-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

TSR 2013-0012 Full Disclosure

Case 84681

Summary

Arbitrary file read for ACL limited reseller accounts via XML-API.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

The WHM XML and JSON APIs allowed arbitrary files to be read through the "getpkginfo" API call. By sending a crafted input to this call, resellers with the "viewglobalpackages" ACL could read the contents of files accessible only to root.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

    11.40.1.7 & Greater
    11.40.0.31 & Greater
    11.38.2.15 & Greater
    11.36.2.12 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBAgAGBQJSuL8sAAoJEJUhvtyr2U3fUN4P/29FNyGspE9owGQrBR2twSly
hhyig+vFDPGdp0xyPvqMqfUCzRq8CTVBLn2QE9R69HnDSYWbGXbE1Qr5xet+8mUQ
yUMc1g+qa7Cbyv3z0VI5z84L2DLFANgrDaRmpnj4AHIR5KQLWvLV10DYGfrS/MR2
2+getAUlIWGLtJ+Q8wZG0l1UAV8k6JLzxXn4PLjAwmYY9cP15NwUqYhDJJglUo/W
9JKF2QUaW54VI9gQ6bJTsFeZuDhEhmXm7vYc8mi9PDMbi2eAh39aliJZB+PFX7vQ
K3zNxxIY8u1ofWjoLwN6XIuIt+U/XVb+ZOa3sDBFc53lDpWg0nSjTyoaBSBcrSpQ
PzS+EbaQ6Pn7UJKYgBiO5gqQADM77xvtd9kZO3KScTTasYw3mwknaN97tWTic6Zr
hbLAp1U1yYuDw+b6l/AVunkEHbFt8osJ8uBX7lj+uAmiT6eiRlp3I+N9qqpMqgT4
jVsJ0i/qJjEHCPmDkzSRmRzliJZM+AfSfA/2OLrvylJ+GlLSqqcbQwOFF7Kl/ree
9DgFF4xBC8pAtyj7GsztD7kx0qk7dHQbhTOhD+U+klNZGLm5D/KLWY0WuqDdlqoo
zuhqfDWzCNUr8gaPJAfz2h6r7hEnWU/l4v5m+VXwAD9LA23af1g7wqP0uHG5wPg4
PhyKvgEsrZEmPGJJ1ZZE
=0oig
-----END PGP SIGNATURE-----