Summary
Feature requirements not enforced correctly by adminbins.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
Description
Several adminbin scripts did not properly verify the features enabled for the cPanel account running the adminbin script. This allowed cPanel users to perform some configuration functions that were disabled for the account.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.50.0.27
11.48.4.6
11.46.3.8
Summary
Arbitrary file overwrite via cpbackup-exclude.conf lock file.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 6.3 (AV:N/AC:M/Au:S/C:N/I:C/A:N)
Description
The cPanel & WHM account backup system allows users to exclude files from backups by placing a file named cpbackup-exclude.conf in the user’s home directory. During backup operations, this file was locked, opened, and read by root. An attacker could leverage this behavior to overwrite arbitrary files on the system.
Credits
This issue was discovered by RACK911Labs.com.
Solution
This issue is resolved in the following builds:
11.50.0.27
11.48.4.6
11.46.3.8
Summary
Arbitrary code execution via relative RPATH in PostgreSQL binaries.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
Description
The incorrect LDFLAGS were passed to the PostgreSQL build process. This resulted in an invalid RPATH being added to the PostgreSQL shared objects and binaries used by cPanel & WHM. An attacker could use this flaw to execute arbitrary code if the binaries or libraries were loaded inside of the attacker’s home directory.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.50.0.27
11.48.4.6
11.46.3.8
Summary
Disclosure of files owned by nobody.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)
Description
The cPanel & WHM account backup system records a list of files inside the user’s home directory that are owned by the ‘nobody’ user. The list was generated while running with root privileges. This behavior allowed an attacker to discover the locations of files owned by the ‘nobody’ user inside paths the attacker could not traverse.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.50.0.27
11.48.4.6
11.46.3.8
Summary
Arbitrary file overwrite via passwordforce lock file.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 6.3 (AV:N/AC:M/Au:S/C:N/I:C/A:N)
Description
The forcepasswordchange WHM API call locks, reads, and writes the ‘passwordforce’ file inside a user’s home directory. These operations were performed with root privileges, which allowed an attacker to overwrite arbitrary files on the system.
Credits
This issue was discovered by RACK911Labs.com.
Solution
This issue is resolved in the following builds:
11.50.0.27
11.48.4.6
11.46.3.8
Summary
Arbitrary file append by updating an account’s password.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 6.3 (AV:N/AC:M/Au:S/C:N/I:C/A:N)
Description
When updating an account’s password, the .my.cnf file in a user’s home directory will be updated with the accounts new password. The modification of the .my.cnf file was being performed with root privileges, which allowed an attacker to append this data to other sensitive files on the system.
Credits
This issue was discovered by RACK911Labs.com.
Solution
This issue is resolved in the following builds:
11.50.0.27
11.48.4.6
11.46.3.8
Summary
Email sending limits not enforced in jailshell.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Description
The email limits for an account are tracked using file in the /var/cpanel/email_send_limits directory. Inside a jailshell environment this directory was mounted read-only, preventing EXIM from enforcing the configured mail rate limits.
Credits
This issue was discovered by Matt Sheldon.
Solution
This issue is resolved in the following builds:
11.50.0.27
11.48.4.6
11.46.3.8
Summary
ModSecurity rules not enforced on default virtualhost.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Description
ModSecurity filtering is disabled for web traffic passed to the cPanel, WHM, and Webmail interfaces through proxydomains. The configuration directives used for this purpose incorrectly disabled ModSecurity filtering for all HTTP traffic directed at the server hostname or userdir URLs.
Credits
This issue was discovered by Alex Kwiecinski.
Solution
This issue is resolved in the following builds:
11.50.0.27
11.48.4.6
11.46.3.8
For the signed PGP version: http://news.cpanel.com/wp-content/uploads/2015/07/TSR-2015-0004-Disclosure.txt.