Yesterday cPanel released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. Below is the full disclosure of the changes included in that update.
Information on cPanel’s security ratings is available at https://go.cpanel.net/securitylevels.
If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.
SEC-501
Summary
Demo account remote code execution via faulty URI dispatching.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 6.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
Description
Errors in the dispatching logic for email autoconfiguration URIs allowed demo accounts to execute functions in the cPanel templating engine that are normally prohibited.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.80.0.22
11.78.0.34
SEC-504
Summary
Stored-XSS vulnerability in WHM Tomcat Manager interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Description
The status messages displayed when disabling Tomcat for a cPanel account were not adequately escaped. It was possible for the user to manipulate the content of these status messages. This allowed cPanel accounts to inject arbitrary HTML on the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.82.0.2
11.80.0.22
11.78.0.34
SEC-506
Summary
Self XSS vulnerability in cPanel and webmail master templates.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
All cPanel and webmail interfaces include a username header at the top of the rendered pages. It was possible to manipulate what is displayed in this header by visiting certain nonexistent webmail accounts. This allowed arbitrary HTML to be injected into the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.82.0.2
11.80.0.22
11.78.0.34
SEC-507
Summary
Unauthenticated file creation vulnerability via Exim log parsing.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 6.8 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
Description
The cPanel Tailwatch daemon determines when to notify an account about excessive email sending by parsing the Exim log. It keeps track of which accounts have been notified using flag files. It was possible to inject data into the Exim log that would cause these flag files to be created in arbitrary locations.
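As an added illustration of the SEC-507 bug class (not cPanel's own Tailwatch code), the following Python sketch shows how a log-driven notifier should allow-list the account token it reads from the Exim log and confine the derived flag-file path to its flag directory. The flag directory, the username pattern and the log lines are assumptions constructed for this example.

```python
import os
import re

# Constructed sample Exim log lines; not real cPanel or Exim output.
# The second line carries a crafted U= (calling user) token instead of a username.
SAMPLE_LOG = """\
2019-06-12 10:15:02 1hb2Zx-0001Aa-Qz <= alice@example.com U=alice P=local S=1024
2019-06-12 10:15:03 1hb2Zx-0001Ab-Qz <= bob@example.com U=../../tmp/notme P=local S=2048
2019-06-12 10:15:04 1hb2Zx-0001Ac-Qz <= carol@example.com U=carol P=local S=512
2019-06-12 10:15:05 1hb2Zx-0001Ad-Qz <= alice@example.com U=alice P=local S=1024
"""

FLAG_DIR = "/var/run/example-notify-flags"          # hypothetical directory, not cPanel's
ACCOUNT_RE = re.compile(r"^[a-z][a-z0-9_]{0,15}$")   # strict allow-list for account names
USER_FIELD = re.compile(r"(?:^|\s)U=(\S+)")          # Exim's calling-user field


def sender_from_line(line):
    """Return the raw U= token of one Exim log line, or None if absent."""
    m = USER_FIELD.search(line)
    return m.group(1) if m else None


def flag_path(account, flag_dir=FLAG_DIR):
    """Build the notification flag path only for an allow-listed account name.

    Raises ValueError if the token fails the pattern or, as defence in depth,
    if the resolved path would land outside flag_dir.
    """
    if not ACCOUNT_RE.match(account):
        raise ValueError("rejected account token: %r" % account)
    base = os.path.realpath(flag_dir)
    path = os.path.realpath(os.path.join(base, account))
    if os.path.dirname(path) != base:
        raise ValueError("path escapes flag directory: %r" % path)
    return path


def accounts_to_notify(log_text, threshold):
    """Count messages per valid account and return (accounts at/above threshold,
    rejected tokens). Rejected tokens are returned so they can be alerted on."""
    counts, rejected = {}, []
    for line in log_text.splitlines():
        token = sender_from_line(line)
        if token is None:
            continue
        if not ACCOUNT_RE.match(token):
            rejected.append(token)      # never turned into a filesystem path
            continue
        counts[token] = counts.get(token, 0) + 1
    over = sorted(a for a, n in counts.items() if n >= threshold)
    return over, rejected
```

The crafted token is reported rather than used, so no flag file can be created outside the flag directory regardless of what an attacker manages to write into the log.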
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.82.0.2
11.80.0.22
11.78.0.34
SEC-510
Summary
Root MySQL password revealed to local accounts.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
A new MySQL password is generated and configured for the root account when no MySQL client configuration file is present during the installation of cPanel & WHM. The code to generate the new password was faulty, leaving some systems with root MySQL passwords that could be discovered by local attackers.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.82.0.2
11.80.0.22
SEC-512
Summary
Stored-XSS vulnerability in WHM Modify Account interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Description
The status messages displayed when modifying a cPanel account in WHM were not adequately escaped. It was possible for the cPanel account to manipulate the content of these status messages. This allowed an attacker to inject arbitrary HTML on the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.82.0.2
11.80.0.22
11.78.0.34
SEC-514
Summary
Reseller package creation ACLs enforced incorrectly.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Description
The “allow-parkedcreate” and “allow-addoncreate” reseller ACLs were not enforced correctly. This allowed a restricted reseller to create packages with parked and addon domain limits exceeding the reseller’s configured limits.
Credits
This issue was discovered by Edwin F Sturt.
Solution
This issue is resolved in the following builds:
11.82.0.2
11.80.0.22
11.78.0.34
For the PGP-signed message, please see: TSR-2019-0004 Full Disclosure