cPanel TSR-2015-0003 Full Disclosure
SEC-22
Summary
Access restrictions on mail routing information not properly enforced.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
Description
The WHM, cPanel and Webmail interfaces each provide the ability to trace the route that email delivery takes. This routing information includes details about how email is routed internally on the server for local delivery destinations. Access restrictions were not correctly enforced in these interfaces, allowing users with limited privileges to view the private email routing details of other accounts.
Credits
This issue was discovered by Narendra Bhati.
Solution
This issue is resolved in the following builds:
11.48.4.4
11.46.3.6
11.44.3.5
SEC-26
Summary
Self XSS Vulnerability in File Manager Upload.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)
Description
Error messages generated when a file upload fails may include the file name. In some circumstances the file name was not correctly HTML-escaped, so JavaScript embedded in the file name ran in the web browser. Because the affected user is the one who chose the file name, this is a self-XSS.
Credits
This issue was discovered by Jasminder Pal Singh.
Solution
This issue is resolved in the following builds:
11.48.4.4
11.46.3.6
11.44.3.5
SEC-27
Summary
Self Stored XSS in WHM Theme Manager.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)
Description
Theme names in the WHM Theme Manager interface were not properly HTML escaped when they were displayed, so a theme name containing markup was rendered as HTML rather than as text.
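The following is an added example, not cPanel code, illustrating the defect class shared by SEC-26 and SEC-27: an attacker-controlled name (a file name in an upload error message, a theme name in a listing) interpolated into HTML without escaping, shown beside the escaped form. The two rendering functions, the option element and the sample names are assumptions made for the illustration; the attribute case is included because a name that lands inside a quoted attribute needs quote escaping as well as tag escaping.

```python
import html

# Constructed attacker-controlled strings for this illustration; they are
# not payloads taken from the advisory.
MALICIOUS_FILENAME = '<img src=x onerror="alert(1)">.txt'
MALICIOUS_THEME = 'x" onmouseover="alert(1)'


def upload_error_unescaped(filename):
    """Vulnerable form: the file name is interpolated into the error message
    as raw markup, so a name containing a tag becomes part of the page."""
    return f'<p class="error">Upload of {filename} failed.</p>'


def upload_error(filename):
    """Hardened form: escape the name before it reaches a text node."""
    return f'<p class="error">Upload of {html.escape(filename)} failed.</p>'


def theme_row_unescaped(theme):
    """Vulnerable form: a theme name used both as an attribute value and as
    element text, neither of them escaped (hypothetical markup)."""
    return f'<option value="{theme}">{theme}</option>'


def theme_row(theme):
    """Hardened form: quote=True (the default) also encodes " and ', which is
    what stops the name from closing the attribute it sits in."""
    safe = html.escape(theme, quote=True)
    return f'<option value="{safe}">{safe}</option>'


def leaks_raw_markup(rendered, untrusted):
    """Regression check: an untrusted string that carries markup characters
    must never appear verbatim in the rendered output."""
    return any(c in untrusted for c in '<>"\'&') and untrusted in rendered


if __name__ == "__main__":
    for vulnerable, fixed, value in (
        (upload_error_unescaped, upload_error, MALICIOUS_FILENAME),
        (theme_row_unescaped, theme_row, MALICIOUS_THEME),
    ):
        print("vulnerable:", vulnerable(value))
        print("hardened:  ", fixed(value))
        print("leaks raw markup after fix:", leaks_raw_markup(fixed(value), value))
```

The leaks_raw_markup check is the kind of assertion worth keeping in a template test suite: render a canary name containing each of the five HTML-significant characters through every view that echoes user input, and fail if the canary survives unchanged.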
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.48.4.4
11.46.3.6
11.44.3.5
SEC-32
Summary
XML External Entity (XXE) vulnerability in the cPanel WebDAV server.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
Description
The method used to protect the cpdavd WebDAV server from XML External Entity (XXE) injection was incompatible with the version of libxml2 available on RedHat 5 and CentOS 5 systems. As a result, a WebDAV virtual account could read arbitrary files in the home directory of the controlling cPanel account.
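As an added illustration of the SEC-32 defect class (this is not cpdavd code and says nothing about its internals), the following Python example parses a constructed request body containing a SYSTEM entity that points at a local file, once with external entity resolution enabled and once with it disabled, and shows that only the first configuration echoes the file's contents back through the document. Python's expat-based xml.sax reader stands in for the XML parser; since Python 3.7.1 it skips external general entities by default, so the example sets the feature explicitly in both directions. The element names, the file name under the temporary "home" directory and its contents are assumptions made for the demo.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class _TextCollector(ContentHandler):
    """Collects the character data of every element in document order."""

    def __init__(self):
        super().__init__()
        self._chunks = []

    def characters(self, content):
        self._chunks.append(content)

    def text(self):
        return "".join(self._chunks)


def parse_request_text(xml_bytes, resolve_external_entities):
    """Parse an XML request body and return its text content.

    resolve_external_entities=True models a parser that follows SYSTEM entity
    references (the vulnerable configuration); False models the hardened one,
    where references to external entities are reported as skipped and never
    read from disk or the network.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def xxe_payload(path):
    """Constructed attacker request: a SYSTEM entity naming a local file,
    expanded inside an element whose text the server would echo back.
    The <request>/<displayname> shape is hypothetical."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE request [\n'
        b'  <!ENTITY leak SYSTEM "' + path.encode() + b'">\n'
        b']>\n'
        b'<request><displayname>&leak;</displayname></request>\n'
    )


def demo():
    """Run the same payload through both parser configurations and return
    (secret, vulnerable_output, hardened_output)."""
    secret = "db_password=hunter2"  # constructed stand-in for a file in ~/
    with tempfile.TemporaryDirectory() as home:
        path = os.path.join(home, ".my.cnf")
        with open(path, "w") as fh:
            fh.write(secret + "\n")
        payload = xxe_payload(path)
        vulnerable = parse_request_text(payload, resolve_external_entities=True)
        hardened = parse_request_text(payload, resolve_external_entities=False)
    return secret, vulnerable, hardened


if __name__ == "__main__":
    secret, vulnerable, hardened = demo()
    print("vulnerable parser echoed:", repr(vulnerable))
    print("hardened parser echoed:  ", repr(hardened))
```

The point the advisory makes is that the protection has to be effective on the libxml2 actually installed, not only on the one the code was written against; a regression test like demo() above, run on each supported platform, is the cheapest way to notice when a parser option silently stops applying.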
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.48.4.4
11.46.3.6
11.44.3.5
SEC-33
Summary
Demo accounts allowed to download arbitrary files.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)
Description
A cPanel account in demo mode was allowed to download arbitrary files from the account’s home directory using the getbackup, getsysbackup, and download URLs. These URLs are now restricted to non-demo accounts.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.48.4.4
11.46.3.6
11.44.3.5
SEC-34
Summary
Demo accounts allowed to upload temporary files in some interfaces.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:N/A:P)
Description
The Cpanel::Form module used by cPanel & WHM to parse HTTP parameters and file uploads is designed to prevent demo cPanel accounts from uploading any files to the system. This restriction was not correctly enforced for scripts in the ‘base/backend’ and ‘cgi-sys’ directories.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.48.4.4
11.46.3.6
11.44.3.5
You can view the PGP-Signed version of this message here: http://news.cpanel.com/wp-content/uploads/2015/05/TSR-2015-0003-Disclosure.txt