) attack.
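What hostname verification actually decides, as an added example that is not cPanel's code: a matcher for a certificate's dNSName entries (exact, case-insensitive match, or a single `*` as the whole leftmost label matching exactly one label), next to the weak and the fixed `ssl` context setup. The host names are constructed.

```python
# Added example, not cPanel's code: the check that was missing. A TLS client
# that validates the chain but not the name accepts any trusted certificate,
# whoever it was issued to; hostname verification closes that gap.
import ssl

def hostname_matches(dns_names: list[str], hostname: str) -> bool:
    """True if any SAN dNSName in dns_names covers hostname."""
    host = hostname.lower().rstrip(".").split(".")
    if "" in host:                      # empty label: malformed, never matches
        return False
    for name in dns_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host):    # a wildcard spans exactly one label
            continue
        if labels == host:
            return True
        # '*' only as the entire leftmost label, and never directly under a TLD
        if labels[0] == "*" and len(labels) >= 3 and labels[1:] == host[1:]:
            return True
    return False

def verified_context() -> ssl.SSLContext:
    """The fixed behaviour: chain validation plus hostname check."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True           # already the default; stated explicitly
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def unverified_context() -> ssl.SSLContext:
    """The weak setting the advisory describes: the chain is checked, but a
    valid certificate for any name is accepted for the download host."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx

def is_strict(ctx: ssl.SSLContext) -> bool:
    """Audit helper: does this context verify both the chain and the name?"""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED
```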
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
66.0.23
64.0.40
62.0.30
60.0.48
SEC-282
Summary
Stored XSS Vulnerability in WHM MySQL Password Change Interfaces.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.6 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Description
When changing the MySQL password for the root user, various scripts are called to update subsystems that rely on this password. One of these scripts updates the Roundcube databases and outputs a list of virtual email accounts. This list was not adequately encoded before displaying to the user and allowed an attacker to inject arbitrary code on the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
66.0.23
64.0.40
62.0.30
60.0.48
56.0.52
SEC-283
Summary
cPanel backup interface could return a backup with all MySQL databases.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.7 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Description
With specific database names it was possible for a backup returned by getsqlbackup to contain all MySQL databases on the server, including databases the user did not own.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
66.0.23
64.0.40
62.0.30
60.0.48
56.0.52
SEC-284
Summary
User account backups could contain all MySQL databases on the server.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.7 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Description
With specific database names it was possible for an account backup to contain all MySQL databases on the server, including databases the user did not own.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
66.0.23
64.0.40
62.0.30
60.0.48
56.0.52
SEC-285
Summary
Addon domain conversion can copy all MySQL databases to the new account.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 6.8 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Description
It was possible for a reseller account to perform an addon domain conversion such that the resulting account was given a copy of every MySQL table on the server.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
66.0.23
64.0.40
62.0.30
60.0.48
56.0.52
SEC-296
Summary
Account rename can result in Apache logfiles becoming world-readable.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.2 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Description
When modifying the account’s main domain name, there was a small interval between the renaming of the Apache log files and the restart of httpd. If the site was accessed during this interval, Apache created the new logs as world-readable, which could leak potentially sensitive data.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
66.0.23
64.0.40
62.0.30
60.0.48
56.0.52
SEC-299
Summary
Backup system overwrites root’s home directory when mount disappears.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.8 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Description
When performing an account backup, the backup script will chdir() to the backup directory. If a file system failure occurs when this chdir() is made, the working directory can end up being root’s home directory, allowing files within that directory to be overwritten.
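One way to make that chdir() fail closed, as an added example that is not cPanel's backup code: open the directory itself, fchdir() to it, prove by device and inode that the process really is there, and write relative to the directory descriptor rather than the bare cwd. Function names and the sample file name are hypothetical.

```python
# Added example, not cPanel's backup code: entering a backup directory in a
# way that cannot silently end up somewhere else (names are hypothetical).
import os
import tempfile

class BackupDirError(RuntimeError):
    pass

def enter_backup_dir(path: str) -> int:
    """chdir into `path` and prove the process really is there.

    The directory itself is opened (O_DIRECTORY), so a vanished mount or a
    plain file at that path fails right here. After fchdir(), (st_dev, st_ino)
    of "." is compared with the opened directory: if a filesystem error left
    the cwd unchanged (for a root job, typically root's home), they differ and
    nothing is written. The returned fd lets callers use dir_fd= instead.
    """
    try:
        fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_CLOEXEC)
    except OSError as e:
        raise BackupDirError(f"cannot open backup dir {path!r}: {e}") from e
    want = os.fstat(fd)
    os.fchdir(fd)
    here = os.stat(".")
    if (here.st_dev, here.st_ino) != (want.st_dev, want.st_ino):
        os.close(fd)
        raise BackupDirError(f"cwd is not {path!r} after chdir, refusing to write")
    return fd

def write_backup(dir_fd: int, name: str, data: bytes) -> None:
    """Create the file relative to the verified directory fd: mode 0600, no clobber."""
    out = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600, dir_fd=dir_fd)
    with os.fdopen(out, "wb") as f:
        f.write(data)

def demo() -> bool:
    """Good directory: the file lands inside it. Missing directory: an error."""
    start = os.getcwd()
    with tempfile.TemporaryDirectory() as d:
        fd = enter_backup_dir(d)
        write_backup(fd, "account.tar.gz", b"constructed sample archive")
        os.close(fd)
        written = os.path.isfile(os.path.join(d, "account.tar.gz"))
        os.chdir(start)
    try:                      # directory gone: refused, not silently elsewhere
        enter_backup_dir(os.path.join(d, "gone"))
    except BackupDirError:
        return written
    return False
```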
Credits
This issue was discovered by NameCheap, Inc.
Solution
This issue is resolved in the following builds:
66.0.23
64.0.40
62.0.30
60.0.48
56.0.52
SEC-300
Summary
Open redirect in /unprotected/redirect.html.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.4 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
Description
The goto_uri parameter of /unprotected/redirect.html could be used as an open redirect to a potentially harmful domain.
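A validator for a redirect parameter of this kind, as an added example that is not cPanel's code: only site-local absolute paths, or https URLs to an allow-listed host, are passed through; everything that could send the browser elsewhere falls back to a safe default. `goto_uri` is the parameter name from the advisory; the allowed-host set and the URLs are constructed.

```python
# Added example, not cPanel's code: validating a goto_uri-style redirect
# parameter so it can only lead back to this site.
from urllib.parse import urlsplit, urlunsplit

SAFE_DEFAULT = "/"

def safe_redirect_target(goto_uri: str, allowed_hosts: frozenset[str] = frozenset()) -> str:
    """Return goto_uri if it is a site-local path or an https URL to an
    allow-listed host; otherwise return SAFE_DEFAULT.

    Rejected outright: empty values, control characters, backslashes (browsers
    treat them as slashes), scheme-relative '//host' targets, non-https
    schemes (javascript:, data:, ...), and userinfo ('user@host') tricks.
    """
    if not goto_uri or any(ord(c) < 0x20 or c == "\\" for c in goto_uri):
        return SAFE_DEFAULT
    parts = urlsplit(goto_uri)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: must be an absolute path ("/x"), never "x" or "//x".
        if goto_uri.startswith("/") and not goto_uri.startswith("//"):
            return urlunsplit(("", "", parts.path, parts.query, parts.fragment))
        return SAFE_DEFAULT
    if parts.scheme.lower() != "https" or "@" in parts.netloc:
        return SAFE_DEFAULT
    host = (parts.hostname or "").lower()
    return goto_uri if host in allowed_hosts else SAFE_DEFAULT
```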
Credits
This issue was discovered by Fredrik Almroth.
Solution
This issue is resolved in the following builds:
66.0.23
64.0.40
62.0.30
60.0.48
56.0.52
SEC-302
Summary
Code execution as mailman user due to faulty environment variable filtering.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
The blacklist-based environment variable filtering in Mailman let through variables that could influence the operation of the Python interpreter. On cPanel & WHM systems, this faulty filtering allowed local users to run arbitrary code as the shared mailman user.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
66.0.23
64.0.40
62.0.30
60.0.48
56.0.52
SEC-303
Summary
Arbitrary file overwrite via Roundcube SQLite schema update.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.8 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
Description
During Roundcube SQLite schema updates, the SQLite database files were opened by root inside the user’s home directory. This could allow arbitrary files to be created or overwritten on the system.
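How a root-run updater can open a file in a user's home without being steered elsewhere, as an added example that is not cPanel's or Roundcube's code: the final path component is opened with O_NOFOLLOW, and the ownership, type, link count and mode checks are made on the opened descriptor rather than on the path. File names and the temporary directory are constructed.

```python
# Added example, not cPanel's or Roundcube's code: opening a user-owned file
# as root without following the user's symlinks or touching foreign files.
import os
import stat
import tempfile

class UnsafeFile(RuntimeError):
    pass

def open_user_file(path: str, uid: int, flags: int = os.O_RDWR) -> int:
    """Open `path` only if it is a plain file owned by `uid`. O_NOFOLLOW makes a
    symlink at the final component fail (ELOOP); the checks run on the opened
    descriptor, so the path cannot be swapped in between. Caller closes the fd."""
    fd = os.open(path, flags | os.O_NOFOLLOW | os.O_CLOEXEC | os.O_NONBLOCK)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):          # no devices, FIFOs, dirs
            raise UnsafeFile(f"{path!r} is not a regular file")
        if st.st_uid != uid:                      # not the user's own file
            raise UnsafeFile(f"{path!r} owned by uid {st.st_uid}, expected {uid}")
        if st.st_nlink != 1:                      # hard link to something else
            raise UnsafeFile(f"{path!r} has {st.st_nlink} hard links")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise UnsafeFile(f"{path!r} is group/world writable")
    except BaseException:
        os.close(fd)
        raise
    return fd

def demo() -> dict:
    """Regular owned file opens; a symlink and a wrong owner are refused."""
    uid, results = os.getuid(), {}
    with tempfile.TemporaryDirectory() as home:
        db = os.path.join(home, "schema.sqlite")
        with open(db, "wb") as f:
            f.write(b"constructed placeholder, not a real database")
        link = os.path.join(home, "link.sqlite")
        os.symlink(db, link)
        for label, target, owner in (("regular", db, uid),
                                     ("symlink", link, uid),
                                     ("wrong_owner", db, uid + 1)):
            try:
                os.close(open_user_file(target, owner))
                results[label] = "opened"
            except (OSError, UnsafeFile):
                results[label] = "refused"
    return results
```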
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
66.0.23
64.0.40
62.0.30
60.0.48
56.0.52
For the PGP-Signed version of this announcement please see: https://news.cpanel.com/wp-content/uploads/2017/09/TSR-2017-0005.disclosure.signed.txt