cPanel TSR-2015-0006 Full Disclosure
SEC-29
Summary
Sensitive data revealed to subaccounts through comet feeds.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.6 (AV:N/AC:H/Au:S/C:P/I:P/A:N)
Description
A reseller account could read the comet data intended for the root account and other reseller accounts by subscribing to the wildcard comet channel. Webmail users could similarly read data intended for the cPanel account to which they belonged. All comet data in cPanel, WHM, and Webmail is now restricted to the specific account that created the data.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.52.1.1
11.52.0.23
11.50.3.1
11.48.4.8
SEC-60
Summary
Email sending limit bypass.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Description
The configured email rate limits for an account were not enforced correctly when the account relayed email using an empty envelope sender address.
Credits
This issue was discovered by Matt Sheldon.
Solution
This issue is resolved in the following builds:
11.52.1.1
11.52.0.23
11.50.3.1
11.48.4.8
SEC-64
Summary
Unauthenticated arbitrary code execution via DNS NS entry poisoning.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
Description
Under some configurations, the server fetches DNS nameserver settings from remote DNS servers when an account is created. The retrieved nameserver records were used in an insecure manner, allowing arbitrary code execution as root during the account creation process.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.52.1.1
11.52.0.23
11.50.3.1
11.48.4.8
SEC-65
Summary
Unauthorized password changes via Webmail API commands.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
Description
Inconsistencies in the way Webmail API calls separated email addresses into local and domain portions allowed Webmail users to change the passwords of some other accounts on the system.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.52.1.1
11.52.0.23
11.50.3.1
11.48.4.8
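The class of flaw described for SEC-65, as an added illustration that is not cPanel's code: two address-splitting conventions disagree on an input with more than one "@", and a hardened handler parses once, authorizes on the parsed pair, and writes with that same pair. All function names, the sample addresses, and the policy that a Webmail user may change only their own password are assumptions made for the example.

```python
# Added illustration, not cPanel code. Names and sample data are constructed.
import re

_LOCAL = re.compile(r"[A-Za-z0-9._+-]+")
_DOMAIN = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+")

def split_first(addr):
    """Split at the first '@' (one convention a code path might use)."""
    local, _, domain = addr.partition("@")
    return local, domain

def split_last(addr):
    """Split at the last '@' (another convention)."""
    local, _, domain = addr.rpartition("@")
    return local, domain

def parse_mailbox(addr):
    """Canonical parser: exactly one '@', strict charsets, lowercased domain."""
    if addr.count("@") != 1:
        raise ValueError("address must contain exactly one '@'")
    local, domain = addr.split("@")
    domain = domain.lower()
    if not _LOCAL.fullmatch(local) or not _DOMAIN.fullmatch(domain):
        raise ValueError("invalid local or domain portion")
    return local, domain

def change_password(session_mailbox, target, new_password, store):
    """Parse once, authorize on the parsed pair, write with the same pair."""
    mailbox = parse_mailbox(target)
    if mailbox != parse_mailbox(session_mailbox):
        # Assumed policy: a Webmail user changes only their own password.
        raise PermissionError("target is not the authenticated mailbox")
    store[mailbox] = new_password  # keyed by the pair that was authorized
    return mailbox

if __name__ == "__main__":
    ambiguous = "bob@example.net@example.com"  # constructed input
    # The two conventions name different mailboxes for the same string.
    print(split_first(ambiguous), split_last(ambiguous))
    store = {}
    print(change_password("alice@example.com", "alice@EXAMPLE.com", "pw", store))
```

Rejecting any address that does not contain exactly one "@" removes the input on which the two conventions can disagree, so the ownership check and the write always refer to the same mailbox.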
SEC-66
Summary
WHM API allows for unauthorized zone modification.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 5.5 (AV:N/AC:L/Au:S/C:N/I:P/A:P)
Description
Incorrect handling of the ‘zone’ argument during ownership checks in multiple WHM API calls allowed for unauthorized zone modifications.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.52.1.1
11.52.0.23
11.50.3.1
11.48.4.8
The PGP-Signed version of this disclosure is located here: https://news.cpanel.com/wp-content/uploads/2015/11/TSR-2015-0006-Disclosure.txt