cPanel TSR-2017-0001 Full Disclosure
SEC-196
Summary
Fixed password used for Munin MySQL test account.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
Description
The Munin monitoring tool includes a plugin to check the status of the MySQL service. This plugin used a dedicated test MySQL user to provide this functionality. The password set for this user was identical to the username. In cPanel’s current configuration of Munin, this MySQL user is no longer required and has been removed.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36
SEC-197
Summary
Self-XSS in paper_lantern password change screen.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)
Description
Certain form variables on the password change screen could be interpreted as javascript markup. This allowed an attacker to inject a malicious payload into the page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36
SEC-198
Summary
Reflected XSS in reset password interfaces.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Description
The user form variable on the password change screen could be interpreted as javascript markup. This allowed an attacker to inject a malicious payload into the page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
SEC-199
Summary
Self-XSS in webmail Password and Security page.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)
Description
Certain form variables on the webmail password and security page could be interpreted as javascript markup. This allowed an attacker to inject a malicious payload into the page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36
SEC-201
Summary
Arbitrary file read via Exim valiases.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 6.8 (AV:N/AC:L/Au:S/C:C/I:N/A:N)
Description
When processing the valiases for a user, Exim was running as the root user. By creating a valias that included other files, an attacker was able to read arbitrary files as the root user.
Credits
This issue was discovered by RACK911Labs.com.
Solution
This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
SEC-204
Summary
Exim piped filters ran as wrong user when delivering to a system user.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Description
Piped commands executed by the central_user_filter were run as the nobody user. Now the filters are run as the system user’s UID.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36
SEC-205
Summary
Leech Protect did not protect certain directories.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Description
The Leech Protect system allows admins to detect unusual amounts of activity on password protected directories. This system was not functioning on directories with a two character name.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36
SEC-206
Summary
Exim transports could be run as the nobody user.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
Description
It was possible to run exim transports as the nobody user if the receiving email domain was removed during delivery. Transports will now run as the proper user even if the domain no longer exists.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36
SEC-207
Summary
Improper ACL checks in xml-api for Rearrange Account.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)
Description
Using the ‘fetch_transfer_session_log’ API, it was possible to fetch transfer information created by other resellers. This could reveal potentially sensitive information to an attacker.
Credits
This issue was discovered by RACK911Labs.com.
Solution
This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36
SEC-209
Summary
SSL certificate generation in WHM used an unreserved email address.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)
Description
In WHM, when a certificate was generated using the “Generate an SSL Certificate and Signing Request” interface with “When complete, email me the certificate, key, and CSR” selected, the resulting message used “admin@” as the From address. The account name “admin” is not reserved in cPanel & WHM, so if such an account was created, it would intercept any replies or bounces.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36
SEC-210
Summary
Account ownership not enforced by has_mycnf_for_cpuser WHM API call.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)
Description
The has_mycnf_for_cpuser WHM API call did not verify the caller’s ownership of the specified account. This could allow for a limited amount of information about the user’s MySQL configuration to be leaked.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36
SEC-211
Summary
Stored XSS Vulnerability in WHM Account Suspension List interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
Description
When viewing the WHM Account Suspension List with the ‘nohtml’ flag enabled, the response to the browser was sent with the ‘Content-type’ header set to ‘text/html’. This caused plain text to be interpreted as html markup.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36
SEC-212
Summary
Format string injection vulnerability in cgiemail.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Description
The ability to supply arbitrary format strings to cgiemail and cgiecho allowed code execution whenever a user was able to provide a cgiemail template file. Format strings in cgiemail templates are now restricted to simple %s, %U and %H sequences.
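To illustrate the restriction described above, here is an added example (not cgiemail's or cPanel's code) of a template validator that accepts only the three permitted sequences and rejects every other printf-style conversion; the function name is hypothetical, and the treatment of "%%" is an assumption since the advisory does not mention it.

```c
/* Hypothetical validator (an added example, not cgiemail's code). Scans a
 * cgiemail-style template and accepts it only if every '%' introduces one
 * of the three conversions the fix permits, exactly "%s", "%U" or "%H",
 * with no flags, width, precision or length modifier between the '%' and
 * the letter. Anything else, e.g. "%n", "%x", "%10s", "%-5U" or a bare '%'
 * at the end of the template, makes the template unacceptable, because a
 * template that reaches a printf-style formatter with such sequences can
 * read or write memory the author never intended. The advisory does not
 * say whether a literal "%%" is allowed; this checker treats it as invalid
 * (assumption). Returns the number of conversions found, or -1 if the
 * template is rejected. */
int count_template_conversions(const char *tmpl) {
    int count = 0;
    for (const char *p = tmpl; *p != '\0'; p++) {
        if (*p != '%')
            continue;                         /* ordinary template text */
        p++;                                  /* character after the '%' */
        if (*p != 's' && *p != 'U' && *p != 'H')
            return -1;                        /* also catches a trailing '%' */
        count++;
    }
    return count;
}
```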
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
60.0.35
58.0.43
56.0.43
54.0.36
SEC-213
Summary
WHM ‘enqueue_transfer_item’ API allowed resellers to queue non rearrange modules.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:N/A:P)
Description
The ‘enqueue_transfer_item’ API allowed resellers with the ‘rearrange-accts’ ACL to add items from arbitrary Whostmgr::Transfers::Session modules. This could have potentially allowed for a reseller with the ‘rearrange-accts’ ACL to initiate a remote transfer or perform other restricted operations.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
SEC-214
Summary
Open redirect vulnerability in cgiemail.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Description
The cgiemail and cgiecho binaries served as an open redirect due to their handling of the “success” and “failure” parameters. These redirects are now limited to the domain that handled the request.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
60.0.35
58.0.43
56.0.43
54.0.36
SEC-215
Summary
HTTP header injection vulnerability in cgiemail.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Description
The handling of redirects in cgiemail and cgiecho did not protect against the injection of additional HTTP headers. Newline characters are now stripped from the redirect location to protect against this.
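The two cgiemail redirect fixes, limiting the target to the requesting domain (SEC-214) and stripping newlines from the Location value (SEC-215), as one added example in C; this is not cgiemail's or cPanel's code, the function names are hypothetical, and it assumes the request host is already known to the caller.

```c
#include <ctype.h>
#include <string.h>

/* Case-insensitive compare of n bytes; stops at the first mismatch, so a
 * shorter NUL-terminated `a` is never read past its terminator. */
static int ieq(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}
/* SEC-215 mitigation: copy `target` into `out` with every CR and LF removed,
 * so no part of the value can end the Location header and start another. */
static void strip_newlines(const char *target, char *out, size_t outlen) {
    size_t j = 0;
    for (; *target != '\0' && j + 1 < outlen; target++)
        if (*target != '\r' && *target != '\n')
            out[j++] = *target;
    out[j] = '\0';
}
/* SEC-214 mitigation: accept only a path-only target ("/..." but not the
 * scheme-relative "//host/...") or an absolute http(s) URL whose host, taken
 * after any "user:pass@" and before any ":port", equals request_host.
 * Bracketed IPv6 literals are not handled (assumption: not needed here). */
static int same_site_redirect(const char *request_host, const char *url) {
    const char *auth, *end, *at, *colon;
    size_t hostlen;
    if (url[0] == '/')
        return url[1] != '/';
    if (ieq(url, "https://", 8))
        auth = url + 8;
    else if (ieq(url, "http://", 7))
        auth = url + 7;
    else
        return 0;                          /* any other scheme is refused */
    end = auth + strcspn(auth, "/?#");     /* end of the authority part */
    at = memchr(auth, '@', (size_t)(end - auth));
    if (at != NULL)
        auth = at + 1;                     /* drop userinfo */
    colon = memchr(auth, ':', (size_t)(end - auth));
    hostlen = (size_t)((colon != NULL ? colon : end) - auth);
    return hostlen == strlen(request_host) && ieq(auth, request_host, hostlen);
}
/* Returns 1 and fills `out` when `target` may be sent as the Location for a
 * request to `request_host`; returns 0 when the redirect must be refused. */
int sanitize_redirect(const char *request_host, const char *target,
                      char *out, size_t outlen) {
    strip_newlines(target, out, outlen);
    return same_site_redirect(request_host, out);
}
```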
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
60.0.35
58.0.43
56.0.43
54.0.36
SEC-216
Summary
Reflected XSS vulnerability in cgiemail addendum handling.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Description
The “addendum” parameter was reflected without any escaping in success and error messages produced by cgiemail and cgiecho. This output is now html escaped.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
60.0.35
58.0.43
56.0.43
54.0.36
For the PGP-Signed version of this announcement please see: https://news.cpanel.com/wp-content/uploads/2017/01/TSR-2017-0001.disclosure.signed.txt