cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.
SEC-646
Summary
Explicitly set the error log in scripts/cleanphpsessions.php.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 2.3 CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:H
Description
If /usr/local/cpanel/scripts/cleanphpsessions.php is run via the system php (not “our” php), it dumps errors into an error log in the working directory. This could allow for a symlink attack. Explicitly set the error log to the same error log that “our” php uses.
Credits
This issue was discovered by RACK911.
Solution
This issue is resolved in the following builds:
11.106.0.3
11.104.0.8
11.102.0.21
SEC-652
Summary
Fix Self-XSS vulnerability in ModSec Tools interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 2.6 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N
Description
Add escaping needed so error/warning messages properly display offending content as text rather than attempting to render it.
Credits
This issue was discovered by John Lightsey.
Solution
This issue is resolved in the following builds:
11.106.0.3
11.104.0.8
11.102.0.21
SEC-653
Summary
Prevent arbitrary file reading via DNS zone parsing.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
Parsing a DNS zone results in the contents of any include file being read and incorporated into the zone data. If this occurs as a result of an AdminBin call by a cPanel user, the parse operation runs as root, allowing a non-privileged account to read any file on the system. Before loading the include file contents, check for a non-root calling user and, if so, drop privileges before reading the file.
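As an added illustration of the fix described above (not cPanel's code): a minimal include expander that forks and drops to the calling user's uid/gid before opening each included file, so a parser running as root can only read what the caller could read. The $INCLUDE syntax is assumed as the include directive, the zone text and include file are constructed, and the read_as_user, expand_zone and demo names are this example's own.

```python
import os
import re
import tempfile

INCLUDE_RE = re.compile(r"^\$INCLUDE\s+(\S+)", re.IGNORECASE)  # path is 1st token

def read_as_user(path, uid, gid):
    """Read `path` in a forked child that drops to uid/gid first; None if it cannot."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: the only process that ever opens `path`
        os.close(rfd)
        try:
            if os.geteuid() == 0:
                os.setgroups([])  # shed supplementary groups (root only)
            os.setgid(gid)  # gid first: setuid() removes the right to setgid()
            os.setuid(uid)  # from here on open() is checked as the caller
            with open(path, "rb") as src, os.fdopen(wfd, "wb") as dst:
                dst.write(src.read())
        except OSError:
            os._exit(1)
        os._exit(0)
    os.close(wfd)  # parent keeps its privileges and just collects the bytes
    with os.fdopen(rfd, "rb") as src:
        data = src.read()
    _, status = os.waitpid(pid, 0)
    return data if os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0 else None

def expand_zone(zone_text, caller_uid, caller_gid):
    """Return zone lines with each include replaced by its contents, read as caller."""
    lines = []
    for line in zone_text.splitlines():
        match = INCLUDE_RE.match(line)
        if not match:
            lines.append(line)
            continue
        data = read_as_user(match.group(1), caller_uid, caller_gid)
        if data is None:  # caller cannot read it, so root must not either
            raise PermissionError(f"uid {caller_uid} may not read {match.group(1)}")
        lines.extend(data.decode().splitlines())
    return lines

def demo():
    """Constructed zone and include file, parsed as the current (unprivileged) user."""
    with tempfile.NamedTemporaryFile("w", suffix=".inc", delete=False) as inc:
        inc.write("www 3600 IN A 192.0.2.10\n")
    zone = f"$ORIGIN example.com.\n@ 3600 IN NS ns1\n$INCLUDE {inc.name}\n"
    result = expand_zone(zone, os.getuid(), os.getgid())
    os.unlink(inc.name)
    return result
```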
Credits
This issue was discovered by John Lightsey.
Solution
This issue is resolved in the following builds:
11.106.0.3
11.104.0.8
11.102.0.21
SEC-654
Summary
Fix XSS in WHM ModSec Vendors interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 2.6 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N
Description
We need to escape the error message from a failed “Save” operation before displaying it.
Credits
This issue was discovered by John Lightsey.
Solution
This issue is resolved in the following builds:
11.106.0.3
11.104.0.8
11.102.0.21
SEC-655
Summary
Verify domain ownership in subdomain admin module.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 5.0 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L
Description
When an adminbin call is made to delete a subdomain, there is no initial check to validate the caller’s ownership of the domain. The call to delete the subdomain eventually errors out, but only after disabling PHP-FPM for the domain. Have the subdomain admin module validate domain ownership before attempting any action on the domain. The same check is needed for the call that changes the document root of a domain, and ownership of the root domain must be validated when creating a subdomain.
Credits
This issue was discovered by John Lightsey.
Solution
This issue is resolved in the following builds:
11.106.0.3
11.104.0.8
11.102.0.21
SEC-658
Summary
Fix MySQL admin takeover via postponed dbuser creation.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 7.6 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Description
When an account is created, we check the proposed account name for collisions with database user names. However, we skip this check when the database service has been disabled, which can allow a database account takeover once the database service is re-enabled. If the database service is disabled, at least check the map file for name collisions.
Credits
This issue was discovered by John Lightsey.
Solution
This issue is resolved in the following builds:
11.106.0.3
11.104.0.8
11.102.0.21