cPanel TSR-2018-0002 Full Disclosure
SEC-338
Summary
Arbitrary file chmod during legacy incremental backups.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Description
It was possible for a user to prepare their home directory in such a way that, after a series of incremental backups, they could chmod arbitrary files on the system.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-357
Summary
Self-XSS in WHM cPAddons showsecurity Interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
The addon parameter to the cPAddons showsecurity interface is not adequately encoded when included in the final rendered page. This allowed for arbitrary scripts to be injected into the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
SEC-359
Summary
Code execution via ‘.’ in @INC during perl syntax check of cpaddonsup.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.6 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Description
The syntax check performed during /scripts/cpaddonsup did not use the fully qualified path to the cPanel-distributed perl interpreter. This could allow an attacker to execute arbitrary code if root executed this script in a user-controlled directory.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-362
Summary
Demo account code execution via awstats.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Description
The awstats application can be abused to execute arbitrary code on the server. This can be used by demo accounts to execute arbitrary code.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-364
Summary
Root accesshash revealed by WHM /cgi/trustclustermaster.cgi.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N
Description
A logic error in /cgi/trustclustermaster.cgi potentially exposed root’s accesshash when executed by a reseller with the DNS Clustering ACL.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-368
Summary
OpenID providers can inject arbitrary data into cPanel session files.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 6.4 CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
Description
cPanel session files cannot handle values that contain newlines. When linking accounts, OpenID Connect provider data is passed directly from the remote provider into the session. If this data includes a newline, it is possible to corrupt the session, allowing login to non-linked accounts.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-369
Summary
Stored XSS in WHM Edit DNS Zone.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.6 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Description
When saving a modified DNS zone, the MX records are parsed in order to reconfigure mail routing. This parsing is incorrect and also processes non-MX records by mistake. In combination with insufficient encoding of output error messages, this allowed an attacker to inject arbitrary code into the rendered page when a DNS zone is saved.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-370
Summary
Stored XSS in WHM Edit MX Entry.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.6 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Description
When saving a modified MX record, the MX records are parsed in order to reconfigure mail routing. This parsing is incorrect and also processes non-MX records by mistake. In combination with insufficient encoding of output error messages, this allowed an attacker to inject arbitrary code into the rendered page when an MX record is saved.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-372
Summary
Remote Stored XSS in WHM DNS Cluster.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
When viewing the list of currently configured DNS Cluster server members, the server version field was not escaped appropriately for its output context. This could allow an attacker to execute arbitrary code in the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-373
Summary
Remote Stored XSS in WHM Create Account.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
When creating an account while an attacker-controlled DNS cluster server is configured, messages passed back from DNS Admin did not apply context-appropriate escaping. This allowed arbitrary code to be injected into the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-374
Summary
Remote Stored XSS in WHM Edit DNS Zone.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
When editing DNS zones while an attacker-controlled DNS cluster server is configured, messages passed back from DNS Admin did not apply context-appropriate escaping. This allowed arbitrary code to be injected into the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-375
Summary
Remote Stored XSS in WHM Delete a DNS Zone.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
When deleting DNS zones while an attacker-controlled DNS cluster server is configured, messages passed back from DNS Admin did not apply context-appropriate escaping. This allowed arbitrary code to be injected into the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-376
Summary
Remote Stored XSS in WHM DNS Cleanup.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
When cleaning up DNS zones while an attacker-controlled DNS cluster server is configured, messages passed back from DNS Admin did not apply context-appropriate escaping. This allowed arbitrary code to be injected into the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-377
Summary
Remote Stored XSS in WHM Synchronize DNS Records.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
When syncing DNS zones while an attacker-controlled DNS cluster server is configured, messages passed back from DNS Admin did not apply context-appropriate escaping. This allowed arbitrary code to be injected into the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-378
Summary
Arbitrary file read and unlink via WHM style uploads.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.6 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
Description
A logic error in the handling of file uploads allowed attackers with the “manage-styles” ACL to read or unlink any file on the server with root’s effective permissions.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-379
Summary
Local privilege escalation via WHM Legacy Language File Upload interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 8.2 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Description
A logic error in the handling of file uploads allowed attackers with the “locale-edit” ACL to read, write and chmod files with root’s effective permissions. A local attacker could misuse this behavior to run arbitrary code as the root user.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-380
Summary
Local privilege escalation via WHM Locale XML Upload interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 8.2 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Description
A logic error in the handling of file uploads allowed attackers with the “locale-edit” ACL to read, write and chmod files with root’s effective permissions. A local attacker could misuse this behavior to run arbitrary code as the root user.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-382
Summary
Jailshell breakout via incorrect crontab parsing.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Description
There was a mismatch between what the cron daemon treats as whitespace and what the validation applied to new cron entries treats as whitespace. This allowed an attacker to set entries to be run by an arbitrary shell, resulting in an escape from jailshell.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-391
Summary
Remote Stored XSS in cpaddons vendor interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
When adding a third-party vendor to the cpaddons interface, the output was not properly escaped. This allowed remotely stored malicious files to execute arbitrary code in the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-392
Summary
Open redirect via /unprotected/redirect.html endpoint.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Description
The redirect script present at /unprotected/redirect.html does not adequately validate the redirect path parameter. This allowed for a redirect to arbitrary URLs.
Credits
This issue was discovered by Georgi Vasilev of siteground.com.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
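The validation SEC-392 describes as missing, written out as an added example (this is not cPanel's code; the function names and the fallback of "/" are assumptions). Because the parameter is meant to be a path, the check accepts only a same-site path and rejects absolute URLs, protocol-relative "//host" forms, the backslash variants browsers fold into "/", and control characters that could split the response header.

```python
from urllib.parse import urlsplit, urlunsplit

def safe_local_path(target):
    """Return `target` normalised as a same-site path, or None if it points
    anywhere else. Hypothetical helper, not part of the advisory."""
    if not target or any(ord(c) < 0x20 or c == "\x7f" for c in target):
        return None                        # empty, or CR/LF/other control chars
    if not target.startswith("/"):
        return None                        # relative paths and "scheme:..." forms
    if target.startswith("//") or "\\" in target:
        # "//host" is host-relative; urlsplit does not treat "\" as a
        # separator but browsers do, so reject it explicitly.
        return None
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:       # belt and braces after the checks above
        return None
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))

def redirect_location(target, fallback="/"):
    """Location a hardened redirect handler would emit for the requested target."""
    return safe_local_path(target) or fallback
```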
SEC-401
Summary
Htaccess restrictions bypass when “Htaccess Optimization” enabled.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Description
The “Htaccess Optimization” functionality introduced in cPanel & WHM version 66 allowed the bypassing of account suspensions and .htaccess based access controls with some configurations. This functionality has been disabled and will be replaced with an alternative optimization method in a future update.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
SEC-405
Summary
Demo account code execution via cPanel Landing Page.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Description
The app_name parameter used in the cPanel Landing Page template could be abused to additionally process a template controlled by a cPanel user. This can be used by demo accounts to execute arbitrary code.
Credits
This issue was discovered by Fabian Patrik of websafe.hu.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-406
Summary
Apache logs exposed by creation of certain domains.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.1 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
Description
A reseller could create a domain that would use and change ownership of existing domain log files. These domains use the “.localhost” TLD. It is no longer possible to create a domain with the aforementioned TLD.
Credits
This issue was discovered by rack911labs.com.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-410
Summary
Stored XSS in WHM Edit DNS Zone.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.6 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Description
When editing a DNS zone, error messages for a zone that cannot be parsed correctly are returned to the user. These error messages are not sufficiently encoded. This allowed arbitrary code to be injected into the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-411
Summary
Email account suspensions can be applied to unowned accounts.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.4 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Description
It was possible for a user to suspend or unsuspend email accounts they did not own by taking advantage of email account names that contained newlines.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
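SEC-368 and SEC-411 share one defect: an untrusted value is written into a line-oriented store that uses the newline as its record separator, so a value containing a newline becomes a record of its own. The minimal "key=value" store below is an added illustration, not cPanel's session code; the field names, file format and sample values are constructed assumptions. It shows the verbatim writer being overridden, then two fixes: reject the value, or encode it so it stays on one line.

```python
import re
from urllib.parse import quote, unquote

# One record per line. Keys may not contain the separator either.
VALUE_SAFE = re.compile(r"\A[^\r\n\0]*\Z")
KEY_SAFE = re.compile(r"\A[^\r\n\0=]*\Z")

def serialize_unsafe(fields):
    """Write fields verbatim. A '\n' inside a value silently starts a new record,
    so an untrusted value can override a field the server itself wrote earlier."""
    return "".join(f"{k}={v}\n" for k, v in fields.items())

def serialize_strict(fields):
    """Fix 1: refuse anything that would break the one-record-per-line framing."""
    for k, v in fields.items():
        if not (KEY_SAFE.fullmatch(k) and VALUE_SAFE.fullmatch(v)):
            raise ValueError(f"field {k!r} contains a line break, NUL or separator")
    return serialize_unsafe(fields)

def serialize_encoded(fields):
    """Fix 2: percent-encode values so every byte of untrusted data stays on its line."""
    for k in fields:
        if not KEY_SAFE.fullmatch(k):
            raise ValueError(f"bad key {k!r}")
    return "".join(f"{k}={quote(v, safe='')}\n" for k, v in fields.items())

def parse(text, decode=False):
    """Load the file the way a simple line-oriented reader does: later lines win.
    The reader splits on exactly the character the validator rejects. Using
    str.splitlines() here would also break on \x0b, \x0c and \x1c-\x1e, which
    VALUE_SAFE permits: validator and consumer must agree on what ends a record
    (the same kind of mismatch SEC-382 describes for crontab whitespace)."""
    session = {}
    for line in text.split("\n"):
        if "=" in line:
            k, v = line.split("=", 1)
            session[k] = unquote(v) if decode else v
    return session

# Constructed sample: the server records the logged-in user, then stores an
# identifier supplied by a remote provider. The hostile identifier embeds a
# newline followed by a forged "user" record.
CLEAN_FIELDS = {"user": "alice", "openid_sub": "alice-at-provider"}
HOSTILE_FIELDS = {"user": "alice", "openid_sub": "alice-at-provider\nuser=bob"}

def owner_after_roundtrip(fields, serializer, decode=False):
    """Which user the session names after being written and read back."""
    return parse(serializer(fields), decode=decode)["user"]
```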
SEC-412
Summary
Stored XSS in WHM Reset a DNS Zone.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.6 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Description
When resetting a DNS zone, error messages for a zone that cannot be parsed correctly are returned to the user. These error messages are not sufficiently encoded. This allowed arbitrary code to be injected into the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-371
Summary
Any user is able to shut down Solr.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Description
The solr daemon stop key is passed to the daemon on the command line when it is started. This value is visible in the process listing while the daemon is running. Other users are able to see it, allowing a potential attacker to shut down the daemon at any time.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
For the PGP-Signed version of this announcement please see: https://news.cpanel.com/wp-content/uploads/2018/03/TSR-2018-0002.disclosure.signed.txt