cPanel TSR-2015-0003 Full Disclosure

SEC-22

Summary

Access restrictions on mail routing information not properly enforced.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)

Description

The WHM, cPanel and Webmail interfaces each provide the ability to trace the route that email delivery takes. This routing information includes details about how email is routed internally on the server for local delivery destinations. Access restrictions were not correctly enforced in these interfaces, allowing users with limited privileges to view the private email routing details of other accounts.

Credits

This issue was discovered by Narendra Bhati.

Solution

This issue is resolved in the following builds:
11.48.4.4
11.46.3.6
11.44.3.5

SEC-26

Summary

Self XSS Vulnerability in File Manager Upload.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

Description

Error messages generated during a file upload failure may contain the file name. In some circumstances, the file name was not correctly escaped. This allowed JavaScript in the file name to run in the web browser.

Credits

This issue was discovered by Jasminder Pal Singh.

Solution

This issue is resolved in the following builds:
11.48.4.4
11.46.3.6
11.44.3.5

SEC-27

Summary

Self Stored XSS in WHM Theme Manager.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

Description

Theme names in the WHM Theme Manager interface were not properly HTML escaped when they were displayed.
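Both SEC-26 and SEC-27 are the same defect: a user-controlled name reaches HTML without escaping at the point of output. The following Python is an added example written for this page, not cPanel code; upload_error_unsafe, upload_error and theme_option are hypothetical names, and the sample names are constructed. It shows the defective interpolation next to the corrected one, and the same escaping applied to a theme name inside an attribute and a text node.

```python
"""HTML-escape user-controlled names before putting them in markup.

Added example, not cPanel code; upload_error_unsafe, upload_error and
theme_option are hypothetical. It covers both patterns on this page: a file
name echoed in an upload error (SEC-26) and a theme name listed in a manager
interface (SEC-27).
"""
import html

# Constructed sample names carrying markup, as an attacker-chosen name would.
SAMPLE_FILENAME = '<script>alert("x")</script>.txt'
SAMPLE_THEME = 'x3" onmouseover="alert(1)'


def upload_error_unsafe(filename: str) -> str:
    """The defective pattern: the name is interpolated raw, so its markup renders."""
    return f'<p class="error">Upload of {filename} failed.</p>'


def upload_error(filename: str) -> str:
    """Corrected pattern: escape at the point of output. quote=True also
    converts quotes, so the same helper is safe inside attribute values."""
    return f'<p class="error">Upload of {html.escape(filename, quote=True)} failed.</p>'


def theme_option(theme: str, selected: bool = False) -> str:
    """Render one <option> of a theme selector with the name escaped in both
    the value attribute and the visible text."""
    safe = html.escape(theme, quote=True)
    sel = " selected" if selected else ""
    return f'<option value="{safe}"{sel}>{safe}</option>'


def renders_markup(rendered: str, raw_name: str) -> bool:
    """True if the raw name survived unescaped in the rendered HTML."""
    return raw_name in rendered


if __name__ == "__main__":
    print(upload_error_unsafe(SAMPLE_FILENAME))   # markup intact: vulnerable
    print(upload_error(SAMPLE_FILENAME))          # markup neutralised
    print(theme_option(SAMPLE_THEME, selected=True))
```

The escaping is done where the string enters HTML, not where the name is stored: a name that is valid on disk or in a theme list has no safe form until the output context is known.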

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.48.4.4
11.46.3.6
11.44.3.5

SEC-32

Summary

External XML Entity vulnerability in cPanel WebDAV server.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)

Description

The method used to protect the cpdavd WebDAV server from XXE injections was incompatible with the version of libxml2 available on RedHat 5 and CentOS 5 systems. As a result, it was possible for a WebDAV virtual account to read arbitrary files in the home directory of the controlling cPanel account.
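The failure mode in SEC-32 is a protection that depended on a particular parser library behaving a certain way. A check that does not depend on the library is to refuse any DOCTYPE or entity declaration in untrusted XML before the parser can resolve anything. The Python below is an added example for this page, not cpdavd code; parse_untrusted_xml, is_safe and UnsafeXML are hypothetical names, and the two WebDAV request bodies are constructed samples (the file path in the second one is a placeholder).

```python
"""Refuse untrusted XML that carries a DOCTYPE, before any entity can expand.

Added example, not cpdavd code. parse_untrusted_xml, is_safe and UnsafeXML
are hypothetical names. Rejecting the DTD outright does not depend on which
libxml2 version is installed, which was the gap described in SEC-32.
"""
import xml.parsers.expat

# Constructed samples: a plain WebDAV PROPFIND body, and one that declares an
# external entity pointing at a placeholder file in a home directory.
SAFE_PROPFIND = b'<?xml version="1.0"?><D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>'
XXE_PROPFIND = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE propfind [<!ENTITY xxe SYSTEM "file:///home/example/.secret">]>'
    b'<D:propfind xmlns:D="DAV:"><D:prop>&xxe;</D:prop></D:propfind>'
)


class UnsafeXML(ValueError):
    """Document declared a DTD or entity, which untrusted input may not do."""


def parse_untrusted_xml(data: bytes):
    """Return the (tag, attributes) start events of a DTD-free document.

    expat invokes the DOCTYPE and entity-declaration handlers as soon as it
    reads those constructs, so the exception fires before any reference in
    the body is resolved.
    """
    parser = xml.parsers.expat.ParserCreate()
    events = []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} not permitted in untrusted input")

    def reject_entity(*_):
        raise UnsafeXML("entity declarations not permitted in untrusted input")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.StartElementHandler = lambda tag, attrs: events.append((tag, attrs))
    parser.Parse(data, True)
    return events


def is_safe(data: bytes) -> bool:
    """True if the document parses without declaring a DTD or entity."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXML:
        return False
    return True


if __name__ == "__main__":
    print(parse_untrusted_xml(SAFE_PROPFIND))
    print(is_safe(XXE_PROPFIND))   # False: rejected at the DOCTYPE
```

WebDAV request bodies never legitimately need a DTD, so this check loses nothing for that protocol; for formats that do require internal DTDs the handler would have to distinguish internal from external subsets instead of rejecting all of them.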

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.48.4.4
11.46.3.6
11.44.3.5

SEC-33

Summary

Demo accounts allowed to download arbitrary files.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

Description

A cPanel account in demo mode was allowed to download arbitrary files from the account’s home directory using the getbackup, getsysbackup, and download URLs. These URLs are now restricted to non-demo accounts.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.48.4.4
11.46.3.6
11.44.3.5

SEC-34

Summary

Demo accounts allowed to upload temporary files in some interfaces.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:N/A:P)

Description

The Cpanel::Form module used by cPanel & WHM to parse HTTP parameters and file uploads is designed to prevent demo cPanel accounts from uploading any files to the system. This restriction was not correctly enforced for scripts in the ‘base/backend’ and ‘cgi-sys’ directories.
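SEC-33 and SEC-34 are two sides of the same enforcement problem: a demo-mode restriction that has to hold on every download URL and for every script that accepts uploads, whichever directory it lives in. The Python below is an added example for this page, not cPanel code or the Cpanel::Form module; Account, DemoModeViolation, check_download and parse_multipart are hypothetical names, the sample request body and paths are constructed, and only the three URL basenames are taken from SEC-33. It places the demo check inside the multipart parser itself, so a file part is refused before its bytes are kept, and alongside it a path check for the download entry points.

```python
"""Central demo-mode enforcement for download URLs and file uploads.

Added example, not cPanel code. Account, DemoModeViolation, check_download
and parse_multipart are hypothetical names; the three URL basenames come from
SEC-33. Doing the check inside the form parser means every script that uses
it, whatever directory it lives in, gets the same refusal.
"""
import re
from dataclasses import dataclass

# Download entry points that SEC-33 restricts to non-demo accounts.
DEMO_BLOCKED_DOWNLOADS = frozenset({"getbackup", "getsysbackup", "download"})

# Constructed sample multipart/form-data request: one text field, one file.
SAMPLE_BOUNDARY = b"XX"
SAMPLE_BODY = (
    b'--XX\r\nContent-Disposition: form-data; name="dir"\r\n\r\n/public_html\r\n'
    b'--XX\r\nContent-Disposition: form-data; name="file"; filename="a.txt"\r\n'
    b'Content-Type: text/plain\r\n\r\nhi\r\n'
    b'--XX--\r\n'
)


class DemoModeViolation(PermissionError):
    """Raised when a demo account attempts a file transfer it may not perform."""


@dataclass(frozen=True)
class Account:
    name: str
    demo: bool = False


def check_download(account: Account, url_path: str) -> bool:
    """Allow the request unless a demo account hits a blocked download URL."""
    base = url_path.rstrip("/").rsplit("/", 1)[-1]
    if account.demo and base in DEMO_BLOCKED_DOWNLOADS:
        raise DemoModeViolation(f"{account.name}: {base} is not available in demo mode")
    return True


# "[;\s]name=" keeps this from matching the tail of "filename=".
_NAME = re.compile(rb'[;\s]name="([^"]*)"')
_FILENAME = re.compile(rb'filename="([^"]*)"')


def parse_multipart(body: bytes, boundary: bytes, account: Account):
    """Split a multipart/form-data body into plain fields and file parts.

    Any part carrying a filename is a file part; for a demo account it is
    refused before its bytes are retained, so no temporary file is written.
    """
    fields, files = {}, {}
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        headers, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):
            data = data[:-2]
        m = _NAME.search(headers)
        if m is None:
            continue                         # malformed part: ignore it
        name = m.group(1).decode(errors="replace")
        fm = _FILENAME.search(headers)
        if fm is None:
            fields[name] = data.decode(errors="replace")
            continue
        if account.demo:
            raise DemoModeViolation(f"{account.name}: uploads are disabled in demo mode")
        files[name] = (fm.group(1).decode(errors="replace"), data)
    return fields, files


if __name__ == "__main__":
    print(parse_multipart(SAMPLE_BODY, SAMPLE_BOUNDARY, Account("alice")))
    try:
        parse_multipart(SAMPLE_BODY, SAMPLE_BOUNDARY, Account("guest", demo=True))
    except DemoModeViolation as exc:
        print("refused:", exc)
```

The parser above is deliberately minimal (no nested multipart, no quoted-boundary handling); the point it makes is structural: a restriction enforced in one shared parser cannot be bypassed by a script directory that happened to be missed, which is the gap SEC-34 describes.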

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.48.4.4
11.46.3.6
11.44.3.5

You can view the PGP-Signed version of this message here: http://news.cpanel.com/wp-content/uploads/2015/05/TSR-2015-0003-Disclosure.txt