cPanel TSR-2018-0001 Full Disclosure
SEC-308
Summary
SRS secret revealed in exim.conf.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Description
When the experimental SRS option for Exim was enabled, the secret key used to sign SRS email was visible inside the exim.conf file. This setting is now stored in a separate file that is not world-readable.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39
SEC-321
Summary
Database and dbuser names were not validated during renames.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Description
When renaming a database or database user via either the MySQL or PostgreSQL adminbins, the new name was not verified to meet cPanel’s naming requirements. This allowed an attacker to create databases or database users with reserved or invalid names.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39
SEC-324
Summary
Ownership not enforced by addpkgext and delpkgext WHM API calls.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.7 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Description
The “addpkgext” and “delpkgext” WHM API calls did not restrict modifications to only those packages and accounts that the reseller was authorized to change. These API calls now restrict modifications based on package and account ownership if the reseller does not have the “all” ACL.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
68.0.27
SEC-339
Summary
Backups revealed contents of directories that the user did not own.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.8 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
Description
During a backup it was possible to lead the process into directories that the user did not own. The file and directory paths would then be saved to a file that was readable by the user.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39
SEC-342
Summary
Root’s crontab briefly world-readable when enabling backups.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Description
When enabling backups, it is sometimes necessary to add new entries to root’s crontab. To perform this change, a temporary file was created with a predictable name and world-readable permissions. This allowed the crontab to be read by normal users during this action.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39
SEC-349
Summary
Arbitrary file read via restore adminbin.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Description
Race conditions in the RESTOREFILE functionality of the restore adminbin could be misused by local attackers to read any files on the system.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
68.0.27
SEC-351
Summary
Root’s crontab briefly world-readable during crontab configuration.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Description
When saving changes to root’s crontab through the “Configure cPanel Cron Jobs” interface in WHM, a temporary file containing root’s crontab was created with world-readable permissions.
Credits
This issue was discovered by rack911labs.com.
Solution
This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39
SEC-352
Summary
Root’s crontab briefly world-readable during post update tasks.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Description
During cPanel updates, root’s crontab was exposed in a world-readable temporary file by the post-install task that updates cPAddons.
Credits
This issue was discovered by rack911labs.com.
Solution
This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39
SEC-353
Summary
World-readable copy of httpd.conf created during syntax test.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Description
During httpd.conf updates on systems using EasyApache4, a copy of the httpd.conf file was created with world-readable permissions.
Credits
This issue was discovered by rack911labs.com.
Solution
This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39
SEC-354
Summary
Insecure file operations in bin/csvprocess.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.4 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N
Description
The csvprocess script performed file operations on predictably named files in the current working directory. If this script was run by the root user in a user-controlled directory, it was possible for an attacker to cause root-owned files to be overwritten. This script has been removed and its functionality moved into the API call that previously utilized this script.
Credits
This issue was discovered by rack911labs.com.
Solution
This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39
SEC-355
Summary
World-readable archive created by archive_sync_zones script.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Description
When scripts/archive_sync_zones generated a backup file, the resulting archive was created with world-readable permissions.
Credits
This issue was discovered by rack911labs.com.
Solution
This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39
SEC-356
Summary
Limited arbitrary file write via telnetcrt script.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.4 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N
Description
The telnetcrt script attempted to change directory to a safe location to write temporary files without verifying the directory existed or that the change of directory was successful. If this script was run manually in a world-writable directory, a local attacker could symlink the temporary filenames to unsafe locations. This script is no longer used by cPanel and has been removed.
Credits
This issue was discovered by rack911labs.com.
Solution
This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39
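Added example (not cPanel's telnetcrt or csvprocess, whose internals the advisory does not show) of the symlink hazard described for SEC-354 and SEC-356. A privileged script writes a scratch file with a predictable name relative to its working directory; when the chdir it relied on silently failed (SEC-356) or it was simply started in a directory a local user controls (SEC-354), that user can pre-create the name as a symlink and the write follows it. All paths, the "victim" file and the data below are constructed inside a throwaway directory; no system file is touched.

```python
import os
import tempfile

SCRATCH_NAME = "scratch.tmp"   # the predictable name the vulnerable script writes


def plant_symlink(shared_dir: str, victim: str) -> None:
    """The attacker's move: they can write shared_dir, so they park a symlink with the
    scratch file's known name pointing at a file they cannot write themselves."""
    os.symlink(victim, os.path.join(shared_dir, SCRATCH_NAME))


def write_scratch_vulnerable(cwd: str, safe_dir: str, data: str) -> str:
    """Vulnerable: chdir to the intended location without checking the result, then
    write a fixed name relative to wherever we ended up. open(..., "w") follows
    symlinks, so the privileged write lands on the victim."""
    os.chdir(cwd)                   # where the script happened to be started
    try:
        os.chdir(safe_dir)          # intended location ...
    except OSError:
        pass                        # ... but the failure is discarded: this is the bug
    with open(SCRATCH_NAME, "w") as fh:
        fh.write(data)
    return os.path.abspath(SCRATCH_NAME)


def create_exclusive(path: str, data: str) -> bool:
    """Defence that holds even with a fixed name: O_CREAT|O_EXCL makes the open fail
    if the path already exists, a planted symlink included, wherever it points.
    Returns False instead of overwriting anything."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return True


def write_scratch_hardened(cwd: str, safe_dir: str, data: str) -> str:
    """Hardened: let a failed chdir raise instead of guessing, then use mkstemp, which
    combines an unpredictable name with the O_EXCL|O_NOFOLLOW, mode 0o600 open above."""
    os.chdir(cwd)
    os.chdir(safe_dir)              # FileNotFoundError if missing: stop here
    fd, path = tempfile.mkstemp(prefix="scratch.", dir=os.getcwd())
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def run_demo() -> dict:
    """Stage the attack in a throwaway directory and run each variant against it."""
    start = os.getcwd()
    with tempfile.TemporaryDirectory() as d:
        shared = os.path.join(d, "shared")        # stands in for a world-writable directory
        safe = os.path.join(d, "private")         # the directory the script meant to use
        victim = os.path.join(d, "victim.conf")   # stands in for a root-owned file
        os.mkdir(shared)
        os.mkdir(safe)
        with open(victim, "w") as fh:
            fh.write("original\n")
        plant_symlink(shared, victim)

        write_scratch_vulnerable(shared, os.path.join(safe, "missing"), "attacker-chosen\n")
        with open(victim) as fh:
            after_vulnerable = fh.read()
        with open(victim, "w") as fh:             # reset for the hardened runs
            fh.write("original\n")

        exclusive_refused = not create_exclusive(os.path.join(shared, SCRATCH_NAME), "x\n")
        try:
            write_scratch_hardened(shared, os.path.join(safe, "missing"), "x\n")
            stops_on_bad_chdir = False
        except FileNotFoundError:
            stops_on_bad_chdir = True
        out = write_scratch_hardened(shared, safe, "safe data\n")
        with open(victim) as fh:
            after_hardened = fh.read()
        with open(out) as fh:
            hardened_output = fh.read()
        in_safe_dir = os.path.samefile(os.path.dirname(out), safe)
        os.chdir(start)                           # leave before the directory is removed
    return {
        "victim_after_vulnerable": after_vulnerable,        # "attacker-chosen\n"
        "exclusive_open_refused": exclusive_refused,        # True
        "hardened_stops_on_bad_chdir": stops_on_bad_chdir,  # True
        "victim_after_hardened": after_hardened,            # "original\n"
        "hardened_wrote_inside_safe_dir": in_safe_dir,      # True
        "hardened_output": hardened_output,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The two defences are independent: checking the chdir keeps the script out of the attacker's directory, and O_CREAT|O_EXCL (which mkstemp uses, with O_NOFOLLOW and mode 0o600) means that even a write into such a directory fails rather than following a planted link. Removing the script, as cPanel did here, is the third option when nothing depends on it.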
SEC-383
Summary
Self-XSS in cPanel Backup Restoration.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
When rendering the list of files that are restored from a partial backup, appropriate HTML escaping was not performed. This allowed arbitrary code to be injected into the rendered page.
Credits
This issue was discovered by Fabian Patrik of https://websafe.hu.
Solution
This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39
SEC-385
Summary
Self-XSS in WHM Apache Configuration Include Editor.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
When rendering invalid syntax after saving new Apache includes, the context appropriate escaping was not performed. This allowed arbitrary code to be injected into the rendered page.
Credits
This issue was discovered by Fabian Patrik of https://websafe.hu.
Solution
This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39
SEC-386
Summary
Self-Stored-XSS in WHM Account Transfer.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
Account usernames were not properly HTML escaped in the transfer log header when using the Remote User Account Transfer interface in WHM. This allowed arbitrary code to be injected into the rendered page.
Credits
This issue was discovered by Fabian Patrik of https://websafe.hu.
Solution
This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39
SEC-387
Summary
Self-XSS in WHM Spamd Startup Config.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
When saving spamd directives in WHM Spamd Startup Config, invalid configuration values were displayed without appropriate HTML escaping. This allowed arbitrary code to be injected into the rendered page.
Credits
This issue was discovered by Fabian Patrik of https://websafe.hu.
Solution
This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39
SEC-388
Summary
World-readable files created when using WHM Apache Includes Editor.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.2 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Description
When modifying the Apache Includes via the WHM Apache Includes Editor, the new configuration was created with world-readable permissions. This allowed the configuration to be viewed by unprivileged users.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39
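Added example (not cPanel's code) of the pattern shared by SEC-308, SEC-342, SEC-351, SEC-352, SEC-353, SEC-355 and SEC-388: a privileged process writes a copy of sensitive content (a crontab, httpd.conf, a zone archive, an Apache include) to a file that ends up world-readable, in the crontab cases under a predictable name. The script contrasts that with the fix pattern and includes the permission check an administrator would run after patching. The file names, the sample crontab line and the 0o022 umask are constructed for the demo; it writes only inside a throwaway directory.

```python
import os
import stat
import tempfile

# Constructed stand-in for privileged content (here one line of root's crontab).
SENSITIVE_CONTENT = "0 2 * * * /usr/local/cpanel/bin/backup\n"


def world_readable(path: str) -> bool:
    """True if the 'other' read bit is set, i.e. every local user can read the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def write_copy_insecure(tmpdir: str, content: str, umask: int = 0o022) -> str:
    """Vulnerable pattern: predictable name, umask left at the usual 0o022.

    open() creates the file as 0o666 & ~umask = 0o644, so for as long as it exists any
    local user can read the privileged content, at a path they already know.
    """
    old = os.umask(umask)
    try:
        path = os.path.join(tmpdir, "root_crontab.tmp")   # predictable name
        with open(path, "w") as fh:
            fh.write(content)
        return path
    finally:
        os.umask(old)


def write_copy_secure(tmpdir: str, content: str) -> str:
    """Hardened pattern: unpredictable name, created atomically with mode 0o600.

    tempfile.mkstemp opens with O_CREAT|O_EXCL and an explicit 0o600, so the file is
    owner-only whatever umask was inherited. The umask is tightened as well so that
    anything else the same operation creates (SEC-353/355/388 style copies) is private.
    """
    old = os.umask(0o077)
    try:
        fd, path = tempfile.mkstemp(prefix="root_crontab.", dir=tmpdir)
        with os.fdopen(fd, "w") as fh:   # write via the descriptor we created, not by re-opening the name
            fh.write(content)
        return path
    finally:
        os.umask(old)


def audit_world_readable(paths) -> list:
    """The post-patch check: which of these files can other users read?"""
    return [p for p in paths if os.path.exists(p) and world_readable(p)]


def run_demo() -> dict:
    """Run both patterns in a throwaway directory (standing in for /tmp) and report."""
    with tempfile.TemporaryDirectory() as d:
        bad = write_copy_insecure(d, SENSITIVE_CONTENT)
        good = write_copy_secure(d, SENSITIVE_CONTENT)
        with open(good) as fh:
            secure_content = fh.read()
        return {
            "insecure_mode": os.stat(bad).st_mode & 0o777,    # 0o644
            "secure_mode": os.stat(good).st_mode & 0o777,     # 0o600
            "leaking": [os.path.basename(p) for p in audit_world_readable([bad, good])],
            "secure_content_ok": secure_content == SENSITIVE_CONTENT,
            "secure_name_predictable": os.path.basename(good) == "root_crontab.tmp",
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {oct(value) if key.endswith('_mode') else value}")
```

On a real host, pass audit_world_readable the paths the advisory names (exim.conf, httpd.conf, the Apache include files, the archive produced by archive_sync_zones) plus any scratch files left under /tmp; anything it returns is readable by every shell account on the box. For the crontab cases specifically, the smallest fix is to avoid the scratch file altogether and feed the new table to `crontab -` on standard input.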
SEC-389
Summary
Self-XSS in WHM listips interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
The WHM /scripts2/listips interface did not escape user input and backend error messages when displaying JavaScript notices.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39
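Added example (not the WHM templates involved, which the advisory does not reproduce) for the escaping gaps in SEC-383, SEC-385, SEC-386, SEC-387 and SEC-389. The first four reflect user-controlled strings (restored file lists, invalid configuration values, account names) into HTML; SEC-389 places user input and backend error messages inside inline JavaScript, a different context with its own escaping rules. The usernames, messages and template snippets below are constructed for the demo.

```python
import html
import json

# Constructed inputs of the kind these interfaces reflect back: an account name
# from a transfer log header and a backend error message destined for a JS notice.
USERNAME = 'bob"><script>alert(document.cookie)</script>'
ERROR_MESSAGE = "Invalid value: '</script><script>alert(1)</script>"


def escape_html_text(value: str) -> str:
    """HTML text/attribute context: &, <, >, double and single quotes become entities."""
    return html.escape(value, quote=True)


def escape_js_string(value: str) -> str:
    """Inline-JavaScript string context. json.dumps handles quotes, backslashes,
    control characters and (with its default ensure_ascii) the U+2028/2029 line
    terminators. It does NOT touch < > &, so a value containing </script> would
    still end the script block for the HTML parser; escape those as \\uXXXX too."""
    literal = json.dumps(value)
    return literal.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def render_transfer_header_unescaped(username: str) -> str:
    """Vulnerable shape (SEC-386): raw interpolation into HTML."""
    return f'<h2 data-user="{username}">Transfer of {username}</h2>'


def render_transfer_header(username: str) -> str:
    """Fixed: one HTML-escaped copy serves both the attribute and the text node."""
    user = escape_html_text(username)
    return f'<h2 data-user="{user}">Transfer of {user}</h2>'


def render_js_notice_unescaped(message: str) -> str:
    """Vulnerable shape (SEC-389): raw interpolation into a JS string literal."""
    return f"<script>showNotice('{message}');</script>"


def render_js_notice(message: str) -> str:
    """Fixed: the JS literal, quotes included, comes from escape_js_string."""
    return f"<script>showNotice({escape_js_string(message)});</script>"


def js_roundtrip_ok(value: str) -> bool:
    """The escaped literal must still decode to the original: safety without data loss."""
    return json.loads(escape_js_string(value)) == value


def tag_count(rendered: str) -> int:
    """Number of '<' in the output; the fixed renderers only emit their own tags."""
    return rendered.count("<")


if __name__ == "__main__":
    for fn in (render_transfer_header_unescaped, render_transfer_header):
        print(fn(USERNAME))
    for fn in (render_js_notice_unescaped, render_js_notice):
        print(fn(ERROR_MESSAGE))
```

Which function to use is decided by where the output lands, not by where the data came from: html.escape inside a text node or attribute, a JSON-derived literal inside a script block, and never HTML-escaping alone for the latter, since it neither handles backslashes and line terminators nor keeps the displayed text intact.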
For the PGP-Signed version of this announcement please see: https://news.cpanel.com/wp-content/uploads/2018/01/TSR-2018-0001.disclosure.signed.txt