Newsroom

cPanel TSR-2020-0001 Full Disclosure

SEC-515

Summary

Self-XSS vulnerability via temporary character set specification.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

cPanel & WHM and its APIs allow you to specify a temporary character set to use for HTTP responses. Most interfaces and APIs do not expect to have the character set of their responses changed. This confusion could allow for an attacker to cause the rendering browser to parse and execute code.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.84.0.20
11.78.0.45

SEC-535

Summary

Self-stored XSS vulnerability in HTML file editor.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

The cPanel HTML file editor displays error messages when failing to open a file. These error messages were not adequately encoded. It was possible to manipulate these error messages to include HTML markup that would be rendered by the user’s browser.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.84.0.20
11.78.0.45

SEC-537

Summary

Arbitrary code execution as root via dnsadmin when using PowerDNS.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 8.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Description

The name server configuration logic for PowerDNS allowed additional positional parameters to be injected when calling the pdns_control command. By injecting malicious data into these parameters, it was possible for a malicious reseller with the clustering ACL to execute arbitrary code on the system.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.84.0.20
11.78.0.45

SEC-541

Summary

Feature and demo restrictions not enforced for WebDisk UAPI calls.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Description

Refactoring of the feature and demo access restriction code removed enforcement of these restrictions on all WebDisk UAPI calls.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.84.0.20
11.78.0.45

SEC-542

Summary

Demo checks enforced incorrectly in Market UAPI namespace.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Description

The API calls available in the Market UAPI namespace did not limit the actions of demo accounts properly.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.84.0.20
11.78.0.45

SEC-543

Summary

Demo account file modifications through Branding API calls.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Description

Restrictions on demo accounts for several Branding API1 and API2 calls were not properly enforced. In some configurations this allowed demo accounts to read and write arbitrary files on the system.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.84.0.20
11.78.0.45

SEC-544

Summary

Demo account remote code execution via cpsrvd rsync shell.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 8.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Description

The cPanel server includes rsync remote file transfer functionality. The access controls limiting demo account usage of this functionality was ineffective. This could be abused by a demo account user to execute arbitrary code on the server.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.84.0.20

SEC-545

Summary

Root remote code execution for resellers via cpsrvd rsync shell.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Description

The cPanel server includes rsync remote file transfer functionality. The access controls limiting reseller usage of this functionality was ineffective. This could be abused by any reseller to execute arbitrary code as the root account.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.84.0.20

SEC-546

Summary

Demo account code execution via PassengerApps APIs.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 8.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Description

When registering a Passenger application, the ‘ensure_deps’ API will install dependencies according to a configuration file within the application directory. Demo accounts were not restricted from invoking this API call, allowing the execution of arbitrary code on the server.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.84.0.20
11.78.0.45

SEC-547

Summary

Arbitrary file deletion for Webmail and Demo accounts.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Description

Functionality intended to handle JSON POST data submitted in HTTP requests did not apply input filtering required to distinguish file uploads from other form parameters. A malicious webmail or demo account could misuse this behavior to delete files on the system.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.84.0.20
11.78.0.45

For the PGP-signed message, please see: https://news.cpanel.com/wp-content/uploads/2020/01/TSR-2020-0001.disclosure.signed.txt.