-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

TSR 2013-0012 Full Disclosure

Case 84681

Summary
Arbitrary file read for ACL limited reseller accounts via XML-API.

Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.

Description
The WHM XML and JSON APIs allowed arbitrary files to be read through the "getpkginfo" API call. By sending a crafted input to this call, resellers with the "viewglobalpackages" ACL could read the contents of files accessible only to root.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:

11.40.1.7 & Greater
11.40.0.31 & Greater
11.38.2.15 & Greater
11.36.2.12 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBAgAGBQJSuL8sAAoJEJUhvtyr2U3fUN4P/29FNyGspE9owGQrBR2twSly
hhyig+vFDPGdp0xyPvqMqfUCzRq8CTVBLn2QE9R69HnDSYWbGXbE1Qr5xet+8mUQ
yUMc1g+qa7Cbyv3z0VI5z84L2DLFANgrDaRmpnj4AHIR5KQLWvLV10DYGfrS/MR2
2+getAUlIWGLtJ+Q8wZG0l1UAV8k6JLzxXn4PLjAwmYY9cP15NwUqYhDJJglUo/W
9JKF2QUaW54VI9gQ6bJTsFeZuDhEhmXm7vYc8mi9PDMbi2eAh39aliJZB+PFX7vQ
K3zNxxIY8u1ofWjoLwN6XIuIt+U/XVb+ZOa3sDBFc53lDpWg0nSjTyoaBSBcrSpQ
PzS+EbaQ6Pn7UJKYgBiO5gqQADM77xvtd9kZO3KScTTasYw3mwknaN97tWTic6Zr
hbLAp1U1yYuDw+b6l/AVunkEHbFt8osJ8uBX7lj+uAmiT6eiRlp3I+N9qqpMqgT4
jVsJ0i/qJjEHCPmDkzSRmRzliJZM+AfSfA/2OLrvylJ+GlLSqqcbQwOFF7Kl/ree
9DgFF4xBC8pAtyj7GsztD7kx0qk7dHQbhTOhD+U+klNZGLm5D/KLWY0WuqDdlqoo
zuhqfDWzCNUr8gaPJAfz2h6r7hEnWU/l4v5m+VXwAD9LA23af1g7wqP0uHG5wPg4
PhyKvgEsrZEmPGJJ1ZZE
=0oig
-----END PGP SIGNATURE-----
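The Solution section lists four fixed builds on four separate release branches, so "am I patched?" is a branch-aware comparison rather than a single version compare. The following is an added example, not part of the cPanel advisory and not cPanel code: it parses a cPanel & WHM version string and reports whether that build is at or above the fixed build for its branch. The path /usr/local/cpanel/version used by check_installed() is an assumption about where the installed version is recorded, and the rule for branches the advisory does not list (newer than every listed branch is treated as fixed, anything else as not fixed) is the example's own assumption, not a statement from the advisory.

```python
"""Added example (not from the cPanel advisory): decide whether a cPanel & WHM
build is at or above a fixed build listed in TSR 2013-0012."""

# Fixed builds exactly as stated in the advisory, keyed by release branch
# (the first three version components). "& Greater" means any build on the
# same branch with a build number >= the listed one contains the fix.
FIXED_BUILDS = {
    (11, 40, 1): 7,
    (11, 40, 0): 31,
    (11, 38, 2): 15,
    (11, 36, 2): 12,
}


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH.BUILD' into a tuple of four ints.

    Raises ValueError for anything else, so a malformed or empty version
    file fails loudly instead of being treated as 'fixed'."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised cPanel version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_fixed(version_text):
    """Return True if this build is at or above the fixed build for its branch.

    Assumption (not from the advisory): a branch newer than every listed
    branch shipped after the fix and is treated as fixed; any other unlisted
    branch (older, or an intermediate one) is reported as not fixed rather
    than guessed at."""
    major, minor, patch, build = parse_version(version_text)
    branch = (major, minor, patch)
    if branch in FIXED_BUILDS:
        # Same branch as a listed fix: compare the build number only.
        return build >= FIXED_BUILDS[branch]
    return branch > max(FIXED_BUILDS)


def check_installed(path="/usr/local/cpanel/version"):
    """Read the installed version (assumed location) and evaluate it."""
    with open(path, encoding="ascii") as fh:
        return is_fixed(fh.read())


if __name__ == "__main__":
    import sys

    # Constructed sample versions for a stand-alone run; pass your own as
    # arguments, or call check_installed() on a cPanel host.
    samples = sys.argv[1:] or [
        "11.40.1.7", "11.40.1.6", "11.38.2.20", "11.36.2.3", "11.42.0.1",
    ]
    for v in samples:
        print(f"{v:>12}  {'fixed' if is_fixed(v) else 'NOT fixed'}")
```

Run it with no arguments to see the constructed samples evaluated, or with one or more version strings; on a cPanel host, check_installed() reads the version file instead. Note that a build such as 11.40.0.31 is fixed even though it sorts below 11.40.1.6, which is not: a plain lexical or tuple comparison across branches would get that wrong, which is why the check keys on the branch first.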