cPanel TSR-2016-0003 Full Disclosure

SEC-58

Summary

SQLite journal allowed for arbitrary file overwrite during Horde Restore.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 6.6 (AV:N/AC:H/Au:S/C:C/I:C/A:N)

Description

During a Horde restore using the old-style CSV data files, the SQLite database is opened as the user. However, the actual writes were performed as root, and SQLite does not open the journal file until those writes are made. This allowed the journal file to be opened as the root user, permitting arbitrary files to be overwritten.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.56.0.15
11.54.0.24
11.52.6.1
11.50.6.2

SEC-109

Summary

Demo account arbitrary code execution via ajax_maketext_syntax_util.pl.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)

Description

A Demo account user could execute code by passing certain maketext functions to the ajax_maketext_syntax_util.pl script. Demo accounts are now restricted from using the aforementioned script.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.56.0.15
11.54.0.24
11.52.6.1
11.50.6.2

SEC-110

Summary

Self XSS Vulnerability in Paper Lantern Landing Page.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

Description

The return_url parameter passed to the Paper Lantern landing page was not sufficiently encoded. This allowed an attacker to execute arbitrary code on the rendered page.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.56.0.15
11.54.0.24

SEC-112

Summary

Limited denial of service via /scripts/killpvhost.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:N/A:P)

Description

The killpvhost script did not adequately escape the passed domain name when matching it against entries in the ProFTPD configuration file. By removing an account that contains regular expression metacharacters, an attacker could also cause the removal of a targeted account’s dedicated IP address FTP configuration.
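The escaping defect described above, as an added illustration that is not cPanel's code (killpvhost is Perl; this is Python): a matcher that interpolates the domain name straight into a regular expression beside one that escapes it with re.escape(). The config layout and domain values are constructed for the example and do not reproduce the real proftpd.conf.

```python
import re

# Constructed stand-in for a ProFTPD config with per-account dedicated-IP
# virtual hosts; the real cPanel layout differs.
SAMPLE_CONF = """\
<VirtualHost 198.51.100.10>
  ServerName "victim.example"
</VirtualHost>
<VirtualHost 198.51.100.11>
  ServerName "attacker.example"
</VirtualHost>
"""

def vhost_blocks(conf):
    """Split the config into its <VirtualHost> ... </VirtualHost> blocks."""
    return re.findall(r"<VirtualHost [^>]+>.*?</VirtualHost>\n", conf, re.S)

def remove_vhost_unsafe(conf, domain):
    # Vulnerable form: the domain is interpolated raw, so any regex
    # metacharacters it carries are interpreted as pattern syntax and
    # can match (and remove) other accounts' blocks.
    pattern = r'ServerName "' + domain + '"'
    return "".join(b for b in vhost_blocks(conf) if not re.search(pattern, b))

def remove_vhost_safe(conf, domain):
    # Hardened form: re.escape() turns every character of the domain into
    # a literal, so only the exact ServerName entry can match.
    pattern = r'ServerName "' + re.escape(domain) + '"'
    return "".join(b for b in vhost_blocks(conf) if not re.search(pattern, b))

if __name__ == "__main__":
    # Constructed account name carrying metacharacters.
    print("unsafe left:", len(vhost_blocks(remove_vhost_unsafe(SAMPLE_CONF, ".*"))))
    print("safe left:  ", len(vhost_blocks(remove_vhost_safe(SAMPLE_CONF, ".*"))))
```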

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.56.0.15
11.54.0.24
11.52.6.1
11.50.6.2

SEC-113

Summary

/scripts/addpop and /scripts/delpop exposed TTYs.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C)

Description

When running /scripts/addpop and /scripts/delpop, root’s TTY could be leaked to an unprivileged user.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.56.0.15
11.54.0.24
11.52.6.1
11.50.6.2

SEC-114

Summary

/scripts/checkinfopages exposed TTY to unprivileged process.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C)

Description

When running /scripts/checkinfopages root’s TTY could be leaked to an unprivileged user.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.56.0.15
11.54.0.24
11.52.6.1
11.50.6.2

SEC-115

Summary

/scripts/maildir_converter exposed TTY to unprivileged process.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C)

Description

When running /scripts/maildir_converter root’s TTY could be leaked to an unprivileged user.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.56.0.15
11.54.0.24
11.52.6.1
11.50.6.2

SEC-116

Summary

/scripts/unsuspendacct exposed TTYs.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C)

Description

When running /scripts/unsuspendacct, root’s TTY could be leaked to an unprivileged user.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.56.0.15
11.54.0.24
11.52.6.1
11.50.6.2

SEC-117

Summary

/scripts/enablefileprotect exposed TTYs.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C)

Description

When running /scripts/enablefileprotect, root’s TTY could be leaked to an unprivileged user.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.56.0.15
11.54.0.24
11.52.6.1
11.50.6.2

SEC-118

Summary

Self-XSS in FTP account creation under addon domains.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

Description

Self-XSS existed in the FTP account creation section of the Addon Domain page due to unescaped HTML.

Credits

This issue was discovered by Saad Loukili.

Solution

This issue is resolved in the following builds:
11.56.0.15
11.54.0.24

SEC-119

Summary

Demo restriction breakout via show_template.stor.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)

Description

Inconsistencies in the way cpsrvd handled the document parameter allowed for the show_template.stor script to be executed in an unexpected context. This allowed for arbitrary code to be executed under demo accounts.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.56.0.15
11.54.0.24
11.52.6.1
11.50.6.2

SEC-120

Summary

Arbitrary file read for Webmail accounts via Branding APIs.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)

Description

The cPanel API 1 Branding calls did not adequately validate the brandingpkg argument. This allowed for Webmail accounts to read arbitrary files under the owning cPanel account.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.56.0.15
11.54.0.24
11.52.6.1
11.50.6.2

SEC-121

Summary

Webmail account arbitrary code execution through forwarders.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)

Description

The cPanel API calls that allow modification of an account’s email forwarding settings did not properly sanitize the provided forwarding options. This allowed Webmail accounts to inject shell commands into the forwarding system.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.56.0.15
11.54.0.24
11.52.6.1
11.50.6.2

SEC-122

Summary

SSL certificate not verified during license updates.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)

Description

The SSL certificate of the cPanel license server was not verified during license update requests.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.54.0.24

SEC-123

Summary

SQL Injection via ModSecurity TailWatch log file.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)

Description

When generating SQL statements for the ModSecurity TailWatch log file (used when mysqld cannot be reached), the values interpolated into the statements were not properly escaped. This allowed arbitrary SQL to be injected into the file, which the server administrator would then be prompted to run.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.56.0.15
11.54.0.24
11.52.6.1
11.50.6.2

SEC-124

Summary

Log file permissions not set correctly in dnsadmin-startup and spamd-startup.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)

Description

When creating new log files, dnsadmin-startup and spamd-startup opened them with the default world-readable permissions. This could allow sensitive information to be leaked.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.56.0.15

SEC-125

Summary

User log files become world-readable when rotated by cpanellogd.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

Description

When rotating user log files, cpanellogd created the new empty files with world-readable permissions. This could potentially allow an attacker to read sensitive information.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.56.0.15
11.54.0.24
11.52.6.1
11.50.6.2

For the PGP-Signed version of this document please visit https://news.cpanel.com/wp-content/uploads/2016/05/TSR-2016-0003-disclosure.txt.