Shell code injection via translatable phrases in Cpanel::Locale
cPanel has assigned a Security Level of “Important” to this vulnerability.
The Cpanel::Locale module wraps around Perl’s Locale::Maketext module and extends it to provide additional Maketext tags and functionality. Locale::Maketext is used to render translatable phrases into a user’s chosen locale. cPanel & WHM uses this module to display all translatable phrases in the cPanel, WHM and Webmail interfaces.
The version of Cpanel::Locale used in previous releases of cPanel & WHM included two date formatting functions that passed unsanitized userinput to a subprocess shell. An authenticated attacker could use this functionality to execute arbitrary shell commands on the local system bypassing normal restrictions on local code execution.
This vulnerability was discovered by the cPanel Quality Assurance Team.
This issue is resolved in the following builds:
* 126.96.36.199 and greater
* 188.8.131.52 and greater
* 184.108.40.206 and greater
Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.