TSR 2014-0001 Full Disclosure

Case 84385

Summary

Arbitrary code execution as cpanel-horde user via cache file poisoning.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

The Horde Webmail interface accessible to cPanel and Webmail accounts uses PHP serialized cache files to speed up some backend operations. By default these cache files were stored in the world-writable /tmp directory with predictable names. A malicious local attacker could pre-create the cache files inside /tmp, potentially leading to arbitrary code execution as the cpanel-horde user.
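The flaw above is the classic shared-directory race: a fixed name in /tmp can be created by any local user before the application gets there. The following is an added example, not cPanel's or Horde's code; the cache-file naming scheme and the planted content are constructed. It replays the scenario in scratch directories and shows the two controls that close it: an exclusive create (O_CREAT|O_EXCL) that refuses to reuse anything the application did not make itself, and a check that the cache directory is private rather than world-writable.

```python
"""Defending a per-user cache file against pre-creation in a shared /tmp.

Added example, not cPanel's or Horde's code. Paths and the cache-file
naming scheme are constructed for illustration.
"""
import os
import stat
import tempfile


def predictable_cache_path(tmpdir, user):
    """The weak scheme: a fixed, guessable name in a shared directory."""
    return os.path.join(tmpdir, f"cache_{user}.ser")  # constructed name


def open_private_cache(cache_dir, name):
    """Create the cache file and fail if anything already sits at that path.

    O_CREAT|O_EXCL means the call only succeeds if *we* created the file, so
    a pre-planted file or symlink is never silently reused; O_NOFOLLOW adds
    a second guard against a symlink at that exact path; mode 0o600 keeps
    other local users from reading or writing it afterwards.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    if hasattr(os, "O_NOFOLLOW"):
        flags |= os.O_NOFOLLOW
    return os.open(os.path.join(cache_dir, name), flags, 0o600)


def cache_dir_is_private(path):
    """True if `path` is a directory we own that group/other cannot write to.

    This is the property a shared /tmp lacks, and the reason a cache should
    live under a per-user directory instead.
    """
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != os.geteuid():
        return False
    return not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)


def demo():
    """Replay the scenario in scratch directories and report the outcomes."""
    shared = tempfile.mkdtemp()
    os.chmod(shared, 0o1777)                # make it look like /tmp
    planted = predictable_cache_path(shared, "alice")
    with open(planted, "w") as fh:          # another local user got there first
        fh.write("attacker-controlled serialized data")  # constructed content
    # A naive open() for writing reuses the planted path, and the application
    # later deserializes whatever ends up there. The exclusive open refuses:
    try:
        open_private_cache(shared, "cache_alice.ser")
        refused = False
    except FileExistsError:
        refused = True
    # Fix: a private 0700 directory (mkdtemp creates one) plus exclusive create.
    private = tempfile.mkdtemp()
    os.close(open_private_cache(private, "cache_alice.ser"))
    return {
        "exclusive_create_refused_planted_file": refused,
        "shared_dir_private": cache_dir_is_private(shared),
        "private_dir_private": cache_dir_is_private(private),
    }


if __name__ == "__main__":
    print(demo())
```

The exclusive create is the control that matters even when the directory is shared: it turns a silent reuse of attacker-planted data into a hard error that can be logged and alerted on. Moving the cache into a per-user 0700 directory removes the race altogether.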

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.42.0.4
11.40.1.10
11.38.2.16

Case 86341

Summary

Arbitrary file read as root during cPanel account creation for ACL limited resellers.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

An ACL limited reseller could send crafted inputs to WHM’s account creation functionality to combine multiple path traversal attacks in the package extensions subsystem. This flaw would store the contents of the destination file into the new account’s cpuser file.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.42.0.4
11.40.1.10

Case 86381

Summary

Disclosure of root’s accesshash to ACL limited resellers via WHM xml-api.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

Reseller accounts, regardless of their ACLs, were able to retrieve and alter root’s accesshash credentials via the get_remote_access_hash XML-API command by supplying empty user and password arguments.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.42.0.4
11.40.1.10
11.38.2.16

Case 86453

Summary

Injection of arbitrary settings into cpuser files via account creation.

Security Rating

cPanel has assigned a Security Level of Moderate to this vulnerability.

Description

The WHM /scripts5/wwwacctform interface allowed the injection of newlines into the ‘locale’ and ‘cpmod’ parameters. These injections could be used to set values in the newly created account’s cpuser file that were not permissible with a reseller’s ACL restrictions.

Credits

This issue was discovered by Rack911.

Solution

This issue is resolved in the following builds:
11.42.0.4
11.40.1.10
11.38.2.16

Case 86461

Summary

Overwriting of trusted inputs to third party hooks scripts.

Security Rating

cPanel has assigned a Security Level of Moderate to this vulnerability.

Description

An ACL limited reseller could provide additional form inputs to WHM’s create and modify account interfaces containing null bytes in the parameter name. When these inputs were passed on to third party hook scripts through an exec() call, the additional parameter names would be truncated at the null byte so that they matched parameter names the third party hook scripts normally treat as trusted.
Third party hook scripts are provided the raw inputs to the functions they extend and are responsible for validating these inputs. Since null bytes do not transfer through the hook script interface correctly, any form parameter names submitted with null bytes will now result in an error.
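The truncation described above happens wherever a string containing a NUL byte crosses into C-string territory: everything after the first NUL is lost, so a caller-chosen name can collide with a trusted one. The following is an added example, not cPanel's code; the hook hand-off is modelled as a dict of name/value pairs crossing such a boundary, and the parameter names and allow-list rule are constructed. It shows the collision and the two fixes: reject names that would change at the boundary, and apply trusted values last so extras can never shadow them.

```python
"""Modelling a NUL byte in a form parameter name at an exec()-style boundary.

Added example, not cPanel's code. The hook hand-off is modelled as a plain
dict of name/value pairs crossing a C-string boundary; names are constructed.
"""
import re

# Conservative allow-list for parameter names (an assumption for this
# example, not cPanel's actual rule).
NAME_RE = re.compile(r"[A-Za-z0-9_]{1,64}")


def c_string_truncate(s):
    """What a C API sees when handed `s`: everything up to the first NUL."""
    nul = s.find("\x00")
    return s if nul == -1 else s[:nul]


def forward_to_hook_unsafe(trusted, extra):
    """Naive hand-off: trusted values first, then the caller's extras.

    Each name is truncated as a C string, so "user\\x00x" becomes "user" and,
    being applied later, overwrites the trusted value.
    """
    env = {}
    for name, value in list(trusted.items()) + list(extra.items()):
        env[c_string_truncate(name)] = value
    return env


def bad_param_names(params):
    """Names that would change at the boundary or fall outside the allow-list."""
    return [n for n in params if "\x00" in n or not NAME_RE.fullmatch(n)]


def forward_to_hook_safe(trusted, extra):
    """Hardened hand-off: reject suspicious names, and let trusted values win."""
    bad = bad_param_names(extra)
    if bad:
        raise ValueError(f"rejected parameter names: {bad!r}")
    env = dict(extra)
    env.update(trusted)       # applied last, so extras can never shadow them
    return env


def demo():
    trusted = {"user": "alice", "domain": "example.test"}   # constructed
    extra = {"user\x00x": "root"}                          # constructed
    unsafe_user = forward_to_hook_unsafe(trusted, extra)["user"]
    try:
        forward_to_hook_safe(trusted, extra)
        rejected = False
    except ValueError:
        rejected = True
    return unsafe_user, rejected


if __name__ == "__main__":
    print(demo())   # ('root', True)
```

Python's own os.execve() and subprocess raise ValueError ("embedded null byte") rather than truncating, which is why the boundary is modelled here; the lesson carries to any interface that hands strings to C without such a check. Rejecting the name outright, as the fix above does, is preferable to stripping the NUL, because stripping would recreate the very collision being prevented.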

Credits

This issue was discovered by Rack911.

Solution

This issue is resolved in the following builds:
11.42.0.4
11.40.1.10
11.38.2.16

Case 86857

Summary

Limited arbitrary file overwrite for ACL limited resellers via domain parking.

Security Rating

cPanel has assigned a Security Level of Moderate to this vulnerability.

Description

The owner parameter to the WHM /scripts/park interface was not correctly validated. By injecting a path traversal attack into this parameter, reseller accounts with the ‘park-dns’ ACL could overwrite arbitrary files on the system with a Perl Storable file with predictable contents.
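Case 86341 and this case both stem from a user-controlled component being joined onto a fixed directory without confirming that the result stays inside it. The following is an added example, not cPanel's code; the base directory, file names and the owner-name rule are constructed. It pairs an allow-list check for the owner name with a containment check on the fully resolved path, and exercises both against textual traversal, an absolute path, and a planted symlink, which a purely lexical normalization would miss.

```python
"""Containing a user-supplied path component under a fixed base directory.

Added example, not cPanel's code. Base directory, file names and the
owner-name rule are constructed for illustration.
"""
import os
import re
import tempfile

# Allow-list for an account/owner name (an assumption for this example,
# not cPanel's actual username policy).
OWNER_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def valid_owner(name):
    """Allow-list check: rejects '/', '..', NUL and anything else unusual."""
    return bool(OWNER_RE.fullmatch(name))


def safe_join(base_dir, user_part):
    """Join and confirm the fully resolved result still lies under base_dir.

    realpath() collapses '..' and follows symlinks, so both a textual
    traversal and a planted symlink pointing outside the base are caught;
    an absolute user_part is caught too because os.path.join discards base.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_part))
    if candidate != base and not candidate.startswith(base + os.sep):
        raise ValueError(f"path escapes {base!r}: {user_part!r}")
    return candidate


def demo():
    """Exercise safe_join against typical inputs in a scratch directory."""
    base = tempfile.mkdtemp()
    # A symlink an attacker might plant inside the base (constructed).
    os.symlink(os.sep, os.path.join(base, "escape"))
    inputs = ["alice", "alice/../bob", "../../etc/passwd",
              "/etc/passwd", "escape/etc/passwd"]
    out = {}
    for inp in inputs:
        try:
            safe_join(base, inp)
            out[inp] = "allowed"
        except ValueError:
            out[inp] = "rejected"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k!r}: {v}")
```

Note that "alice/../bob" passes the containment check because it resolves to a path inside the base; that is correct for containment, and it is the allow-list on the owner name that should reject such input in the first place. Use both: the allow-list for the field, the containment check as the last line of defence before the filesystem write.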

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.42.0.4
11.40.1.10
11.38.2.16

Case 87317

Summary

Arbitrary code execution as root for ACL limited resellers via cluster configuration interfaces.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

Resellers with the ‘clustering’ ACL could inject data using newlines and NUL bytes into the form parameters of the cluster configuration interfaces. This flaw could then be leveraged to execute arbitrary code as root via string eval()s in various other interfaces.

Credits

This issue was discovered by Rack911.

Solution

This issue is resolved in the following builds:
11.42.0.4
11.40.1.10
11.38.2.16

Case 87433

Summary

Injection of arbitrary settings into cpuser files via mxcheck setting.

Security Rating

cPanel has assigned a Security Level of Moderate to this vulnerability.

Description

The WHM /script2/savemx and /cgi/zoneeditor.cgi interfaces allowed resellers with the “edit-mx” or “edit-dns” ACLs to modify the mxcheck setting for accounts under their control. By injecting newlines into this setting, a malicious reseller could alter other settings for the account that are stored in the account’s cpuser file.
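Cases 86453, 87317 and 87433 share one mechanism: a value that is allowed to contain a newline (or NUL) is written into a line-oriented file or parameter stream, so the attacker's extra line becomes a record of its own. The following is an added example, not cPanel's code; the cpuser file is modelled as a simple KEY=value-per-line store (an assumption for the example) and the setting names are constructed. It shows how the smuggled line survives a write/parse round trip, and two independent defences: rejecting control characters in values before they are stored, and checking that serializing then parsing gives back exactly what was meant to be written.

```python
"""Newline injection into a KEY=value-per-line settings file.

Added example, not cPanel's code. The cpuser file is modelled here as a
simple KEY=value-per-line store (an assumption for the example); the
setting names below are constructed.
"""
import re

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")    # includes \n, \r and NUL

# Settings a limited reseller may set (constructed allow-list).
RESELLER_MAY_SET = {"LOCALE", "CPMOD"}


def serialize(settings):
    """Write settings as one KEY=value line each."""
    return "".join(f"{key}={value}\n" for key, value in settings.items())


def parse(text):
    """Read KEY=value lines back; later lines win on duplicate keys."""
    out = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            out[key] = value
    return out


def validate_setting(key, value, allowed_keys):
    """Reject keys outside the allow-list and values carrying control bytes."""
    if key not in allowed_keys:
        raise ValueError(f"setting not permitted: {key}")
    if CONTROL_CHARS.search(value):
        raise ValueError(f"control character in value for {key}")
    return value


def round_trip_ok(settings):
    """Second line of defence: the file must parse back to exactly these keys."""
    return parse(serialize(settings)) == settings


def demo():
    # Reseller-supplied locale with a smuggled second line (constructed).
    smuggled = "en\nRESTRICTED_LIMIT=999"
    settings = {"LOCALE": smuggled}
    naive = parse(serialize(settings))       # what a naive writer produces
    try:
        validate_setting("LOCALE", smuggled, RESELLER_MAY_SET)
        rejected = False
    except ValueError:
        rejected = True
    return naive, rejected, round_trip_ok(settings)


if __name__ == "__main__":
    print(demo())
```

In the naive path the parsed file contains a RESTRICTED_LIMIT key the reseller was never allowed to touch. The validator stops it at the input boundary; the round-trip check catches the same problem at the write boundary, and is a useful guard for any line-oriented format where a later "KEY=" line silently overrides an earlier one.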

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.42.0.4
11.40.1.10
11.38.2.16

Case 87437

Summary

ACL limited resellers allowed to disable digest authentication for arbitrary accounts.

Security Rating

cPanel has assigned a Security Level of Minor to this vulnerability.

Description

Due to a lack of ACL enforcement, an ACL limited reseller could disable digest authentication for any account on the system using WHM’s XML-API. The ACL protections for this functionality have been updated to require that ACL limited resellers own any accounts they modify in this fashion.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.42.0.4
11.40.1.10
11.38.2.16

Case 87625

Summary

ACL limited resellers allowed to restore backups for the accounts they control.

Security Rating

cPanel has assigned a Security Level of Minor to this vulnerability.

Description

The WHM XML-API allowed all resellers to restore backups for any accounts they own. The equivalent functionality in WHM’s HTML interfaces restricted the ability to restore accounts from backups to resellers with the “all” ACL.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.42.0.4
11.40.1.10
11.38.2.16

Case 88061

Summary

Mis-assignment of IP addresses for ACL limited resellers via createacct.

Security Rating

cPanel has assigned a Security Level of Moderate to this vulnerability.

Description

With certain combinations of IP delegations and free IP address space, reseller accounts with the ‘add-pkg-ip’ ACL could install new accounts onto IP addresses delegated to another reseller. This might allow a malicious reseller account to capture web traffic intended for other accounts on the system.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.42.0.4
11.40.1.10
11.38.2.16

Case 88341

Summary

Arbitrary code execution for ACL limited resellers during account creation.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

A flaw in the new account creation process resulted in the Ruby ‘gem’ command running with the effective UID of the newly created user and the real UID of root. A malicious reseller account could leverage this flaw to execute arbitrary Ruby code with root’s UID during the account creation process.
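The state described above, effective UID of the new user but real UID still root, is not a privilege drop: a single seteuid(0) restores root, and code run in that window inherits the ability. The following is an added example, not cPanel's code; the UIDs used are constructed. It shows the order of operations for an irreversible drop and an audit helper that classifies a (real, effective, saved) triple so the half-dropped state is detected rather than assumed safe.

```python
"""Verifying a privilege drop is permanent, not just an effective-UID change.

Added example, not cPanel's code. UIDs used in the checks are constructed.
"""
import os


def drop_complete(ids, target):
    """True only if real, effective and saved IDs all equal `target`.

    With euid=target but ruid=0 (the situation described above) the process
    is still root: a single seteuid(0) restores full privilege.
    """
    return all(i == target for i in ids)


def drop_privileges(uid, gid):
    """Irreversibly drop to uid/gid; raise if any of the three IDs remain.

    Order matters: supplementary groups and GIDs must go while we are still
    root, and the UIDs go last. Requires root to run; not exercised below.
    """
    os.setgroups([])                  # supplementary groups first
    os.setresgid(gid, gid, gid)       # then real, effective and saved GID
    os.setresuid(uid, uid, uid)       # then real, effective and saved UID
    if not (drop_complete(os.getresuid(), uid)
            and drop_complete(os.getresgid(), gid)):
        raise RuntimeError("privilege drop incomplete")


def audit(resuid, target):
    """Classify a (ruid, euid, suid) triple for a log line or assertion."""
    ruid, euid, suid = resuid
    if drop_complete(resuid, target):
        return "fully dropped"
    if euid == target and 0 in (ruid, suid):
        return "effective UID only: root recoverable"
    return "not dropped"


if __name__ == "__main__":
    print(audit(os.getresuid(), os.getresuid()[1]))
```

When spawning a helper such as a package manager on behalf of a freshly created account, run drop_privileges() in the child before exec and treat anything other than "fully dropped" from audit() as a hard failure; the half-dropped triple (0, uid, 0) is exactly the pattern to alert on.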

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.42.0.4
11.40.1.10
11.38.2.16

Multiple Cases (55)

Summary

Multiple XSS vulnerabilities in various interfaces.

Description

Output filtering errors in several different interfaces allowed JavaScript inputs to be returned to the browser without proper filtering. The affected interfaces are listed below.

Case: 84633
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/htaccess/deluser.html, /frontend/x3/indexmanager/changepro.html, /frontend/x3/indexmanager/dohtaccess.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 84877
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /scripts3/initial_setup_wizard4
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Christy Philip Mathew

Case: 84881
Security Rating: Moderate
XSS Type: Stored
Interface: cPanel
URLs: /frontend/x3/mail/def.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Christy Philip Mathew

Case: 84885
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /x3/mail/filters/editfilter.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Christy Philip Mathew

Case: 84893
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/mail/conf.html, /frontend/x3/mail/saveconf.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Christy Philip Mathew

Case: 84897
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/stats/detailsubbw.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Christy Philip Mathew

Case: 84901
Security Rating: Moderate
XSS Type: Stored
Interface: cPanel
URLs: /frontend/x3/cpanelpro/filelist-thumbs.html, /frontend/paper_lantern/cpanelpro/filelist-thumbs.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Christy Philip Mathew

Case: 85029
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/mail/csvimport.html, /frontend/x3/mail/csvimport-step2.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Shubham Mittal

Case: 85133
Security Rating: Moderate
XSS Type: Stored
Interface: cPanel
URLs: /frontend/x3/filemanager/editit.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Shubham Mittal

Case: 85177
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/cgi/Clock/docode.html, /frontend/x3/cgi/Countdown/docode.htm, /frontend/x3/cgi/Counter/docode.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Paweł Hałdrzyński

Case: 85229
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/psql/deldb.html, /frontend/x3/psql/deldb.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 85249
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/psql/addusertodb.html, /frontend/x3/psql/addusertodb.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 85273
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/mime/addhotlink.html
Affected Releases: 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 85457
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/mail/editmsgs.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Ankit Mittal

Case: 85461
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/mail/showq.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Ankit Mittal

Case: 85589
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /scripts2/dotweaksettings
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Ernesto Martin

Case: 85977
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /scripts/addpkg2
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Olivier Beg

Case: 85985
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /scripts2/edit_sourceipcheck, /x3/security/security-questions.html, /paper_lantern/security/security-questions.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Olivier Beg

Case: 86329
Security Rating: Important
XSS Type: Stored
Interface: WHM
URLs: /scripts/doeditmx
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 87081
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/mime/add_redirect.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: SimranJeet Singh

Case: 87417
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/err/erredit.html, /frontend/x3/filemanager/editit.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: SimranJeet Singh

Case: 87457
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /cgi/cpaddons_feature.pl
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 88093
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/backup/fullbackup.html, /frontend/x3/backup/wizard-fullbackup.html, /frontend/paper_lantern/backup/fullbackup.html, /frontend/paper_lantern/backup/wizard-fullbackup.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 88097
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/backup/doupload.html, /frontend/paper_lantern/backup/doupload.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 88129
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/backup/dosqlupload.html, /frontend/paper_lantern/backup/dosqlupload.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 88133
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/backup/doafupload.html, /frontend/paper_lantern/backup/doafupload.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 88137
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/backup/wizard-dofullbackup.html, /frontend/x3/backup/dofullbackup.html, /frontend/paper_lantern/backup/wizard-dofullbackup.html, /frontend/paper_lantern/backup/dofullbackup.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 88141
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/denyip/add.html, /frontend/x3/denyip/add.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 88145
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/denyip/del.html, /frontend/x3/denyip/del.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 88149
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/denyip/index.html, /frontend/x3/denyip/index.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 88153
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/cpanelpro/filelist-convert.html, /frontend/paper_lantern/cpanelpro/filelist-scale.html, /frontend/paper_lantern/cpanelpro/filelist-thumbs.html, /frontend/x3/cpanelpro/filelist-convert.html, /frontend/x3/cpanelpro/filelist-scale.html, /frontend/x3/cpanelpro/filelist-thumbs.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 88157
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/files/savefile.html, /frontend/x3/files/savefile.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 88165
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/files/extractfile.html, /frontend/paper_lantern/files/extractfile.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 88173
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/files/showfile.html, /frontend/x3/files/showfile.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 88181
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/fp/addfp.html, /frontend/paper_lantern/fp/delfp.html, /frontend/x3/fp/addfp.html, /frontend/x3/fp/delfp.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 88209
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/htaccess/leechprotect/dohtaccess.html, /frontend/paper_lantern/htaccess/leechprotect/doleech.html, /frontend/x3/htaccess/leechprotect/dohtaccess.html, /frontend/x3/htaccess/leechprotect/doleech.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 88213
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/net/dnslook.html, /frontend/x3/net/dnslook.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 88229
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/park/dodelparked.html, /frontend/x3/park/dodelparked.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 88253
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/psql/deluserfromdb.html, /frontend/x3/psql/deluserfromdb.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 88257
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/stats/analog.html, /frontend/x3/stats/analog.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 88261
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/addon/saveredirect.html, /frontend/x3/addon/saveredirect.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 88265
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/subdomain/doadddomain.html, /frontend/x3/subdomain/doadddomain.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 88269
Security Rating: Moderate
XSS Type: Stored
Interface: cPanel
URLs: /frontend/x3/addoncgi/cpaddons.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 88277
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/sql/PhpMyAdmin.html, /frontend/paper_lantern/backup/index.html, /frontend/x3/sql/PhpMyAdmin.html, /frontend/x3/backup/index.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 88281
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/mail/queuesearch.html, /frontend/x3/mail/queuesearch.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 88285
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/cpanelpro/changestatus.html, /frontend/x3/cpanelpro/changestatus.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 88289
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/mail/editmsg.html, /frontend/x3/mail/editmsg.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 88293
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/cpanelpro/editmsgs.html, /frontend/x3/cpanelpro/editmsgs.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 88297
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/cpanelpro/msgaction.html, /frontend/x3/cpanelpro/msgaction.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 88301
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/mail/resetmsg.html, /frontend/x3/mail/resetmsg.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 88305
Security Rating: Moderate
XSS Type: Stored
Interface: cPanel
URLs: /frontend/paper_lantern/mail/conf.html, /frontend/x3/mail/conf.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 88309
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/mail/showlog.html, /frontend/x3/mail/showlog.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 88313
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/mail/showmsg.html, /frontend/x3/mail/showmsg.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 88321
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/cpanelpro/editlists.html, /frontend/x3/cpanelpro/editlists.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 88325
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/mail/conf.html, /frontend/x3/mail/conf.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

cPanel includes a comprehensive protection mechanism against XSS and XSRF attacks called Security Tokens. Security Tokens protection is enabled by default in all installs of cPanel & WHM. When Security Tokens protection is enabled, an attacker intending to utilize any self-XSS vulnerabilities must convince the victim to navigate their browser to the appropriate cPanel or WHM interface and manually input the JavaScript payload.

Credits

These issues were discovered by the respective reporters listed above.

Solution

These issues are resolved in the following builds:
11.42.0.4
11.40.1.10
11.38.2.16

For the PGP-signed message, see TSR-2014-0001-Full-Disclosure.