cPanel TSR-2016-0006 Full Disclosure
SEC-158
Summary
Arbitrary file overwrite when account domain is modified.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 6.3 (AV:N/AC:M/Au:S/C:N/I:C/A:N)
Description
When an account’s domain name was modified, changes to the .htaccess file were performed as root. It was possible to take advantage of this to overwrite arbitrary files.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.58.0.37
11.56.0.39
11.54.0.33
SEC-159
Summary
Stored XSS in WHM Repair Mailbox Permissions interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
Description
The output of the mailperm script, which repairs the permissions of mailbox-related files, did not properly escape file and directory names.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33
SEC-160
Summary
Stored XSS Vulnerability in the WHM Manage cPAddons interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
Description
The cpaddons_report.cgi script was not properly escaping output when performing cPAddons management operations in WHM.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.58.0.37
11.56.0.39
11.54.0.33
SEC-161
Summary
File overwrite during preparation for MySQL upgrades.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.9 (AV:N/AC:H/Au:S/C:N/I:C/A:N)
Description
Before performing a MySQL upgrade the existing my.cnf is checked and updated with new values if needed. During this process it was possible for an unprivileged user to overwrite existing files. Now the handling of the my.cnf file is done in a secure directory to prevent any tampering.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33
SEC-162
Summary
Open redirect via /cgi-sys/FormMail-clone.cgi.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Description
There was an open redirect in the missing_fields_redirect parameter in FormMail-clone.cgi.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33
SEC-164
Summary
Arbitrary file overwrites when updating Roundcube.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 6.3 (AV:N/AC:M/Au:S/C:N/I:C/A:N)
Description
When updating Roundcube, file operations were performed in the user’s home directory as root. It was possible to take advantage of this to overwrite arbitrary files.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33
SEC-165
Summary
File create and chmod via ModSecurity Audit logfile processing.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
Description
The archiving and removal of per-user ModSecurity audit records did not verify that the user’s directory was of the correct type and ownership. This allowed files to be created, and file permissions to be changed, as the target user.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33
SEC-168
Summary
Enforce feature list restrictions when calling the multilang adminbin.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 1.7 (AV:L/AC:L/Au:S/C:N/I:P/A:N)
Description
The multilang adminbin did not check if the calling user had the multilang feature enabled.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33
SEC-169
Summary
Arbitrary code execution for ACL limited resellers during account creation.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C)
Description
A flaw in the new account creation process resulted in the Ruby ‘gem’ command running with the effective UID of the newly created user and the real UID of root. A malicious reseller account could leverage this flaw to execute arbitrary Ruby code with root’s UID during the account creation process.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.58.0.37
11.56.0.39
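A privilege drop that avoids the SEC-169 condition, added here as an example rather than cPanel's own code: it changes the real, effective and saved IDs together and verifies the result before any child process such as gem is started. It must run as root to do anything, and the account name is a placeholder.

```perl
#!/usr/bin/perl
# Added example, not cPanel code. SEC-169 was a child process whose
# effective UID was the new user while its real UID stayed root. This
# helper drops real, effective and saved IDs and refuses to continue
# unless the drop is complete. It needs root; the target account name
# is a placeholder supplied on the command line.
use strict;
use warnings;
use POSIX qw(setgid setuid);

sub drop_privileges {
    my ($user) = @_;
    my ($uid, $gid) = (getpwnam $user)[2, 3];
    die "unknown user $user" unless defined $uid;
    # Order matters: supplementary groups while still root, then gid, then uid.
    $) = "$gid $gid";                   # effective gid plus group list
    setgid($gid) or die "setgid: $!";   # real, effective and saved gid
    setuid($uid) or die "setuid: $!";   # real, effective and saved uid
    # Assigning only $> (effective) would leave $< (real) at 0: check both.
    die "privilege drop incomplete: real=$< effective=$>"
        unless $< == $uid && $> == $uid;
    # A complete drop cannot be undone; setuid(0) must now fail.
    die 'could regain root' if defined setuid(0);
    return $uid;
}

if ($< != 0) {
    print "run as root to exercise the drop; current real=$< effective=$>\n";
    exit 0;
}
my $target = $ARGV[0] // 'nobody';     # placeholder: the unprivileged account
my $uid = drop_privileges($target);
print "now uid $uid; children inherit real=$< effective=$>\n";
system('id');   # a child such as "gem" sees the same dropped identity
```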
SEC-171
Summary
Format string injection in exception message handling.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
Description
The error messages generated by adminbin failures were passed through Locale::Maketext multiple times. This caused user-supplied data to be used as a format string.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.60.0.25
SEC-172
Summary
Self XSS Vulnerability in the tail_ea4_migration.cgi interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)
Description
The error output in the interface of the EasyApache 4 migration log in WHM was not properly encoded. This allowed an attacker to execute arbitrary code on the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.60.0.25
SEC-173
Summary
Arbitrary file chown via reassign_post_terminate_cruft.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.9 (AV:N/AC:H/Au:S/C:C/I:N/A:N)
Description
The reassign_post_terminate_cruft script did not adequately prevent changes to the directories it was operating on. This allowed an attacker to change the ownership of an arbitrary file.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33
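SEC-158, SEC-164, SEC-165 and SEC-173 share a root cause: a privileged process working inside a directory the account owner controls. The pre-flight check below is an added example, not cPanel code; the helper name and the scratch directory layout are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not cPanel code. Pre-flight check for a job that runs as
# root but works inside a path an unprivileged user controls. The helper
# name and the sample layout are constructed for this demonstration.
use strict;
use warnings;
use Fcntl ':mode';
use File::Temp qw(tempdir);

# Returns (1, 'ok') when $dir is a real directory (not a symlink), owned by
# $uid and not writable by group or others; otherwise (0, reason).
sub safe_user_dir {
    my ($dir, $uid) = @_;
    my @st = lstat $dir or return (0, "lstat: $!");   # lstat never follows links
    return (0, 'is a symlink')         if S_ISLNK($st[2]);
    return (0, 'not a directory')      unless S_ISDIR($st[2]);
    return (0, "owned by uid $st[4], expected $uid") if $st[4] != $uid;
    return (0, 'group/world writable') if $st[2] & (S_IWGRP | S_IWOTH);
    return (1, 'ok');
}

# Constructed layout under a scratch directory; $< is the current user id.
my $root = tempdir(CLEANUP => 1);
mkdir "$root/mail"      or die $!;
mkdir "$root/elsewhere" or die $!;
symlink "$root/elsewhere", "$root/link" or die $!;
open my $fh, '>', "$root/plain" or die $!;
close $fh;
mkdir "$root/loose", 0777 or die $!;
chmod 0777, "$root/loose";             # force the mode regardless of umask

for my $case ([ mail => $< ], [ link => $< ], [ plain => $< ],
              [ loose => $< ], [ mail => $< + 1 ]) {
    my ($name, $uid) = @$case;
    my ($ok, $why) = safe_user_dir("$root/$name", $uid);
    printf "%-6s uid=%-6d %s\n", $name, $uid, $ok ? 'proceed' : "skip ($why)";
}
# A passing check is only the first step: the job should then drop
# privileges to $uid, or keep working on a directory handle it has already
# opened, rather than re-resolving the path as root for each operation.
```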
SEC-174
Summary
Stored XSS in homedir removal during WHM Account termination.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
Description
During account termination within WHM the error output during home directory removal was not encoded correctly.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33
SEC-175
Summary
Stored XSS in MySQL database names during WHM Account termination.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
Description
The output of MySQL database names was not properly escaped during the account termination process.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.58.0.37
11.56.0.39
11.54.0.33
SEC-176
Summary
Stored XSS in perlinstaller directory removal in WHM Account Termination.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)
Description
During the account termination within WHM the error output during the perlinstaller directory removal was not encoded correctly.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.58.0.37
11.56.0.39
11.54.0.33
SEC-177
Summary
Self-XSS Vulnerability in WHM Tweak Settings for autodiscover_host.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)
Description
The WHM Tweak Settings interface for the autodiscover_host configuration value could produce an error message that was not adequately encoded. This could allow an attacker to execute arbitrary code on the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33
SEC-178
Summary
Self-Stored XSS Vulnerability in listftpstable API.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)
Description
The listftpstable API call did not adequately encode the FTP account’s home directory. This allowed an attacker to inject arbitrary code into the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33
SEC-179
Summary
Stored XSS in api1_listautoresponders.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
Description
In custom themes, a call to api1_listautoresponders could produce output provided by an attacker via Webmail to the cPanel user that was not properly encoded.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33
SEC-180
Summary
Self-XSS Vulnerability in UI_confirm API.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)
Description
The UI_confirm API call did not adequately encode form element names. This allowed an attacker to inject arbitrary code into the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33
SEC-181
Summary
Self-Stored XSS in postgres API1 listdbs.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)
Description
Database names were not properly HTML encoded when listed by the Postgres listdbs api1 call.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33
SEC-182
Summary
Self-Stored XSS in SSL_listkeys.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)
Description
In a deprecated API1 call to list SSL keys, content could be printed that was not properly encoded.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33
SEC-184
Summary
Self-XSS in alias upload interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)
Description
An improperly named alias backup file uploaded to cPanel could produce an error message that was not properly encoded.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33
SEC-185
Summary
Sensitive file contents revealed during file copy operations.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)
Description
The Cpanel::FileUtils::Copy::safecopy() function did not preserve the source file’s permissions during copy operations. This allowed other users to read sensitive files while the file copy was taking place.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33
SEC-186
Summary
Apache SSL keys readable by the nobody group.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
Description
Apache SSL private key files were readable by the nobody group. This allowed unprivileged users to read the keys under certain Apache configurations.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33
SEC-187
Summary
Host Access Control improperly handles action-less host.deny entries.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.6 (AV:N/AC:H/Au:S/C:P/I:P/A:N)
Description
Entries manually added to /etc/hosts.deny without an explicit action were converted to allow entries when the Host Access Control page in WHM was used.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33
SEC-188
Summary
Arbitrary code execution via Maketext in PostgreSQL adminbin.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C)
Description
In an error condition, the PostgreSQL adminbin passed user controlled text as part of a Locale::Maketext format string. By triggering an error in an SQL query used by the adminbin, it was possible to execute arbitrary code as root.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33
SEC-191
Summary
Code execution via cpsrvd 403 response handler.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
Description
In some error conditions, cpsrvd used the requested filename in a Locale::Maketext format string while generating 403 responses.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33
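SEC-171, SEC-188 and SEC-191 share the same mistake: untrusted text spliced into a Locale::Maketext template. The following is an added example, not cPanel's code; the Demo::L10N class, the error detail and the helper names are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not cPanel code. Shows why untrusted text must reach
# Locale::Maketext as an argument, never as part of the template. The
# Demo::L10N class, the error text and the helper names are constructed.
use strict;
use warnings;

package Demo::L10N;
use parent 'Locale::Maketext';

package Demo::L10N::en;
use parent -norequire, 'Demo::L10N';
our %Lexicon = ( _AUTO => 1 );   # unknown phrases are compiled as templates

package main;

# Vulnerable pattern: the caller's text becomes part of the template, so
# square brackets in it are parsed as bracket-notation method calls.
sub render_unsafe {
    my ($lh, $detail) = @_;
    return $lh->maketext("Query failed: $detail");
}

# Fixed pattern: the template is a constant and the text is an argument,
# which [_1] copies into the output verbatim.
sub render_safe {
    my ($lh, $detail) = @_;
    return $lh->maketext('Query failed: [_1]', $detail);
}

# For text that must travel inside a template anyway: escape the three
# characters Maketext treats specially ("~~", "~[" and "~]").
sub maketext_quote {
    my ($text) = @_;
    $text =~ s/([~\[\]])/~$1/g;
    return $text;
}

my $lh = Demo::L10N->get_handle('en') or die 'no language handle';

# Constructed error detail; the brackets stand in for attacker-chosen text.
my $detail = 'syntax error near "[not_a_method]"';

my $out = eval { render_unsafe($lh, $detail) };
print defined $out ? "unsafe: $out\n" : "unsafe: template interpreted the text: $@";
print "safe:   ", render_safe($lh, $detail), "\n";
print "quoted: ", $lh->maketext('Query failed: ' . maketext_quote($detail)), "\n";
```

Newer Locale::Maketext releases also let a handle restrict which methods bracket notation may call (an allowlist); enabling it is cheap defense in depth on top of the argument-passing fix.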
SEC-192
Summary
HTTP POST to listinput.cpanel.net does not use TLS.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)
Description
subscribe_to_mailing_list did not use HTTPS, which could have allowed email addresses to be leaked in transit.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33
For the PGP-Signed version of this disclosure please visit https://news.cpanel.com/wp-content/uploads/2016/11/TSR-2016-0006.disclosure.txt