SEC-661
Summary
Fix test used by cpsrvd to check for PHP.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 4.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H
Description
The check that refuses to run a PHP page for resellers logged into WHM did not handle the case where extra path info is appended after the .php extension, so such a request was still passed to the CGI handler and the PHP page was run.
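The following is an added illustration of the SEC-661 check, not cPanel's code: a naive test that looks only at the final extension misses "/admin.php/extra", while the corrected test treats any segment with a PHP extension as a PHP request, since everything after that segment is PATH_INFO. The extension list and the policy helper are assumptions for the example; the path is taken to be already URL-decoded, as a server would have it by the time handler mapping happens.

```python
"""Added illustration (not cPanel's code) of the SEC-661 check: a request
path that targets a PHP script must be recognised even when extra path info
follows the script name, because the CGI handler runs the script and hands
the remainder to it as PATH_INFO."""
import posixpath

# Assumed set of extensions mapped to the PHP handler.
PHP_EXTENSIONS = (".php", ".php5", ".phtml")


def _path_only(uri: str) -> str:
    """Drop the query string and normalise '.' / '..' / duplicate slashes."""
    return posixpath.normpath(uri.split("?", 1)[0])


def naive_is_php(uri: str) -> bool:
    """Pre-fix behaviour: only the extension of the final segment is checked,
    so "/admin.php/extra" is treated as a non-PHP request."""
    return _path_only(uri).lower().endswith(PHP_EXTENSIONS)


def is_php_request(uri: str) -> bool:
    """Fixed behaviour: any path segment with a PHP extension marks the
    request as PHP, since everything after that segment is PATH_INFO."""
    for segment in _path_only(uri).split("/"):
        if segment.lower().endswith(PHP_EXTENSIONS):
            return True
    return False


def reseller_request_allowed(uri: str, logged_in_as_reseller: bool) -> bool:
    """Policy from the advisory: a reseller logged into WHM may not run PHP."""
    return not (logged_in_as_reseller and is_php_request(uri))


if __name__ == "__main__":
    for uri in ("/admin.php", "/admin.php/extra/info", "/static/page.html"):
        print(f"{uri:24s} naive={naive_is_php(uri)!s:5} fixed={is_php_request(uri)}")
```

Normalising the path before splitting matters: "/a/../admin.php/x" collapses to "/admin.php/x", so the check sees the same segments the web server will use.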
Credits
This issue was discovered by John Lightsey.
Solution
This issue is resolved in the following builds:
11.108.0.3
11.106.0.10
11.102.0.25
SEC-662
Summary
Fix HttpRequest to not write to user home directories as root.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 9.0 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H
Description
The DNS caching mechanism used in Cpanel::HttpRequest used $Cpanel::homedir as the directory in which to store its data. There are times, such as when a reseller invokes get_update_availability, when $Cpanel::homedir is set to the reseller’s home directory while the process is running as root. There is no reason to favor $Cpanel::homedir over the home directory of the effective user. If we are running as root, we should write the DNS cache data under the /root directory.
Credits
This issue was discovered by John Lightsey.
Solution
This issue is resolved in the following builds:
11.108.0.3
11.106.0.10
11.102.0.25
SEC-665
Summary
Fix arbitrary file read in zone admin bin.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
The problem here is two-fold. First, the SWAP_IP_IN_ZONES function in the zone admin bin needs to validate the IP addresses passed into it. This prevents attackers from using the function to pass bogus “includes” into the zone file. Second, when evaluating the “includes” while parsing the zone file, we should drop privileges to those of the domain owner. If a domain owner does not have privileges to read a file, they should not be able to include it in their zone file.
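The following is an added illustration of both SEC-665 fixes and is not cPanel's code: the substitution accepts only strings that parse as IP literals, so a value carrying a newline and a directive cannot be spliced into the zone, and include targets are read in a forked child that has dropped to the zone owner's uid/gid, so a file the owner cannot read yields an error rather than its contents. The sample zone, the function names and the include reader's shape are assumptions for the example; the reader needs root to run, and only the validation part is exercised stand-alone.

```python
"""Added illustration (not cPanel's code) of the two SEC-665 fixes: validate
IP literals before splicing them into zone data, and read $INCLUDE targets
with the privileges of the zone's owner rather than as root."""
import ipaddress
import os
import pwd

# Constructed sample zone, not taken from any real server.
SAMPLE_ZONE = (
    "$ORIGIN example.com.\n"
    "@    IN A 192.0.2.10\n"
    "www  IN A 192.0.2.10\n"
)


def swap_ip_unvalidated(zone_text: str, old_ip: str, new_ip: str) -> str:
    """Pre-fix behaviour: the caller's strings go straight into the zone, so
    a 'new IP' containing a newline can smuggle in a $INCLUDE directive."""
    return zone_text.replace(old_ip, new_ip)


def is_valid_ip(value: str) -> bool:
    """True only for a bare IPv4 or IPv6 literal (no whitespace, no extras)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def validate_ip(value: str) -> str:
    """Return the canonical form of an IP literal or raise ValueError."""
    if not is_valid_ip(value):
        raise ValueError(f"not an IP address literal: {value!r}")
    return str(ipaddress.ip_address(value))


def swap_ip_in_zones(zone_text: str, old_ip: str, new_ip: str) -> str:
    """Fixed behaviour: both addresses must parse as IPs before substitution."""
    return zone_text.replace(validate_ip(old_ip), validate_ip(new_ip))


def read_include_as(path: str, owner: str) -> bytes:
    """Read an $INCLUDE target as the zone's owner. Must be started as root:
    the child drops to the owner's uid/gid before opening the file, so a file
    the owner cannot read produces PermissionError instead of its contents."""
    pw = pwd.getpwnam(owner)
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: drop privileges, then read
        os.close(rfd)
        try:
            os.setgroups([])
            os.setgid(pw.pw_gid)
            os.setuid(pw.pw_uid)
            with open(path, "rb") as fh, os.fdopen(wfd, "wb") as out:
                out.write(fh.read())
            os._exit(0)
        except Exception:
            os._exit(1)
    os.close(wfd)
    with os.fdopen(rfd, "rb") as inp:  # parent: drain the pipe before waiting
        data = inp.read()
    _, status = os.waitpid(pid, 0)
    if os.WEXITSTATUS(status) != 0:
        raise PermissionError(f"{owner} may not read {path}")
    return data


if __name__ == "__main__":
    payload = "198.51.100.7\n$INCLUDE /path/the/owner/cannot/read"
    print("unvalidated:\n" + swap_ip_unvalidated(SAMPLE_ZONE, "192.0.2.10", payload))
    print("validated:", is_valid_ip("198.51.100.7"), is_valid_ip(payload))
```

The order of operations in the child is the usual one for a privilege drop: clear supplementary groups, set the gid, then set the uid, since once the uid is no longer root the group changes would fail.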
Credits
This issue was discovered by John Lightsey.
Solution
This issue is resolved in the following builds:
11.108.0.3
11.106.0.10
11.102.0.25
SEC-666
Summary
Fix maketext format string injection.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Description
In some circumstances maketext was vulnerable to format string injection. Resolved by not giving the strings any special processing.
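The following is an added illustration of the SEC-666 bug class and is not cPanel's code. It uses Python's str.format, whose "{}" placeholders stand in for maketext's bracket notation: when a user-controlled string is handed to the formatter as the template, its placeholders are interpreted and can reach attributes of the objects passed alongside it; when only catalogue strings are templates and user data is passed as an argument, the data is emitted verbatim. The lexicon, the Session class and its token are constructed for the example.

```python
"""Added illustration (not cPanel's code) of the SEC-666 class of bug using
Python's str.format in place of maketext bracket notation: a user-supplied
string must be an argument to the template, never the template itself."""

# Constructed message catalogue standing in for the locale lexicon.
LEXICON = {
    "greeting": "Welcome back, {name}.",
    "quota": "{name} has used {used} of {limit} MB.",
}


class Session:
    """Constructed context object; its token is something a template must
    never be able to read."""

    def __init__(self, user: str, token: str):
        self.user = user
        self._token = token


def render_unsafe(text: str, **args) -> str:
    """Pre-fix pattern: whatever string arrives is treated as a template, so
    placeholders inside user data are evaluated against the arguments."""
    return text.format(**args)


def render(key: str, **args) -> str:
    """Fixed pattern: only catalogue strings are templates; user-supplied
    data is passed as an argument and receives no special processing."""
    return LEXICON[key].format(**args)


if __name__ == "__main__":
    sess = Session("alice", "tok-example-123")
    user_input = "{sess._token}"  # constructed: data shaped like a placeholder
    print("unsafe:", render_unsafe(user_input, sess=sess))
    print("fixed: ", render("greeting", name=user_input, sess=sess))
```

The fixed path also degrades safely: a user string with unbalanced braces is just text, whereas the same string handed to the formatter as a template raises or, worse, resolves.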
Credits
This issue was discovered by John Lightsey.
Solution
This issue is resolved in the following builds:
11.108.0.3
11.106.0.10
11.102.0.25
SEC-667
Summary
Ensure SET_SERVICE_PROXY_BACKENDS passes the caller for the username.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Description
SET_SERVICE_PROXY_BACKENDS passed a hash to set_backends_and_update_services that combined a username key/value pair with the hash of parameters passed into the function. If the parameter hash already contained a different value for the username key, that value overwrote the calling user’s name before it was passed on to set_backends_and_update_services. This could allow a non-root user to set the username parameter to anything: another user or, as illustrated in this case, a path traversal string used for a security exploit. The fix sets the value of the username key in the parameters hash to the calling user’s account name, overwriting any value that was already present and ensuring the intended user name is passed on.
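The following is an added illustration of the SEC-667 merge-order bug and is not cPanel's code: in the pre-fix ordering the caller-supplied parameter dictionary is merged after the fixed username entry, so a "username" key in the parameters wins; in the fixed ordering the authenticated caller is written last. The downstream path builder, its account-name rule and the base directory are assumptions added for the example to show why a traversal string must never reach that point.

```python
"""Added illustration (not cPanel's code) of the SEC-667 merge-order bug:
a parameter hash supplied by the caller is merged with a "username" entry,
and whichever side is merged last wins."""
import re

# Assumed shape of a validated account name; not cPanel's actual rule.
_ACCOUNT_RE = re.compile(r"^[a-z][a-z0-9_]{0,15}$")


def set_backends_vulnerable(calling_user: str, params: dict) -> dict:
    """Pre-fix order: the caller-supplied hash is merged *after* the fixed
    username, so params["username"] silently replaces the real caller."""
    return {"username": calling_user, **params}


def set_backends_fixed(calling_user: str, params: dict) -> dict:
    """Fixed order: the authenticated caller is written last and always wins,
    whatever the parameters contained."""
    merged = dict(params)
    merged["username"] = calling_user
    return merged


def backend_config_dir(base: str, merged: dict) -> str:
    """Downstream consumer of the username (assumed): refuses anything that
    is not a plain account name, so a traversal string cannot become a path."""
    name = merged["username"]
    if not _ACCOUNT_RE.match(name):
        raise ValueError(f"refusing to build a path from {name!r}")
    return f"{base}/{name}"


if __name__ == "__main__":
    # Constructed request from an authenticated, non-root caller.
    params = {"backends": ["10.0.0.5:8080"], "username": "../../other"}
    print("vulnerable:", set_backends_vulnerable("reseller1", params)["username"])
    print("fixed:     ", set_backends_fixed("reseller1", params)["username"])
```

Writing the trusted value last is the whole fix; the validating path builder is defence in depth, so that a future caller which forgets the ordering still cannot turn a username into a relative path.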
Credits
This issue was discovered by John Lightsey.
Solution
This issue is resolved in the following builds:
11.108.0.3
11.106.0.10
11.102.0.25
https://news.cpanel.com/wp-content/uploads/2022/11/TSR-2022-0005-Full-Disclosure.signed.txt