cPanel TSR 2014-0002 Full Disclosure

Case 89985

Summary

Disclosure of cpanel-horde's MySQL password due to world-readable backups.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

During the upgrade to Horde 5 on 11.42 systems, a backup tarball of the existing Horde configuration files is created. This backup tarball was created in a world-accessible directory with world-readable permissions, allowing local accounts to see the MySQL password for the shared cpanel-horde user.

Credits

This issue was discovered by Rack911.

Solution

This issue is resolved in the following builds:

11.42.0.6
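The condition in the Description needs both halves to hold: the archive is readable by "other" and every directory above it is traversable by "other". The sketch below is an added example, not cPanel's code or its fix; it creates a configuration backup with owner-only permissions and checks an existing archive for that exposure. The function names, file names and the `root` parameter are hypothetical, and the advisory does not state the real backup path.

```python
import os
import stat
import tarfile
import tempfile


def write_private_backup(src_dir, dest_path):
    """Archive src_dir into dest_path, readable by the owner only."""
    # Mode 0600 is applied at creation (umask can only remove bits), so the
    # archive is never world-readable, even briefly. O_EXCL makes the call
    # fail if dest_path already exists, including as a symlink.
    fd = os.open(dest_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh, tarfile.open(fileobj=fh, mode="w:gz") as tar:
        tar.add(src_dir, arcname=os.path.basename(os.path.normpath(src_dir)))
    return dest_path


def exposed_to_other_users(path, root="/"):
    """True if the 'other' permission bits let any local account read path.
    Needs o+r on the file and o+x on every directory from its parent up to
    root. ACLs and group access are not considered (assumption: plain modes).
    """
    path, root = os.path.realpath(path), os.path.realpath(root)
    if not os.stat(path).st_mode & stat.S_IROTH:
        return False
    parent = os.path.dirname(path)
    while True:
        if not os.stat(parent).st_mode & stat.S_IXOTH:
            return False
        if parent in (root, os.path.dirname(parent)):
            return True
        parent = os.path.dirname(parent)


if __name__ == "__main__":
    # Constructed sample: a stand-in config directory inside a 0755 directory.
    base = tempfile.mkdtemp()
    os.chmod(base, 0o755)
    conf = os.path.join(base, "horde-config")
    os.mkdir(conf)
    with open(os.path.join(conf, "conf.php"), "w") as f:
        f.write("placeholder, not a real credential\n")
    os.umask(0o022)
    with tarfile.open(os.path.join(base, "weak.tar.gz"), "w:gz") as tar:
        tar.add(conf, arcname="horde-config")  # created with default mode 0644
    write_private_backup(conf, os.path.join(base, "safe.tar.gz"))
    for name in ("weak.tar.gz", "safe.tar.gz"):
        print(name, exposed_to_other_users(os.path.join(base, name), root=base))
```

The `root` argument limits how far up the directory walk goes; leave it at `/` when auditing a real path.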