cPanel TSR-2018-0003 Full Disclosure
SEC-393
Summary
API tokens retain ACLs that are removed from accounts.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 6.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
Description
Starting with cPanel & WHM version 68, it became possible to limit the authorizations of a WHM API token to a subset of the ACLs assigned to the reseller account. The logic that implemented this behavior did not restrict API tokens to the ACLs that were currently assigned to the reseller account. This allowed a reseller to retain access to an ACL after the ACL was removed from the reseller’s account.
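The defensive pattern behind this fix, as an added example (not cPanel code): the token's effective privileges are recomputed from the reseller's current ACLs on every request, instead of trusting the ACL list frozen into the token at creation. Class and function names, and the ACL names used in the demo, are assumptions.

```python
# Added example (not cPanel code): authorizing an API token against the
# reseller account's *current* ACLs rather than the set recorded when the
# token was issued. Account, ApiToken and authorize are assumed names.
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    acls: set = field(default_factory=set)   # ACLs the reseller currently holds


@dataclass
class ApiToken:
    owner: Account
    acls: set                                 # ACLs the token was limited to at creation


def issue_token(owner: Account, requested: set) -> ApiToken:
    # A token may never exceed the account's privileges at issue time.
    return ApiToken(owner=owner, acls=requested & owner.acls)


def authorize_stale(token: ApiToken, acl: str) -> bool:
    # Pattern behind SEC-393: only the token's own ACL list is consulted, so an
    # ACL later removed from the account is still honoured.
    return acl in token.acls


def authorize(token: ApiToken, acl: str) -> bool:
    # Fixed pattern: the effective set is the intersection, computed per request.
    return acl in (token.acls & token.owner.acls)


def demo() -> tuple:
    reseller = Account("reseller1", {"list-accts", "create-acct", "kill-acct"})
    token = issue_token(reseller, {"list-accts", "kill-acct"})
    before = (authorize_stale(token, "kill-acct"), authorize(token, "kill-acct"))
    reseller.acls.discard("kill-acct")          # administrator revokes the ACL
    after = (authorize_stale(token, "kill-acct"), authorize(token, "kill-acct"))
    return before, after


if __name__ == "__main__":
    print(demo())   # ((True, True), (True, False))
```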
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.43
68.0.39
SEC-394
Summary
Stored code execution injections in WHM cPAddons interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L
Description
The cpaddons_report.pl script escaped user-provided data with incorrect escaping functions in several places. This allowed cPanel users to cause unintended actions when the server administrator clicked links in the WHM cPAddons interfaces.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.43
68.0.39
62.0.47
SEC-395
Summary
Arbitrary file unlink via cPAddons moderation system.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N
Description
When the server administrator approves or denies a moderated cPAddons install, the moderation request file stored in the user’s home directory is removed. The file removal was performed with root privileges and could be misused by a local attacker to delete arbitrary files on the system.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.43
68.0.39
62.0.47
SEC-396
Summary
Email injection in cPAddons moderation.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.6 CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
Description
The cPAddons moderation script did not adequately validate email addresses provided by the user when handling cPAddons moderation requests. This allowed an attacker to inject arbitrary header data into the moderation response email.
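An added example of the check that prevents this class of bug (not the cPAddons moderation script itself): the user-supplied address is validated before it is interpolated into a header line, and any CR, LF or other control character is rejected. Function names are assumptions and the injected sample address is constructed for the demo.

```python
# Added example (not cPanel code): validating a user-supplied e-mail address
# before it is placed in a mail header. Function names are assumptions.
import re

# Deliberately conservative local@domain shape; anything outside it is rejected.
_ADDR_RE = re.compile(
    r"^[A-Za-z0-9._%+-]{1,64}@(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}$"
)


def is_safe_address(addr: str) -> bool:
    # A CR/LF or any other control byte lets the value terminate the current
    # header and start a new one, which is the SEC-396 injection pattern.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in addr):
        return False
    return _ADDR_RE.fullmatch(addr) is not None


def naive_headers(to_addr: str, subject: str) -> str:
    # The unsafe version: no validation, the value is interpolated directly.
    return f"To: {to_addr}\r\nSubject: {subject}\r\n"


def build_headers(to_addr: str, subject: str) -> str:
    # The fixed version: refuse to build the header at all for unsafe input.
    if not is_safe_address(to_addr):
        raise ValueError("refusing to place unsafe address in a header")
    return f"To: {to_addr}\r\nSubject: {subject}\r\n"


def header_count(raw_headers: str) -> int:
    # Counts header lines so the effect of an injected CRLF is visible.
    return len([ln for ln in raw_headers.split("\r\n") if ln])


if __name__ == "__main__":
    injected = "user@example.com\r\nBcc: other@example.org"   # constructed sample
    print(header_count(naive_headers(injected, "Moderation")))        # 3
    print(header_count(build_headers("user@example.com", "Moderation")))  # 2
```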
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.43
68.0.39
62.0.47
SEC-398
Summary
Remote-Stored XSS in WHM cPAddons installation interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
When installing a cPAddon in WHM, the output was not properly escaped. This allowed an attacker to execute arbitrary code in the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.43
68.0.39
62.0.47
SEC-399
Summary
Remote-stored XSS in YUM autorepair functionality.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
The EasyApache 3 build process attempts an automatic repair of the system’s YUM configuration if it appears broken. While downloading a replacement Yum repo file, error messages generated by the remote server were displayed to the user without context-appropriate escaping. This allowed an attacker to insert arbitrary HTML into the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.43
68.0.39
62.0.47
SEC-400
Summary
Remote-Stored XSS in WHM Save Theme Interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
During the download of cPanel-provided themes it was possible for an attacker to inject arbitrary HTML into the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.43
68.0.39
62.0.47
SEC-408
Summary
ClamAV installation reveals the contents of root’s crontab.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.2 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Description
When installing the ClamAV plugin, cron entries are added to root’s crontab to refresh the ClamAV virus database. This modification used a world-readable temporary file, allowing unprivileged users to read the contents of root’s crontab.
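An added example of the difference between the two ways of staging a privileged file (not the ClamAV plugin installer): a plain open() inherits the process umask and typically leaves the staging file readable by everyone, whereas mkstemp() creates it with mode 0600. Function names are assumptions and the crontab text is constructed.

```python
# Added example (not cPanel code): staging new contents for a privileged file
# in a temp file that other users cannot read. Names are assumptions.
import os
import stat
import tempfile

SAMPLE_CRONTAB = "0 3 * * * /path/to/freshclam --quiet\n"   # constructed placeholder


def write_tmp_default_umask(content: str, directory: str) -> str:
    # The SEC-408 pattern: open() applies the umask, and the common default
    # (022) leaves the file world-readable while it exists.
    path = os.path.join(directory, "crontab.tmp")
    with open(path, "w") as fh:
        fh.write(content)
    return path


def write_tmp_private(content: str, directory: str) -> str:
    # mkstemp() creates the file with mode 0600 and an unpredictable name, so
    # the contents are never exposed between creation and the final rename.
    fd, path = tempfile.mkstemp(prefix="crontab.", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return path


def others_can_read(path: str) -> bool:
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def demo() -> tuple:
    with tempfile.TemporaryDirectory() as d:
        os.umask(0o022)                      # typical default for root shells and cron
        leaky = write_tmp_default_umask(SAMPLE_CRONTAB, d)
        private = write_tmp_private(SAMPLE_CRONTAB, d)
        return others_can_read(leaky), others_can_read(private)


if __name__ == "__main__":
    print(demo())   # (True, False)
```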
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.43
68.0.39
62.0.47
SEC-421
Summary
Self-XSS in WHM Backup Configuration interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
The backup destination validation alerts did not perform context-appropriate escaping. This allowed an attacker to inject arbitrary HTML into the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.43
SEC-427
Summary
Cron feature restriction not enforced for API calls.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Description
cPanel accounts without the “Cron” feature were allowed to view and manipulate cron by calling the Cron APIs and adminbins directly.
Credits
This issue was discovered by rack911labs.com.
Solution
This issue is resolved in the following builds:
70.0.43
68.0.39
62.0.47
SEC-429
Summary
Backup feature restriction not enforced for API calls.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Description
The “backupwizard” feature was removed from cPanel & WHM because it duplicated the role of the “backup” feature. When this feature was removed, the API calls that required either of the “backup” or “backupwizard” features became accessible to all users.
Credits
This issue was discovered by rack911labs.com.
Solution
This issue is resolved in the following builds:
70.0.43
68.0.39
62.0.47
SEC-430
Summary
Images feature restriction not enforced for API calls.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Description
The “Images” feature that is used to control visibility of the “Images” icon in the cPanel interface was checked in an incorrect fashion by the API1 functions that perform image modifications.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.43
68.0.39
62.0.47
SEC-432
Summary
Cpanel Mime::list_hotlinks API feature restriction not enforced.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Description
The Mime::list_hotlinks API did not check the correct feature list item. This allowed users without the appropriate feature to access the API.
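SEC-427, SEC-429, SEC-430 and SEC-432 share one root cause: the feature list was enforced by the interface but not (or not correctly) by the API entry points behind it. The added example below (not cPanel's own API dispatch) shows a single gate applied at every entry point that fails closed when a feature name is unknown, so that removing a feature from the catalogue, as happened with “backupwizard”, can never widen access. All names and feature lists are assumptions, and the assumed feature-removal mechanism is illustrative rather than taken from the advisory.

```python
# Added example (not cPanel code): gating API calls on the account's feature
# list and failing closed. Feature names and catalogue are constructed.
import functools

KNOWN_FEATURES = {"cron", "backup", "images", "hotlink"}   # constructed catalogue


def has_feature(account_features: set, feature: str) -> bool:
    # Unknown feature names count as disabled: dropping a feature from the
    # catalogue must never grant access (the assumed SEC-429 failure mode).
    return feature in KNOWN_FEATURES and feature in account_features


def requires_feature(*features):
    # Any listed feature grants access; the check runs on the API entry point
    # itself, not only on the UI that shows or hides the icon.
    def decorate(fn):
        @functools.wraps(fn)
        def wrapper(account_features, *args, **kw):
            if not any(has_feature(account_features, f) for f in features):
                raise PermissionError(f"{fn.__name__}: feature not enabled")
            return fn(account_features, *args, **kw)
        return wrapper
    return decorate


@requires_feature("cron")
def list_cron(account_features):
    return ["0 3 * * * /path/to/job"]          # constructed placeholder result


@requires_feature("backup", "backupwizard")    # "backupwizard" no longer exists
def fullbackup(account_features):
    return "backup started"


@requires_feature("hotlink")                   # the correct item, not "images"
def list_hotlinks(account_features):
    return {"enabled": True}


def can_call(fn, account_features) -> bool:
    try:
        fn(account_features)
        return True
    except PermissionError:
        return False
```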
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.43
68.0.39
62.0.47
SEC-435
Summary
Arbitrary file read in pkgacct custom template handling.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Description
It was possible to add arbitrary files that are normally unreadable by unprivileged users to a backup created by pkgacct, by adding a custom Apache vhost template that referenced unrelated files within the userdata directory.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.43
68.0.39
62.0.47
For the PGP-Signed version of this announcement please see: https://news.cpanel.com/wp-content/uploads/2018/05/TSR-2018-0003.disclosure.signed.txt