cPanel TSR-2017-0003 Full Disclosure
SEC-234
Summary
Horde MySQL to SQLite conversion can leak database password.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.2 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Description
If the Horde MySQL to SQLite conversion script requires a password reset on the MySQL database, the new password was passed to the reset script as a command line argument. This password was visible to possible attackers in a `ps` process listing.
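The failure mode above (a secret handed to a child process on its command line, where every local user can read it from `ps` or /proc/<pid>/cmdline) and the usual fix are shown below as an added illustration in Python; this is not cPanel's conversion script, the reset-script path is a placeholder, and the sample password is constructed for the demonstration.

```python
import subprocess

# Constructed sample secret; a real reset script would receive the freshly
# generated MySQL password here.
SAMPLE_SECRET = "s3cr3tpw"


def argv_leaks_secret(argv, secret):
    """Audit helper: True if the secret would appear in the child's argv and
    therefore in `ps` output and /proc/<pid>/cmdline, readable by any local user."""
    return any(secret in arg for arg in argv)


def reset_with_argv(secret):
    """The vulnerable pattern: the password travels as a command-line argument.
    Only the argv is built here, so the leak can be checked without running it.
    The script path is a placeholder, not cPanel's real reset script."""
    return ["/path/to/reset_script", "--password", secret]


def reset_with_stdin(secret):
    """The safer pattern: the child reads the password from its stdin instead.
    A tiny POSIX sh one-liner stands in for the real reset script and reports
    only the length, so the secret appears neither in argv nor in the output."""
    argv = ["sh", "-c", 'IFS= read -r pw; printf "got %d chars" "${#pw}"']
    if argv_leaks_secret(argv, secret):
        raise RuntimeError("refusing to expose the secret on the command line")
    proc = subprocess.run(argv, input=secret + "\n", capture_output=True,
                          text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    print("argv form leaks:", argv_leaks_secret(reset_with_argv(SAMPLE_SECRET), SAMPLE_SECRET))
    print("stdin form child saw:", reset_with_stdin(SAMPLE_SECRET))
```

Passing the secret in an environment variable is an improvement over argv but still exposes it through /proc/<pid>/environ to processes running as the same user and to root; stdin, or a file created with mode 0600, keeps it out of both listings.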
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49
SEC-236
Summary
Code execution for webmail and demo accounts with the store_filter API call.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 6.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Description
Webmail and demo accounts are normally not allowed to perform code execution on a system. It was possible to circumvent this protection using the store_filter API call.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49
SEC-237
Summary
Code execution as root via SET_VHOST_LANG_PACKAGE multilang adminbin call.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
The SET_VHOST_LANG_PACKAGE command of the multilang adminbin did not adequately validate the package parameter passed to it. An attacker could pass in an arbitrary PHP package value, which allowed for arbitrary code to run as the root user.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49
SEC-238
Summary
Demo account code execution with BoxTrapper API.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.6 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Description
It was possible to use the BoxTrapper API as a demo user to upload files and execute them. The BoxTrapper API now forbids use by demo users.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49
SEC-239
Summary
Demo account file read vulnerability in Fileman::getfileactions API2 call.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.5 CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Description
The Fileman::getfileactions API2 call allowed demo account users to read the contents of arbitrary files on the system.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49
SEC-240
Summary
Webmail account arbitrary code execution via forwarders.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.4 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Description
The cPanel API calls that allow modification of an account’s email forwarding settings did not properly sanitize the forwarding options that were provided. This allowed webmail accounts to inject shell commands into the forwarding system.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49
SEC-241
Summary
Webmail arbitrary file write with addforward API call.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Description
A webmail user could use the addforward API1 call to set up an email forwarder to a file. This would allow the webmail user to write to any file location owned by the cPanel account. Now, webmail users can only add forwarders to valid email addresses.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
56.0.49
SEC-242
Summary
Demo account code execution through Encoding API calls.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Description
The Encoding API calls relied on the guess_file_encoding script to determine the character encoding of the specified file. This script was vulnerable to XML External Entity attacks that could be escalated to full code execution with some inputs.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49
SEC-243
Summary
Demo account code execution via ImageManager_dimensions API call.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Description
The ImageManager_dimensions API call invokes the ImageMagick identify utility. Due to possible vulnerabilities within the ImageMagick utilities, this could have been used to execute arbitrary code under a demo account.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49
SEC-244
Summary
Demo users have access to traceroute via api2.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Description
The traceroute api2 call was available to demo users, but the api1 traceroute call was blocked for those same users. Now, both api1 and api2 calls function in similar ways and block execution by demo users.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49
SEC-245
Summary
Demo accounts able to redirect web traffic.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.0 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
Description
The API1 commands to redirect the website traffic to parked domains were not implementing Demo mode restrictions correctly.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49
SEC-246
Summary
Cpanel::SPFUI API commands are available to demo accounts.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Description
The Cpanel::SPFUI API commands were available to demo accounts. It was possible to use these API commands to change the SPF records for a demo domain. This allowed an attacker to send email for the domain from an external system.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49
SEC-247
Summary
Demo and suspended accounts allowed to port-forward via SSH.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.0 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
Description
The shell configuration for Demo and Suspended accounts allowed traffic to forward through SSH. This has been addressed by adding these accounts to the “cpanelsuspended” and “cpaneldemo” groups, and explicitly blocking these groups in the sshd_config file.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49
SEC-248
Summary
Cpanel SSH API commands are allowed for Demo accounts.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Description
The Cpanel SSH API commands were allowed for demo accounts. This allowed demo users to generate, upload, and authorize SSH keys. It also allowed changes to be made to the filesystem and could enable further attacks.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49
SEC-249
Summary
Demo restrictions not enforced in SSL API calls.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Description
The cPanel API1, API2 and UAPI calls for SSL operations in cPanel did not enforce demo mode restrictions correctly. This allowed demo accounts to modify the demo domain’s SSL configuration.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49
SEC-250
Summary
File read and write for demo accounts in SourceIPCheck API.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Description
It was possible to use the SourceIPCheck API calls to read and write to files that the targeted demo account could access. Now, most SourceIPCheck API calls are no longer available to demo users.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49
SEC-251
Summary
Code execution for Demo accounts via ClamScanner_getsocket API.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Description
The ClamScanner_getsocket API command takes the location of the clamd binary as an argument. This is used as part of a shell command to find the current clamd socket file. It was possible to inject arbitrary shell commands into this argument, allowing for arbitrary code execution under Demo accounts.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49
SEC-252
Summary
Limited file read via Serverinfo_manpage API call.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Description
The Serverinfo_manpage API call accepts a parameter to select the displayed manpage. This parameter is vulnerable to a path traversal attack. This potentially allowed for an attacker to read some files on the calling account.
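The manpage-selector problem above is a plain path traversal: a parameter meant to name a file inside one directory is allowed to name a file elsewhere. The following added Python example (not cPanel's code; the manpage directory, the sample manpage and the symlink are all constructed inside temporary directories) shows the two checks a defender wants on such a parameter: a syntactic allowlist on the name and a containment check on the symlink-resolved path.

```python
import os
import re
import tempfile

# Syntactic allowlist for a manpage selector: no slashes, no leading dot and no
# traversal sequence can get through this pattern.
MANPAGE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.+-]*$")


def resolve_manpage(base_dir, name):
    """Return the absolute path of manpage `name` inside `base_dir`, or raise
    ValueError. Two independent checks: the name allowlist above, and a
    containment check on the symlink-resolved path (which catches a symlink
    inside the directory that points elsewhere, a case the allowlist alone passes)."""
    if not MANPAGE_NAME.match(name):
        raise ValueError(f"rejected manpage name: {name!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes manpage directory: {name!r}")
    return candidate


def read_manpage(base_dir, name):
    with open(resolve_manpage(base_dir, name), encoding="utf-8") as fh:
        return fh.read()


def demo():
    """Build a constructed manpage directory plus a file outside it, then show
    which requests are served and which are rejected."""
    man_dir = tempfile.mkdtemp()
    outside = tempfile.mkdtemp()
    with open(os.path.join(man_dir, "ls.1"), "w", encoding="utf-8") as fh:
        fh.write("LS(1) constructed sample manpage\n")
    with open(os.path.join(outside, "secret.txt"), "w", encoding="utf-8") as fh:
        fh.write("not for the caller\n")
    # A symlink inside the manpage directory that resolves outside it.
    os.symlink(os.path.join(outside, "secret.txt"), os.path.join(man_dir, "link"))

    results = {}
    for requested in ("ls.1", "../../etc/passwd", "..", "/etc/passwd", "link"):
        try:
            results[requested] = read_manpage(man_dir, requested).split()[0]
        except ValueError:
            results[requested] = "REJECTED"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!r:22} -> {outcome}")
```

The containment check compares resolved paths component-wise with `os.path.commonpath`, so a sibling directory whose name merely starts with the base directory's name is not mistaken for a child.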
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49
SEC-254
Summary
Limited file rename as root via scripts/convert_roundcube_mysql2sqlite.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.4 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
Description
The scripts/convert_roundcube_mysql2sqlite script calls out to shell commands via the system() function while in a reduced privileges state. If a user’s email virtual name contained special characters, the command would be invoked via the system shell. This would restore root privileges and invoke the command as root. This allowed for an attacker to rename files and/or copy them into a user accessible location.
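SEC-240, SEC-251 and SEC-254 share one root cause: caller-controlled text is spliced into a command string that a shell then parses, and in the SEC-254 case the mere presence of shell metacharacters is what makes a single-string system() spawn that shell. The added Python example below (not cPanel's code; the clamd allowlist and the tainted argument are constructed, and `echo` stands in for the real command) contrasts the shell-string form with the argv-list form, adds a metacharacter check useful for flagging suspicious API parameters, and shows a binary-location parameter validated against an allowlist instead of being trusted.

```python
import shlex
import subprocess

# Constructed allowlist of places the clamd binary is expected; a real
# deployment would populate this from its own install layout.
ALLOWED_CLAMD_PATHS = {"/usr/local/cpanel/3rdparty/bin/clamd", "/usr/sbin/clamd"}

# Constructed attacker-style argument; a harmless second echo stands in for
# whatever command a caller appended.
TAINTED = "hello; echo INJECTED"


def run_via_shell(arg):
    """Vulnerable pattern: the caller's value is spliced into one command string
    that a shell parses. Perl's single-string system() behaves the same as soon
    as the string contains shell metacharacters. Returns stdout lines."""
    proc = subprocess.run(f"echo {arg}", shell=True, capture_output=True, text=True)
    return proc.stdout.splitlines()


def run_as_argv(arg):
    """Fixed pattern: argv list and no shell, so the value reaches the program
    as a single literal argument whatever characters it contains."""
    proc = subprocess.run(["echo", arg], capture_output=True, text=True)
    return proc.stdout.splitlines()


def has_shell_metacharacters(arg):
    """True if a shell would treat `arg` as anything other than one plain word;
    shlex.quote only leaves a string untouched when it is shell-safe as is."""
    return shlex.quote(arg) != arg


def clamd_socket_argv(clamd_path):
    """What a hardened ClamScanner_getsocket-style call should do with the
    binary location: reject anything outside the allowlist, then build an argv
    list rather than a command string. The `--version` flag is only illustrative."""
    if clamd_path not in ALLOWED_CLAMD_PATHS:
        raise ValueError(f"unexpected clamd location: {clamd_path!r}")
    return [clamd_path, "--version"]


if __name__ == "__main__":
    print("shell string :", run_via_shell(TAINTED))   # the appended command ran
    print("argv list    :", run_as_argv(TAINTED))     # one literal argument
    print("flagged      :", has_shell_metacharacters(TAINTED))
```

With the shell-string form the output has two lines, because the shell executed both commands; with the argv form the entire tainted value is printed back as one line. The allowlist check matters even with an argv list: a caller who can choose which binary runs does not need a shell to run something unintended.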
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49
SEC-255
Summary
Limited file chmod in /scripts/convert_roundcube_mysql2sqlite.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Description
During the Roundcube SQLite conversion process, it was possible to chmod a limited set of files with elevated privileges by taking advantage of a race condition.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49
SEC-257
Summary
User crontab publicly visible during cPAddon upgrades.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Description
The functionality for adding and removing cron jobs for cPAddons exposed the user’s crontab by placing a copy in the user’s public Apache docroot.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49
SEC-259
Summary
Code execution via Rails configuration files.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 8.2 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Description
The Ruby on Rails settings for an account were stored in the account’s userdata directory in a way that would conflict with identically named domains. This could be abused to inject arbitrary configuration data into the Apache configuration file.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49
SEC-260
Summary
Supplemental groups lost during account renames.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N
Description
During account modifications, the supplemental groups a user belonged to were not updated to reflect a changed user name. This could potentially leak access to sensitive groups to subsequent accounts created with the same username.
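The group-membership issue above is easy to audit for after the fact: any /etc/group member that no longer matches an /etc/passwd entry is a membership waiting to be inherited by the next account created under that name. The added Python example below (not cPanel's code; the passwd and group excerpts are constructed) finds such stale memberships and shows what a rename path must do to membership lists so that none are left behind.

```python
# Constructed /etc/passwd excerpt: "bob" was renamed to "bobnew".
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bobnew:x:1002:1002::/home/bobnew:/bin/bash
"""

# Constructed /etc/group excerpt: the supplemental memberships still say "bob".
GROUP = """\
root:x:0:
wheel:x:10:root,bob
sshusers:x:1005:alice,bob
alice:x:1001:
bobnew:x:1002:
"""


def parse_passwd(text):
    """Set of user names present in passwd-format text."""
    return {line.split(":")[0] for line in text.splitlines()
            if line and not line.startswith("#")}


def parse_group(text):
    """Map group name -> list of supplemental members from group-format text."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = [m for m in members.split(",") if m]
    return groups


def stale_memberships(passwd_text, group_text):
    """Audit: group -> members that match no current user. Each one would be
    silently granted to a future account created with that name."""
    users = parse_passwd(passwd_text)
    stale = {}
    for group, members in parse_group(group_text).items():
        missing = [m for m in members if m not in users]
        if missing:
            stale[group] = missing
    return stale


def rename_user_in_groups(group_text, old, new):
    """What a rename must do to supplemental memberships: rewrite every
    occurrence of the old name so the renamed account keeps its groups and
    nothing is left for a later account of the same name to inherit. The
    primary group's own name field is left alone here."""
    out = []
    for line in group_text.splitlines():
        if not line or line.startswith("#"):
            out.append(line)
            continue
        name, pw, gid, members = line.split(":", 3)
        updated = [new if m == old else m for m in members.split(",") if m]
        out.append(":".join([name, pw, gid, ",".join(updated)]))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before rename:", stale_memberships(PASSWD, GROUP))
    print("after rename :", stale_memberships(PASSWD, rename_user_in_groups(GROUP, "bob", "bobnew")))
```

Run against a real host, `stale_memberships` with the contents of /etc/passwd and /etc/group gives a quick check for this class of leftover, whatever tool performed the rename.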
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49
SEC-262
Summary
Stored XSS in WHM cPAddons install interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.2 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
Description
When installing a cPAddon, if the installation of the cron jobs failed, the interface did not HTML encode the resulting error message. This could allow for arbitrary code to be injected into the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
62.0.24
60.0.43
58.0.49
56.0.49
For the PGP-Signed version of this announcement please see: https://news.cpanel.com/wp-content/uploads/2017/05/TSR-2017-0003.disclosure.signed.txt