cPanel TSR-2018-0004 Full Disclosure
SEC-367
Summary
Stored-XSS in WHM File Restoration interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.6 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Description
Filenames containing AngularJS markup were interpolated into angular-growl format strings. These format strings were then interpolated a second time before being used in growl notifications. This allowed cPanel users to insert XSS payloads into the WHM File Restoration interface.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
72.0.10
70.0.53
SEC-416
Summary
Apache configuration injection due to document root variable interpolation.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.3 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
Description
Subdomain document root paths were allowed with Apache variable interpolation syntax. Under some conditions, malicious cPanel users could misuse this behavior to inject arbitrary Apache directives into the web server’s configuration.
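The following is an added example, not cPanel code: a document-root validator that rejects the Apache variable syntax described above, together with the other characters that let a path value extend or terminate a directive, and that confirms the canonical path stays inside the account's home. The helper names, the sample home directory and the allowed character set are assumptions made for this example.

```python
import os
import re

# Added example, not cPanel code. Models the class of bug in SEC-416: a user-supplied
# document root written verbatim into an Apache configuration file. httpd expands
# ${VAR} in configuration values, so a path containing that syntax is no longer a
# plain path once the file is parsed. HOME, validate_docroot and SAFE_PATH are
# hypothetical names chosen for this example.

HOME = "/home/alice"                         # assumed home of the cPanel account
SAFE_PATH = re.compile(r"^[A-Za-z0-9._/-]+$")   # no whitespace, quotes, $, { or }


def validate_docroot(path, home=HOME):
    """Return the canonical document root or raise ValueError.

    Rejects Apache variable syntax explicitly, then anything outside a small
    printable set (a newline or space could start a new directive or argument),
    and finally any path that escapes the home directory after normalisation.
    """
    if "${" in path:
        raise ValueError("Apache variable interpolation syntax not allowed")
    if not SAFE_PATH.match(path):
        raise ValueError("document root contains disallowed characters")
    canonical = os.path.normpath(path)
    # Compare with the separator appended so /home/alicex does not pass as /home/alice.
    if canonical != home and not canonical.startswith(home + os.sep):
        raise ValueError("document root must stay inside the account home")
    return canonical


def is_valid_docroot(path, home=HOME):
    """Boolean wrapper around validate_docroot for callers that only need yes/no."""
    try:
        validate_docroot(path, home)
        return True
    except ValueError:
        return False
```

The explicit `${` test is redundant with the character class, but keeping it makes the intent visible when someone later relaxes the regular expression.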
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
72.0.10
70.0.53
SEC-418
Summary
Insecure storage of phpMyAdmin session files.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.2 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L
Description
Due to a misconfiguration of phpMyAdmin’s php.ini file, the /tmp directory was used for session files storage. Local attackers could misuse this behavior to execute arbitrary code as the shared cpanelphpmyadmin user.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
72.0.10
70.0.53
SEC-420
Summary
SQL injection during database backups.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Description
The cPanel backup process creates temporary data as part of backing up a database. The format of this data could be manipulated through the names of the databases being backed up. This allowed an attacker to execute arbitrary SQL statements with the root account's MySQL privileges.
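As an added example (not cPanel's backup code), the pattern below contrasts splicing a database name into SQL text with quoting it as a MySQL identifier (backticks, with a backtick inside the name doubled) and uses a small tokenizer to count how many statements each version produces. The statement shapes, the crafted database name and the helper names are constructed for the example and are not taken from the advisory.

```python
# Added example, not cPanel code. SEC-420 is an instance of a general mistake: building
# SQL by pasting a database name into statement text. MySQL identifiers must be quoted
# with backticks, and a backtick inside the name is written as two backticks. The
# statements and EVIL_NAME below are constructed for illustration.

EVIL_NAME = "shop`; SELECT 'injected'; SELECT `shop"   # constructed crafted name


def quote_identifier(name):
    """Quote a MySQL identifier (database, table, column) safely."""
    if not name or "\x00" in name or len(name) > 64:    # 64 is MySQL's identifier limit
        raise ValueError("invalid identifier")
    return "`" + name.replace("`", "``") + "`"


def naive_restore_header(db_name):
    """The vulnerable pattern: the name is trusted and spliced into SQL text."""
    return "CREATE DATABASE IF NOT EXISTS `%s`;\nUSE `%s`;" % (db_name, db_name)


def safe_restore_header(db_name):
    """Same statements with the name passed through quote_identifier."""
    q = quote_identifier(db_name)
    return "CREATE DATABASE IF NOT EXISTS %s;\nUSE %s;" % (q, q)


def statement_count(sql):
    """Count ';'-terminated statements, ignoring ';' inside backtick identifiers.

    Deliberately minimal (no string or comment handling); it only needs to show
    whether a crafted name escaped the identifier and added statements.
    """
    count, in_ident, i = 0, False, 0
    while i < len(sql):
        ch = sql[i]
        if in_ident:
            if ch == "`":
                if i + 1 < len(sql) and sql[i + 1] == "`":
                    i += 1            # doubled backtick stays inside the identifier
                else:
                    in_ident = False
        elif ch == "`":
            in_ident = True
        elif ch == ";":
            count += 1
        i += 1
    return count
```

Quoting the identifier is the fix for the text; validating that a name matches what the control panel allows in the first place is the defence in depth, since backticks are legal in MySQL names but rarely legitimate in hosting accounts.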
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
72.0.10
70.0.53
SEC-424
Summary
File modification as root via faulty HTTP authentication.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Description
When logging in via HTTP Basic Authentication, the REMOTE_USER environment variable is set from the username. By inserting null characters into the username, it was possible to truncate the environment variable when it is passed to subprocesses. This allowed local attackers to modify files as the root user.
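The following added example (not cpsrvd code) models the mismatch behind this issue: a high-level runtime treats "root\x00alice" as one twelve-byte value, but environ entries are NUL-terminated, so a child process receives only "root". The advisory does not give the exact check that was bypassed; the reserved-name check, the helper names and the sample usernames are assumptions made for the example.

```python
import os

# Added example, not cpsrvd code. A value that passes validation as the parent sees it
# is not the value a subprocess receives once it crosses a C-string boundary. RESERVED,
# naive_check and hardened_check are hypothetical names; the reserved-account rule is
# an assumed stand-in for whatever check the real code performed on the username.

RESERVED = {"root"}


def as_c_string(value):
    """What a child process sees if this value reaches environ unchecked."""
    return value.split("\x00", 1)[0]


def naive_check(username):
    """Weak: validates the full string, then exports it; returns the child's view."""
    if username in RESERVED:
        raise PermissionError("reserved account")
    return as_c_string(username)


def hardened_check(username):
    """Reject control bytes (NUL included) before the value is used anywhere."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in username):
        raise ValueError("control characters in username")
    if username in RESERVED:
        raise PermissionError("reserved account")
    return username


def export_rejected_by_runtime(username):
    """Python's os.putenv refuses embedded NULs; True if it did for this value."""
    try:
        os.putenv("REMOTE_USER_DEMO", username)
    except ValueError:
        return True
    os.unsetenv("REMOTE_USER_DEMO")
    return False


def rejects(fn, *args):
    """Helper for the checks: True if fn raises ValueError or PermissionError."""
    try:
        fn(*args)
    except (ValueError, PermissionError):
        return True
    return False
```

Some runtimes refuse NUL bytes at the putenv boundary, as Python does here, but that protects only that one boundary; the durable fix is to reject control characters where the username enters the system.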
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
72.0.10
70.0.53
SEC-425
Summary
Limited file read via password file caching.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.8 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
Description
When logging in as a webmail user, cpsrvd reads the password and cache files located in the user's home directory as root. It was possible to cause this to read arbitrary files on the system and write back a limited amount of data to the user's home directory.
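The advisory does not say how the read was redirected, so the added example below (not cpsrvd code) addresses the general class: a privileged process opening a path inside a directory the unprivileged user controls. It refuses to follow symlinks, checks type, ownership and link count on the opened descriptor rather than on the path, and caps the amount read. The helper names, the throwaway home directory and the file contents are constructed for the example.

```python
import os
import stat
import tempfile

# Added example, not cpsrvd code. open_user_file and read_user_file are hypothetical
# names. Checks are made on the descriptor (fstat) after the open, so a path swapped
# between check and use cannot change the answer. Linux/POSIX only.

MAX_BYTES = 64 * 1024           # assumed upper bound for a password/cache file


def open_user_file(path, expected_uid):
    """Open a regular file that must belong to expected_uid; raise otherwise."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        if st.st_uid != expected_uid:
            raise PermissionError("file not owned by the expected user")
        if st.st_nlink != 1:
            raise PermissionError("hard-linked file; refusing to read it")
        return fd
    except BaseException:
        os.close(fd)
        raise


def read_user_file(path, expected_uid):
    fd = open_user_file(path, expected_uid)
    try:
        return os.read(fd, MAX_BYTES)
    finally:
        os.close(fd)


def demo():
    """Build a throwaway home directory and report what each access attempt does."""
    results = {}
    with tempfile.TemporaryDirectory() as home:
        real = os.path.join(home, "passwd.cache")        # constructed sample file
        with open(real, "wb") as f:
            f.write(b"cached-secret")
        link = os.path.join(home, "link.cache")
        os.symlink("/etc/shadow", link)                  # stand-in for any file outside $HOME
        me = os.getuid()
        results["owned_regular"] = read_user_file(real, me)
        for label, p, uid in (("symlink", link, me), ("wrong_owner", real, me + 1)):
            try:
                read_user_file(p, uid)
                results[label] = "read"
            except OSError:                              # ELOOP from O_NOFOLLOW, or PermissionError
                results[label] = "refused"
    return results
```

Dropping to the user's uid before touching the home directory removes the problem at the source; the descriptor checks above are what remains when the read has to stay privileged.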
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
72.0.10
70.0.53
SEC-426
Summary
Arbitrary zonefile modifications allowed during record edits.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Description
The types of DNS zone records that a cPanel user may add, delete, or edit are limited by the feature settings for the account. During zonefile edits, the new type of an edited record was not validated as a permitted record type for the user. This allowed cPanel users with the “changemx”, “simplezoneedit”, or “zoneedit” features to make arbitrary changes to zone files.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
72.0.10
70.0.53
SEC-436
Summary
Arbitrary file read during File Restoration.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.9 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
Description
When using the “File Restoration” feature on an incremental backup, it incorrectly translated tar escape sequences in filenames. This allowed an attacker to read arbitrary files on the system as root.
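GNU tar's listings print member names with backslash escapes (\n, \t, \\ and \NNN octal for other bytes), and a restore tool that checks the escaped text rather than the decoded path can be made to treat an escaping name as a confined one. The advisory does not describe cPanel's exact mistranslation; the added example below (not cPanel code) decodes tar's default escape quoting and then performs the containment check on the decoded bytes, next to the naive check that looks at the listing text. Helper names and sample member names are constructed.

```python
import os
import re

# Added example, not cPanel's File Restoration code. unescape_tar_name reverses GNU
# tar's default ("escape") quoting style; is_confined applies the path check after
# decoding; naive_is_confined shows the check applied to the undecoded text.

_SIMPLE = {"a": 7, "b": 8, "f": 12, "n": 10, "r": 13, "t": 9, "v": 11, "\\": 92}
_ESCAPE = re.compile(r"\\([0-7]{3}|[abfnrtv\\])")


def unescape_tar_name(listed):
    """Turn a name as printed by `tar -t` back into the bytes stored in the archive."""
    out = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(listed):
        out += listed[pos:m.start()].encode("latin-1")
        tok = m.group(1)
        out.append(int(tok, 8) if tok[0] in "01234567" else _SIMPLE[tok])
        pos = m.end()
    out += listed[pos:].encode("latin-1")
    return bytes(out)


def is_confined(listed_name, restore_root):
    """True only if the decoded member path stays under restore_root."""
    name = unescape_tar_name(listed_name)
    if b"\x00" in name or name.startswith(b"/"):
        return False
    root = os.path.normpath(restore_root.encode())
    target = os.path.normpath(os.path.join(root, name))
    return target == root or target.startswith(root + b"/")


def naive_is_confined(listed_name):
    """The mistake: checking the escaped text instead of the decoded path."""
    return not listed_name.startswith("/") and ".." not in listed_name.split("/")
```

Decoding must happen exactly once and before any security decision; decoding again after the check reopens the same gap from the other side.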
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
72.0.10
70.0.53
SEC-439
Summary
Arbitrary zonefile modifications due to faulty CAA record handling.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Description
cPanel accounts with the “zoneedit” feature are allowed to create and modify CAA DNS records. The validator for new CAA records allowed several types of injections that would split a single CAA record entry into multiple DNS records with arbitrary content.
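The added example below (not cPanel's zone editor) covers both of the missing checks described under SEC-426 and SEC-439: an edit is authorised only if the record's old type and its new type are both permitted for the account's features, and a CAA record is serialised only after each field has been validated so a single submission cannot become several zone-file records. The feature-to-record-type map is an assumption made for the example, not cPanel's actual policy; helper names are hypothetical.

```python
import re

# Added example, not cPanel code. FEATURE_TYPES is an assumed mapping for
# illustration; may_edit, permitted_types and format_caa are hypothetical names.

FEATURE_TYPES = {
    "changemx": {"MX"},
    "simplezoneedit": {"A", "CNAME"},
    "zoneedit": {"A", "AAAA", "CNAME", "MX", "TXT", "SRV", "CAA"},
}
CAA_TAGS = {"issue", "issuewild", "iodef"}       # RFC 6844 property tags
_OWNER = re.compile(r"^[A-Za-z0-9_.-]+$")


def permitted_types(features):
    allowed = set()
    for f in features:
        allowed |= FEATURE_TYPES.get(f, set())
    return allowed


def may_edit(features, old_type, new_type):
    """Both the record being replaced and its replacement must be permitted."""
    allowed = permitted_types(features)
    return old_type in allowed and new_type in allowed


def format_caa(name, flags, tag, value):
    """Return exactly one zone-file line, or raise if a field could break out of it."""
    flags = int(flags)
    if not _OWNER.match(name):
        raise ValueError("bad owner name")
    if not 0 <= flags <= 255:
        raise ValueError("flags must be 0-255")
    if tag not in CAA_TAGS:
        raise ValueError("unknown CAA tag")
    # Newlines fail isprintable(); quotes, backslashes, ';' and parentheses are
    # zone-file metacharacters that would end the string or start another record.
    if not value.isprintable() or any(c in value for c in '"\\;()'):
        raise ValueError("CAA value contains zone-file metacharacters")
    return '%s IN CAA %d %s "%s"' % (name, flags, tag, value)


def rejects(fn, *args):
    """Helper for the checks: True if fn raises ValueError."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```

Checking only the submitted record's new type, as in SEC-426, lets a user turn a permitted MX edit into a record type the feature never granted; validating every field before serialisation, as in SEC-439, keeps one submitted record from becoming two.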
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
72.0.10
70.0.53
SEC-442
Summary
File rename vulnerability during account renames.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.2 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N
Description
While renaming cPanel accounts, the security policy data files stored in the user’s home directory were renamed with root permissions. This allowed malicious resellers with the Account Modification privilege to rename arbitrary files on the system.
Credits
This issue was discovered by rack911labs.com.
Solution
This issue is resolved in the following builds:
72.0.10
70.0.53
SEC-443
Summary
Website contents accessible to local attackers through git repos.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.9 CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Description
The Git Version Control functionality in cPanel relied on the git binary to create the directories for git repos. The git binary created these directories with very open (0755) permissions, allowing other accounts on the system to examine the contents of the files in the repo. This functionality has been changed to create repo directories with 0700 permissions if the directory does not already exist.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
72.0.10
For the PGP-Signed version of this announcement please see: https://news.cpanel.com/wp-content/uploads/2018/07/TSR-2018-0004.disclosure.signed.txt