cPanel TSR-2023-0002 Full Disclosure

SEC-673

Summary

XSS vulnerability on ‘Repair a MySQL Database’ page in WHM

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L

Description

A cPanel user could create a database whose name contained JavaScript. The stored name was later rendered into the 'Repair a MySQL Database' page without being neutralised, so the script executed in the browser of any server administrator who loaded that page in WHM. This is a stored XSS that crosses the trust boundary from an unprivileged cPanel account into an administrator's WHM session.
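The rendering flaw and its fix, as an added illustration that is not cPanel's code: a model of the page fragment that lists databases, once interpolating the stored name directly (the vulnerable shape) and once HTML-escaping it, plus an assumed allow-list for database names as input-side defence in depth. The option-element template, the payload and the allow-list policy are assumptions for the example; only the stored-XSS mechanism comes from the advisory.

```python
import html
import re

# Constructed example: a database name as an unprivileged cPanel user might
# submit it.  The name itself carries the payload; nothing else is needed.
MALICIOUS_DB_NAME = 'shop_<script>fetch("/evil?c="+document.cookie)</script>'


def render_repair_option_vulnerable(db_name: str) -> str:
    """Model of the flaw (assumed template, not cPanel's): the stored name is
    interpolated straight into the HTML of the repair page, so any markup in
    it becomes part of the DOM the administrator's browser executes."""
    return f'<option value="{db_name}">{db_name}</option>'


def render_repair_option_fixed(db_name: str) -> str:
    """Hardened version: HTML-escape the name for both the attribute and the
    text context before it reaches the page.  quote=True also escapes the
    double quote so the attribute cannot be broken out of."""
    safe = html.escape(db_name, quote=True)
    return f'<option value="{safe}">{safe}</option>'


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_active_script(fragment: str) -> bool:
    """Demonstration check: does the rendered fragment still contain a live
    <script> tag that a browser would execute?"""
    return SCRIPT_TAG.search(fragment) is not None


# Defence in depth on the input side.  MySQL caps identifiers at 64
# characters; restricting names to a conservative character set stops the
# payload from being stored at all.  This allow-list is an assumed policy
# for the example, not cPanel's actual database-name validator.
DB_NAME_ALLOWED = re.compile(r"^[A-Za-z0-9_]{1,64}$")


def is_acceptable_db_name(db_name: str) -> bool:
    return DB_NAME_ALLOWED.fullmatch(db_name) is not None


if __name__ == "__main__":
    print(render_repair_option_vulnerable(MALICIOUS_DB_NAME))
    print(render_repair_option_fixed(MALICIOUS_DB_NAME))
```

Output encoding is the fix that matters here: the allow-list only narrows the attack surface, while escaping at the point of rendering protects every page that displays the name, including ones written later.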

Credits

This issue was discovered by Aliz Hammond of watchTowr.com.

Solution

This issue is resolved in the following builds:

11.112.0.1
11.110.0.6
11.108.0.16
11.102.0.33

SEC-672

Summary

Authenticated RCE for webmail virtual accounts

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 5.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Description

A string could be crafted that passed the regex check performed by the deprecated Email::addforward API1 call. Subsequent API1, API2, or UAPI calls that remove forwarders stripped the escape characters from the stored string, turning the forwarder that had been added with that string into a valid forwarder that allows for remote code execution. Because webmail virtual accounts can reach these calls, the result is code execution as the owning cPanel account from a less-privileged webmail login.
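The validate-then-normalise mismatch behind this issue, as an added model that is not cPanel's code: the add path checks the raw string, a later remove path rewrites every stored entry with backslash escapes stripped, and the survivor is exactly the form the check refused. The forwarder grammar (a mailbox address, or "|/path/to/program" for pipe-to-program delivery), the regex, the unescaping rule and the sample inputs are assumptions for the example; the advisory gives only the shape of the bug.

```python
import re

# Assumed forwarder grammar for this model, not cPanel's actual rules: a
# destination is a mailbox address, or a "pipe to program" target written as
# "|/path/to/program", which mail delivery executes as the account owner.
PIPE_TARGET = re.compile(r"^\s*\|")


def passes_add_check(dest: str) -> bool:
    """Model of the regex check on the add path: reject a destination that
    starts with a pipe.  It inspects the raw string, so a backslash in front
    of the pipe slips through."""
    return PIPE_TARGET.search(dest) is None


def unescape(dest: str) -> str:
    """Model of the normalisation the remove path applies before it rewrites
    the forwarder list: every backslash escape is stripped."""
    return re.sub(r"\\(.)", r"\1", dest)


def vulnerable_add(store: list, dest: str) -> list:
    """Add path: validate the raw string and store it verbatim."""
    if not passes_add_check(dest):
        raise ValueError("forwarder rejected: " + dest)
    return store + [dest]


def vulnerable_remove(store: list, dest: str) -> list:
    """Remove path: unescape everything, drop the requested entry, write the
    rest back.  Survivors are now stored in unescaped form."""
    target = unescape(dest)
    return [unescape(d) for d in store if unescape(d) != target]


def canonical_is_acceptable(dest: str) -> bool:
    """Hardened check: validate the canonical (unescaped) form, i.e. the
    representation every later code path will actually act on."""
    return passes_add_check(unescape(dest))


def fixed_add(store: list, dest: str) -> list:
    if not canonical_is_acceptable(dest):
        raise ValueError("forwarder rejected: " + dest)
    return store + [unescape(dest)]


# Constructed inputs: a legitimate mailbox target and an escaped pipe target.
LEGIT = "alice@example.com"
ESCAPED_PIPE = r"\|/usr/bin/id"


def replay_vulnerable_flow() -> list:
    """Add the escaped pipe, then remove the legitimate entry; the survivor
    is a bare pipe forwarder that the add check would have refused."""
    store = vulnerable_add([LEGIT], ESCAPED_PIPE)
    return vulnerable_remove(store, LEGIT)


if __name__ == "__main__":
    print("stored after remove:", replay_vulnerable_flow())
    print("canonical check on escaped pipe:", canonical_is_acceptable(ESCAPED_PIPE))
```

The general rule the example illustrates: validate the same canonical representation that storage and later code paths will use, and never let a later path transform stored data into something the original check would not have accepted.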

Credits

This issue was discovered by John Lightsey.

Solution

This issue is resolved in the following builds:

11.112.0.1
11.110.0.6
11.108.0.16
11.102.0.33

SEC-670

Summary

HTTP request smuggling vulnerability in cpsrvd

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N.

Description

‘cpanel::cpsrvd::read_socket_headers’ is susceptible to a race condition on keep-alive requests for unprotected documents (those served without authentication) when the original request carries a ‘Content-Length’ header. If that request's body contains a smuggled request whose final line is not terminated, the readline call hangs while reading the socket, waiting for the input record separator ($/) to appear. If a second keep-alive request arrives during that wait, the entire second request is appended to the smuggled request as part of its headers, and the smuggled request is processed when it should not have been.
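The race described above, as an added simulation that is not cpsrvd's code: a constructed keep-alive connection delivers a first request whose body is a smuggled, unterminated request, and then, later, a second legitimate request. A line-oriented header reader that never drains the announced body blocks on the unterminated line, and the second request's bytes complete that line, so the smuggled request is parsed with the second request glued into its headers. The in-memory socket, the two requests and the remedy (consuming exactly Content-Length bytes before reading the next request) are assumptions for the example; the advisory does not state how cpsrvd was fixed.

```python
CRLF = b"\r\n"


class Socket:
    """Constructed stand-in for a keep-alive connection.  Data arrives in the
    listed chunks, in order; readline() 'blocks' (here: pulls the next chunk)
    until a CRLF-terminated line is available or nothing more will arrive."""

    def __init__(self, chunks):
        self.chunks = list(chunks)
        self.buf = b""

    def readline(self) -> bytes:
        while CRLF not in self.buf:
            if not self.chunks:
                # A real socket would block here until the peer sent more.
                line, self.buf = self.buf, b""
                return line
            self.buf += self.chunks.pop(0)      # the "wait" for the peer
        line, _, self.buf = self.buf.partition(CRLF)
        return line + CRLF

    def read(self, n: int) -> bytes:
        while len(self.buf) < n and self.chunks:
            self.buf += self.chunks.pop(0)
        data, self.buf = self.buf[:n], self.buf[n:]
        return data


def read_socket_headers(sock):
    """Model of a readline-based header parser: request line, then header
    lines until an empty line.  Mirrors the shape of the flaw, not cpsrvd."""
    request_line = sock.readline().rstrip(CRLF)
    headers = []                                # (name, value) pairs, in order
    while True:
        line = sock.readline()
        if line in (b"", CRLF):
            break
        name, _, value = line.rstrip(CRLF).partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers


def get_header(headers, name: bytes) -> bytes:
    for n, v in headers:
        if n == name:
            return v
    return b""


# Constructed traffic.  The smuggled request deliberately lacks a trailing
# CRLF, so a line reader cannot finish its last header until more data comes.
SMUGGLED = b"GET /smuggled HTTP/1.1\r\nHost: a"
FIRST = (b"GET /unprotected/x HTTP/1.1\r\nHost: a\r\n"
         b"Content-Length: %d\r\n\r\n" % len(SMUGGLED)) + SMUGGLED
SECOND = b"GET /unprotected/y HTTP/1.1\r\nHost: a\r\n\r\n"


def demo_chunks():
    return [FIRST, SECOND]          # SECOND arrives while the reader is stuck


def serve_vulnerable(sock):
    """Vulnerable loop: headers are parsed, but the body announced by
    Content-Length is never consumed, so its bytes are read as the next
    request on the keep-alive connection."""
    return [read_socket_headers(sock) for _ in range(2)]


def serve_fixed(sock):
    """Fixed loop: drain exactly Content-Length body bytes before reading the
    next request, so body content can never be reinterpreted as headers."""
    seen = []
    for _ in range(2):
        req, hdrs = read_socket_headers(sock)
        sock.read(int(get_header(hdrs, b"content-length") or b"0"))
        seen.append((req, hdrs))
    return seen


if __name__ == "__main__":
    for req, hdrs in serve_vulnerable(Socket(demo_chunks())):
        print("vulnerable parsed:", req, hdrs)
    for req, hdrs in serve_fixed(Socket(demo_chunks())):
        print("fixed parsed:     ", req, hdrs)
```

In the vulnerable run the second parsed request line is the smuggled one, and its first Host value contains the entire second request's request line; in the fixed run the second parsed request is the legitimate one.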

Credits

This issue was discovered by Erik Ellsinger.

Solution

This issue is resolved in the following builds:

11.112.0.1
11.110.0.6
11.108.0.16
11.102.0.33

https://news.cpanel.com/wp-content/uploads/2023/05/TSR-2023-0002-Full-Disclosure.signed.txt