cPanel TSR-2016-0002 Full Disclosure
SEC-31
Summary
Daemons can access their controlling TTY.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)
Description
Daemonized code is not fully detached from its parent process. This allows an attacker to control a TTY they do not own.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2
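The detachment step that SEC-31 describes as incomplete, shown as an added Python illustration (not cPanel's own code; the helper names are assumed): setsid() drops the controlling terminal, the second fork keeps the survivor from ever reacquiring one, and the check confirms the result by trying to open /dev/tty.

```python
import errno
import os


def has_controlling_tty() -> bool:
    """True if this process still owns a controlling terminal: /dev/tty names
    that terminal, so opening it fails with ENXIO once a daemon has detached."""
    try:
        fd = os.open("/dev/tty", os.O_RDWR | os.O_NOCTTY)
    except OSError:
        return False  # ENXIO (no controlling TTY) or no /dev/tty node at all
    os.close(fd)
    return True


def detach_from_tty() -> None:
    """setsid() drops the controlling TTY; the second fork ensures the survivor
    is not a session leader, so it can never reacquire a terminal merely by
    opening a tty device later on."""
    os.setsid()
    if os.fork() != 0:
        os._exit(0)  # intermediate child exits, the grandchild carries on
    os.chdir("/")
    os.umask(0o022)
    devnull = os.open(os.devnull, os.O_RDWR)
    for fd in (0, 1, 2):  # never leave stdio pointing at the old terminal
        os.dup2(devnull, fd)
    if devnull > 2:
        os.close(devnull)


def run_detached_check() -> bool:
    """Fork a worker, detach it, and report whether it ended up TTY-free."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:
        os.close(r)
        detach_from_tty()
        os.write(w, b"1" if not has_controlling_tty() else b"0")
        os._exit(0)
    os.close(w)
    os.waitpid(pid, 0)  # reap the intermediate child
    result = os.read(r, 1)  # blocks until the grandchild reports or exits
    os.close(r)
    return result == b"1"


if __name__ == "__main__":
    print("worker detached from TTY:", run_detached_check())
```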
SEC-75
Summary
scripts/addpop discloses password in process list.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
Description
The addpop and cpanel-email.pl scripts both expose passwords to other users via the process list when the --password flag is used. This behavior can be prevented by not using the --password flag and instead entering the password during the execution of the script.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2
SEC-88
Summary
Self XSS Vulnerability in X3 Reseller Branding Images.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)
Description
The branding package name was not adequately encoded when used to generate a path to branded images. An attacker was able to take advantage of this to inject arbitrary code into the rendered pages.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2
SEC-89
Summary
MakeText interpolation allows arbitrary code execution as root.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)
Description
Before a reseller's branding configuration was processed, an incomplete user switch was performed that allowed for a switch back to the root user. When combined with a specifically crafted MakeText interpolated string, arbitrary code could be run as the root user.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2
SEC-90
Summary
Unauthenticated arbitrary code execution via DNS NS entry poisoning.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
Description
Under some configurations, the server fetched DNS nameserver settings from remote DNS servers when a domain alias is created. The retrieved nameserver records were used in an insecure manner, which allowed arbitrary code execution as root during the domain alias creation process.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2
SEC-92
Summary
Bypass Security Policy by faking static documents.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.6 (AV:N/AC:H/Au:S/C:P/I:P/A:N)
Description
It was possible to bypass any security policies by ending a request in a static document extension type. Now static document requests are checked to be valid before the document request is passed through.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2
SEC-93
Summary
Bypass Two Factor Authentication with DNS clustering requests.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
Description
In certain environments it was possible to bypass two factor authentication by using connections established by a DNS cluster request. Now when a connection performs a DNS cluster request, only DNS cluster requests will be allowed on that connection.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2
SEC-96
Summary
Self-Stored-XSS in WHM Edit System Mail Preferences.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)
Description
A forwarding email address set to a piped value via the API command was not escaped when displayed in WHM. This value is now escaped properly.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
SEC-97
Summary
Arbitrary code execution via unsafe @INC path.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C)
Description
Several perl scripts that are unlikely to be executed directly on cPanel & WHM systems were missed during the initial implementation of global @INC filtering in TSR-2016-0001.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2
SEC-99
Summary
Arbitrary file read due to multipart form processing error.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 6.3 (AV:N/AC:M/Au:S/C:C/I:N/A:N)
Description
The Cpanel::Form::parseform() function was found to mishandle multipart data fields in a way that allowed arbitrary files to be read in several WHM interfaces.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2
SEC-100
Summary
ACL bypass for AppConfig applications via magic_revision.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.9 (AV:N/AC:M/Au:S/C:P/I:P/A:N)
Description
The magic_revision component of a URL is not properly accounted for when determining if a particular URL belongs to an AppConfig registered application. Because of this, it is possible to bypass ACLs required to run the application.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2
SEC-101
Summary
Force two factor auth check when possessing another account.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
Description
A high privileged reseller could bypass the two factor authentication security policy by possessing another account. Users will now need to enter their own two factor authentication token when logging in by possessing an account.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.20
SEC-102
Summary
FTP cPHulk bypass via account name munging.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)
Description
The pureauth script used by PureFTPD performs some munging of the FTP username before verifying the password. The username provided to cPHulkd is set before this munging occurs. When authenticating via FTP, cPHulkd does not consider usernames with different junk characters as the same user for each login attempt. Because of this, the login limit number is never reached and a block is never put into place.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2
SEC-104
Summary
Username based blocking broken for PRE requests in cPHulkd.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Description
The cPHulk daemon no longer signaled a failure when a username was blocked during a PRE action: if the IP address was not blocked, a success message was sent unconditionally.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2
SEC-105
Summary
Account suspension bypass via ftp.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 6 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
Description
Certain FTP accounts could be added via the API with names that are treated as system-wide accounts, which allowed them to bypass the suspension of the owning account. The account check has been hardened and now prevents this suspension bypass.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2
SEC-107
Summary
POP/IMAP cPHulk bypass via account name munging.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)
Description
The cPanel email authentication performs some munging of the mail username before verifying the password. The username provided to cPHulkd is set before this munging occurs. When authenticating via mail, cPHulkd does not consider usernames with different junk characters as the same user for each login attempt. Because of this, the login limit number is never reached and a block is never put into place.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2
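An added Python model (not cPHulk's code) of the three counter flaws above: SEC-102 and SEC-107, where the per-account counter is keyed on the raw name rather than the munged one, and SEC-104, where a PRE check answers success whenever only the IP is clean. The munging rules, thresholds and sample names are constructed assumptions.

```python
import re
from collections import defaultdict


def canonical_username(raw: str) -> str:
    """Assumed stand-in for the authenticator's munging: case-fold, trim and
    drop every character outside a conservative set."""
    return re.sub(r"[^a-z0-9._@-]", "", raw.strip().lower())


class BruteForceTracker:
    """Minimal cPHulk-style counter with separate per-account and per-IP limits."""
    def __init__(self, max_user=5, max_ip=30, key_before_munging=False):
        self.max_user, self.max_ip = max_user, max_ip
        # Flawed mode: key the account counter on the raw name the client sent,
        # so every differently-junked spelling gets its own fresh budget.
        self.key_before_munging = key_before_munging
        self.user_failures = defaultdict(int)
        self.ip_failures = defaultdict(int)

    def _user_key(self, raw_user):
        return raw_user if self.key_before_munging else canonical_username(raw_user)

    def record_failure(self, raw_user, ip):
        self.user_failures[self._user_key(raw_user)] += 1
        self.ip_failures[ip] += 1

    def pre_check(self, raw_user, ip):
        """PRE action: allow only if neither the account nor the address is
        blocked; answering 'ok' whenever only the IP is clean reproduces SEC-104."""
        user_blocked = self.user_failures[self._user_key(raw_user)] >= self.max_user
        ip_blocked = self.ip_failures[ip] >= self.max_ip
        return not (user_blocked or ip_blocked)


def attempts_allowed(tracker, name_variants, ip):
    """Feed failed logins using successive spellings of one account name and
    return how many pass PRE before a block takes effect."""
    allowed = 0
    for name in name_variants:
        if not tracker.pre_check(name, ip):
            break
        tracker.record_failure(name, ip)
        allowed += 1
    return allowed


# Constructed sample: ten spellings that all munge down to the account "alice".
VARIANTS = ["alice", "Alice", " alice", "al ice", "ALICE ", "al!ice",
            "al#ice", "(alice)", "al*ice", "a|l|i|c|e"]
```

With the raw-name key all ten variants pass PRE; with the canonical key the block lands after five, and a blocked account is refused even from a clean address.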
SEC-108
Summary
Arbitrary file read when authenticating with caldav.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
Description
It was possible to send specially crafted authentication credentials to the caldav port that allowed certain parts of a targeted file to be read.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2
For the PGP-Signed version of this Disclosure please visit https://news.cpanel.com/wp-content/uploads/2016/03/TSR-2016-0002-disclosure.txt