Arbitrary file read for ACL limited reseller accounts via XML-API.
cPanel has assigned a Security Level of Important to this vulnerability.
The WHM XML and JSON APIs allowed arbitrary files to be read through the “getpkginfo” API call. By sending a crafted input to this call, resellers with the “viewglobalpackages” ACL could read the contents of files accessible only to root.
This issue was discovered by the cPanel Security Team.
This issue is resolved in the following builds:
184.108.40.206 & Greater
220.127.116.11 & Greater
18.104.22.168 & Greater
22.214.171.124 & Greater
Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/
For the PGP-signed message, see TSR-2013-0012-FullDisclosure.