cPanel TSR-2016-0002 Full Disclosure

SEC-31

Summary

Daemons can access their controlling TTY.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)

Description

Daemonized code is not fully detached from its parent process. This allows an attacker to control a TTY they do not own.
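The defect above is the missing session detach. The following added example (not cPanel's code) shows the standard detach sequence and a check a daemon can run on itself to confirm it can no longer reach a controlling TTY; it assumes Linux /dev/tty semantics, where opening /dev/tty fails once the process has no controlling terminal.

```python
import os

def has_controlling_tty() -> bool:
    """True when the calling process can still open its controlling terminal.
    A correctly daemonized process must return False here."""
    try:
        fd = os.open("/dev/tty", os.O_RDWR | os.O_NOCTTY)
    except OSError:          # ENXIO: no controlling TTY; ENOENT: no /dev/tty at all
        return False
    os.close(fd)
    return True

def detach_from_session() -> None:
    """Standard detach sequence: start a new session (drops the controlling TTY),
    then fork once more so the survivor is not a session leader and cannot
    reacquire a controlling TTY simply by opening a terminal device."""
    os.setsid()
    if os.fork() != 0:
        os._exit(0)          # intermediate child exits; the grandchild carries on
    os.chdir("/")
    os.umask(0o022)

def probe_in_child(detach: bool) -> bool:
    """Fork a worker, optionally run detach_from_session() in it, and report
    whether the worker could still reach the parent's controlling TTY."""
    read_end, write_end = os.pipe()
    pid = os.fork()
    if pid == 0:                                   # worker side
        os.close(read_end)
        if detach:
            detach_from_session()
        os.write(write_end, b"1" if has_controlling_tty() else b"0")
        os._exit(0)
    os.close(write_end)
    result = b""
    while True:
        chunk = os.read(read_end, 1)
        if not chunk:                              # EOF once every writer has exited
            break
        result += chunk
    os.close(read_end)
    os.waitpid(pid, 0)
    return result == b"1"

if __name__ == "__main__":
    print("undetached child sees TTY:", probe_in_child(False))  # depends on how this was launched
    print("detached child sees TTY:", probe_in_child(True))     # always False
```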

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2

SEC-75

Summary

scripts/addpop discloses password in process list.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)

Description

The addpop and cpanel-email.pl scripts both expose passwords to other users via the process list when using the '--password' flag. This behavior can be prevented by not using the '--password' flag and entering the password during the execution of the script.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2

SEC-88

Summary

Self XSS Vulnerability in X3 Reseller Branding Images.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

Description

The branding package name was not adequately encoded when used to generate a path to branded images. An attacker was able to take advantage of this to inject arbitrary code into the rendered pages.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2

SEC-89

Summary

MakeText interpolation allows arbitrary code execution as root.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)

Description

Before a reseller’s branding configuration was processed, an incomplete user switch was performed that allowed for a switch back to the root user. When combined with a specifically crafted MakeText interpolated string, arbitrary code can be run as the root user.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2

SEC-90

Summary

Unauthenticated arbitrary code execution via DNS NS entry poisoning.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)

Description

Under some configurations, the server fetched DNS nameserver settings from remote DNS servers when a domain alias is created. The retrieved nameserver records were used in an insecure manner, which allowed arbitrary code execution as root during the domain alias creation process.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2

SEC-92

Summary

Bypass Security Policy by faking static documents.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 3.6 (AV:N/AC:H/Au:S/C:P/I:P/A:N)

Description

It was possible to bypass any security policy by ending a request path with a static-document extension. Static document requests are now checked to be valid before the request is passed through.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2

SEC-93

Summary

Bypass Two Factor Authentication with DNS clustering requests.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)

Description

In certain environments it was possible to bypass two factor authentication by using connections established by a DNS cluster request. Now when a connection performs a DNS cluster request, only DNS cluster requests will be allowed on that connection.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2

SEC-96

Summary

Self-Stored-XSS in WHM Edit System Mail Preferences.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

Description

A forwarding email address set to a piped value via the API command was not escaped when displayed in WHM. This value is now escaped properly.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.54.0.20
11.52.4.1

SEC-97

Summary

Arbitrary code execution via unsafe @INC path.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C)

Description

Several Perl scripts that are unlikely to be executed directly on cPanel & WHM systems were missed during the initial implementation of global @INC filtering in TSR-2016-0001.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2

SEC-99

Summary

Arbitrary file read due to multipart form processing error.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 6.3 (AV:N/AC:M/Au:S/C:C/I:N/A:N)

Description

The Cpanel::Form::parseform() function was found to mishandle multipart data fields in a way that allowed arbitrary files to be read in several WHM interfaces.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2

SEC-100

Summary

ACL bypass for AppConfig applications via magic_revision.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 4.9 (AV:N/AC:M/Au:S/C:P/I:P/A:N)

Description

The magic_revision component of a URL is not properly accounted for when determining if a particular URL belongs to an AppConfig registered application. Because of this, it is possible to bypass ACLs required to run the application.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2

SEC-101

Summary

Force two factor auth check when possessing another account.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)

Description

A high privileged reseller could bypass the two factor authentication security policy by possessing another account. Users will now need to enter their own two factor authentication token when logging in by possessing an account.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.54.0.20

SEC-102

Summary

FTP cPHulk bypass via account name munging.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

Description

The pureauth script used by PureFTPD performs some munging of the FTP username before verifying the password. The username provided to cPHulkd is set before this munging occurs. When authenticating via FTP, cPHulkd does not consider usernames with different junk characters as the same user for each login attempt. Because of this, the login limit number is never reached and a block is never put into place.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2

SEC-104

Summary

Username based blocking broken for PRE requests in cPHulkd.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Description

The cPHulk daemon had stopped signaling a failure when a username was blocked during a PRE action: if the IP address was not blocked, a success message was sent unconditionally.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2

SEC-105

Summary

Account suspension bypass via ftp.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 6 (AV:N/AC:M/Au:S/C:P/I:P/A:P)

Description

Via the API, certain FTP accounts could be created under names that are considered system-wide accounts, and these were able to bypass the suspension of the account they belong to. Hardening the account check now prevents this suspension bypass.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2

SEC-107

Summary

POP/IMAP cPHulk bypass via account name munging.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

Description

The cPanel email authentication performs some munging of the mail username before verifying the password. The username provided to cPHulkd is set before this munging occurs. When authenticating via mail, cPHulkd does not consider usernames with different junk characters as the same user for each login attempt. Because of this, the login limit number is never reached and a block is never put into place.
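SEC-102 and SEC-107 share one root cause: the brute-force counter is keyed on the raw username while the password check sees the munged one. The added example below (not cPanel's code; the normalisation rules are assumed, since the page does not spell out the real munging) shows why a counter keyed on raw input never reaches its limit and how keying on the same canonical name the authenticator uses fixes it.

```python
import re
from collections import defaultdict

# Assumed normalisation standing in for the munging the page mentions:
# trim whitespace, lowercase, drop characters outside a conservative alphabet.
_JUNK = re.compile(r"[^a-z0-9._@-]")

def canonical_user(raw: str) -> str:
    """The name the password check actually verifies against."""
    return _JUNK.sub("", raw.strip().lower())

class BruteForceTracker:
    """Counts failed logins per key and blocks once `limit` is reached.
    `key` decides what counts as 'the same user' across attempts."""
    def __init__(self, limit: int, key=lambda u: u):
        self.limit = limit
        self.key = key
        self.failures = defaultdict(int)

    def record_failure(self, raw_user: str) -> None:
        self.failures[self.key(raw_user)] += 1

    def is_blocked(self, raw_user: str) -> bool:
        return self.failures[self.key(raw_user)] >= self.limit

# Constructed sample: six failed logins that all resolve to the account "bob"
# once munged, but look like six different users before munging.
ATTEMPTS = ["bob", " Bob", "bob ", "BOB", "b*ob", "bo!b"]

def simulate(normalise: bool, limit: int = 5) -> bool:
    """Replay ATTEMPTS and report whether "bob" ends up blocked."""
    key = canonical_user if normalise else (lambda u: u)
    tracker = BruteForceTracker(limit, key)
    for attempt in ATTEMPTS:
        tracker.record_failure(attempt)
    return tracker.is_blocked("bob")

if __name__ == "__main__":
    print("keyed on raw username, blocked:", simulate(False))        # False
    print("keyed on canonical username, blocked:", simulate(True))   # True
```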

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2

SEC-108

Summary

Arbitrary file read when authenticating with caldav.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)

Description

It was possible to send specially crafted authentication credentials to the caldav port that would allow an attacker to read certain parts of a targeted file.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2

For the PGP-Signed version of this Disclosure please visit https://news.cpanel.com/wp-content/uploads/2016/03/TSR-2016-0002-disclosure.txt