cPanel TSR-2018-0003 Full Disclosure

SEC-393

Summary

API tokens retain ACLs that are removed from accounts.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 6.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

Description

Starting with cPanel & WHM version 68, it became possible to limit the authorizations of a WHM API token to a subset of the ACLs assigned to the reseller account. The logic that implemented this behavior did not restrict API tokens to the ACLs that were currently assigned to the reseller account. This allowed a reseller to retain access to an ACL after the ACL was removed from the reseller’s account.
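The fix for SEC-393 amounts to authorising only the intersection of a token's stored ACL list and the ACLs its owning account holds at request time. The following is an added illustration of that check, not cPanel's code; the class and function names and the sample ACL values are illustrative.

```python
# Added example (not cPanel's code): computing a WHM API token's effective
# ACLs so that a token can never carry an ACL its owning account no longer
# holds. Token, Reseller and the ACL strings below are illustrative.
from dataclasses import dataclass, field


@dataclass
class Reseller:
    name: str
    acls: set = field(default_factory=set)   # ACLs currently granted to the account


@dataclass
class Token:
    name: str
    acls: set = field(default_factory=set)   # ACL subset chosen when the token was made


def effective_acls_flawed(token: Token, owner: Reseller) -> set:
    """The SEC-393 behaviour: trusts the ACL list stored with the token,
    so a revocation on the account never reaches the token."""
    return set(token.acls)


def effective_acls(token: Token, owner: Reseller) -> set:
    """Hardened: an ACL is usable only if BOTH the token and the account
    hold it at the time of the request, so revocations take effect at once."""
    return set(token.acls) & set(owner.acls)


def has_acl(token: Token, owner: Reseller, acl: str) -> bool:
    return acl in effective_acls(token, owner)


def demo() -> dict:
    # Constructed scenario: a reseller with three ACLs creates a token
    # limited to two of them, then an administrator revokes one ACL.
    owner = Reseller("alice", {"list-accts", "create-acct", "kill-acct"})
    token = Token("deploy", {"list-accts", "kill-acct"})
    owner.acls.discard("kill-acct")   # ACL removed from the account
    return {
        "flawed": sorted(effective_acls_flawed(token, owner)),
        "hardened": sorted(effective_acls(token, owner)),
    }
```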

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
70.0.43
68.0.39

SEC-394

Summary

Stored code execution injections in WHM cPAddons interface.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L

Description

The cpaddons_report.pl script escaped user-provided data with incorrect escaping functions in several places. This allowed cPanel users to cause unintended actions when the server administrator clicked links in the WHM cPAddons interfaces.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
70.0.43
68.0.39
62.0.47

SEC-395

Summary

Arbitrary file unlink via cPAddons moderation system.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 2.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N

Description

When the server administrator approves or denies a moderated cPAddons install, the moderation request file stored in the user’s home directory is removed. The file removal was performed with root privileges and could be misused by a local attacker to delete arbitrary files on the system.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
70.0.43
68.0.39
62.0.47

SEC-396

Summary

Email injection in cPAddons moderation.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 2.6 CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N

Description

The cPAddons moderation script did not adequately validate email addresses provided by the user when handling cPAddons moderation requests. This allowed an attacker to inject arbitrary header data into the moderation response email.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
70.0.43
68.0.39
62.0.47

SEC-398

Summary

Remote-Stored XSS in WHM cPAddons installation interface.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

When installing a cPAddon in WHM, the output was not properly escaped. This allowed an attacker to execute arbitrary code in the rendered page.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
70.0.43
68.0.39
62.0.47

SEC-399

Summary

Remote-stored XSS in YUM autorepair functionality.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

The EasyApache 3 build process attempts an automatic repair of the system’s YUM configuration if it appears broken. While downloading a replacement YUM repo file, error messages generated by the remote server were displayed to the user without context-appropriate escaping. This allowed an attacker to insert arbitrary HTML into the rendered page.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
70.0.43
68.0.39
62.0.47

SEC-400

Summary

Remote-Stored XSS in WHM Save Theme Interface.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

During the download of cPanel-provided themes it was possible for an attacker to inject arbitrary HTML into the rendered page.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
70.0.43
68.0.39
62.0.47

SEC-408

Summary

ClamAV installation reveals the contents of root’s crontab.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 2.2 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Description

When installing the ClamAV plugin, cron entries are added to root’s crontab to refresh the ClamAV virus database. This modification used a world-readable temporary file, allowing unprivileged users to read the contents of root’s crontab.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
70.0.43
68.0.39
62.0.47

SEC-421

Summary

Self-XSS in WHM Backup Configuration interface.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

The backup destination validation alerts did not perform context-appropriate escaping. This allowed an attacker to inject arbitrary HTML into the rendered page.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
70.0.43

SEC-427

Summary

Cron feature restriction not enforced for API calls.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Description

cPanel accounts without the “Cron” feature were allowed to view and manipulate cron by calling the Cron APIs and adminbins directly.

Credits

This issue was discovered by rack911labs.com.

Solution

This issue is resolved in the following builds:
70.0.43
68.0.39
62.0.47

SEC-429

Summary

Backup feature restriction not enforced for API calls.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 5.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Description

The “backupwizard” feature was removed from cPanel & WHM because it duplicated the role of the “backup” feature. When this feature was removed, the API calls that required either of the “backup” or “backupwizard” features became accessible to all users.

Credits

This issue was discovered by rack911labs.com.

Solution

This issue is resolved in the following builds:
70.0.43
68.0.39
62.0.47

SEC-430

Summary

Images feature restriction not enforced for API calls.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Description

The “Images” feature that is used to control visibility of the “Images” icon in the cPanel interface was checked in an incorrect fashion by the API1 functions that perform image modifications.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
70.0.43
68.0.39
62.0.47

SEC-432

Summary

Cpanel Mime::list_hotlinks API feature restriction not enforced.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Description

The Mime::list_hotlinks API did not check the correct feature list item. This allowed users without the appropriate feature to access the API.
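SEC-427, SEC-429, SEC-430 and SEC-432 share one root cause: a feature-list restriction enforced in the interface but not, or not correctly, at the API call itself. The following is an added illustration of API-layer feature gating, not cPanel's code; the decorator, function names and feature names are illustrative placeholders (in particular, the feature checked for the hotlinks call here is not taken from cPanel), and it also covers the SEC-429 case where a retired feature name must not turn a check into a no-op.

```python
# Added example (not cPanel's code): enforce feature-list restrictions on
# the API call itself, so hiding a UI icon and gating the matching API
# cannot drift apart. Function and feature names here are illustrative.
import functools

# Features this build still defines; "backupwizard" has been retired.
KNOWN_FEATURES = {"cron", "backup", "images", "hotlink"}


class FeatureDenied(PermissionError):
    pass


def require_feature(*wanted):
    """The calling account must hold at least one feature in `wanted`.
    Retired names are ignored, but if nothing enforceable remains the
    check fails closed instead of opening the call to every account."""
    def decorator(func):
        @functools.wraps(func)
        def wrapper(account_features, *args, **kwargs):
            live = [f for f in wanted if f in KNOWN_FEATURES]
            if not live:
                raise FeatureDenied(f"{func.__name__}: no enforceable feature in {wanted}")
            if not any(f in account_features for f in live):
                raise FeatureDenied(f"{func.__name__}: requires one of {live}")
            return func(account_features, *args, **kwargs)
        return wrapper
    return decorator


@require_feature("cron")                     # SEC-427: gate the API, not just the page
def list_cron(account_features):
    return ["0 3 * * * /usr/local/bin/nightly"]   # constructed sample entry


@require_feature("backup", "backupwizard")   # SEC-429: one name retired, check must survive
def fullbackup(account_features):
    return "backup-started"


@require_feature("backupwizard")             # every listed feature retired: fail closed
def legacy_wizard(account_features):
    return "should-never-run"


@require_feature("hotlink")                  # SEC-432: check the feature that matches the call
def list_hotlinks(account_features):
    return []


def permitted(func, account_features) -> bool:
    """True if an account holding `account_features` may invoke `func`."""
    try:
        func(frozenset(account_features))
        return True
    except FeatureDenied:
        return False
```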

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
70.0.43
68.0.39
62.0.47

SEC-435

Summary

Arbitrary file read in pkgacct custom template handling.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Description

It was possible to add arbitrary files, normally unreadable by unprivileged users, to a backup created by pkgacct by adding a custom Apache vhost template to unrelated files within the userdata directory.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
70.0.43
68.0.39
62.0.47

For the PGP-Signed version of this announcement please see: https://news.cpanel.com/wp-content/uploads/2018/05/TSR-2018-0003.disclosure.signed.txt