TSR 2013-0012 Full Disclosure

Case 84681


Arbitrary file read for ACL limited reseller accounts via XML-API.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.


The WHM XML and JSON APIs allowed arbitrary files to be read through the “getpkginfo” API call. By sending a crafted input to this call, resellers with the “viewglobalpackages” ACL could read the contents of files accessible only to root.


This issue was discovered by the cPanel Security Team.


This issue is resolved in the following builds: & Greater & Greater & Greater & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at

For the PGP-signed message, see TSR-2013-0012-FullDisclosure.