-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

cPanel TSR 2014-0003 Full Disclosure

Case 85329
Summary
Sensitive information disclosed via multiple log files.
Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.
Description
Several log files on cPanel & WHM systems were created with default world-readable permissions. These log files include both sensitive internal data such as stack traces and less sensitive information about the existence of other accounts and domains on the system.
Credits
This issue was discovered by Rack911.
Solution
This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23

Case 86337
Summary
Injection of arbitrary DNS zonefile contents via cPanel DNS zone editors.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
The cPanel interface provides restricted interfaces for modifying aspects of the DNS zones that belong to a cPanel account. A malicious cPanel account could use crafted inputs to the simple and advanced DNS zone editor interfaces to rewrite parts of the zone files that they are normally restricted from editing. With some inputs, this could disclose the contents of sensitive files on the system.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23

Case 86465
Summary
Insufficient ACL checks in WHM Modify Account interface.
Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.
Description
Within WHM's "Modify Account" interface and associated xml-api commands, several settings for cPanel accounts could be altered with the "edit-account" reseller ACL rather than the more restrictive "all" ACL that is required in the dedicated interfaces for these settings. In particular, an account could be switched between the new and legacy backup systems, which should only be permissible by the root user.
Credits
This issue was discovered by Rack911.
Solution
This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23

Case 87205
Summary
Open redirect vulnerability in FormMail-clone.
Security Rating
cPanel has assigned a Security Level of Minor to this vulnerability.
Description
cPanel & WHM servers include a clone of the classic FormMail.pl script. This clone includes the ability to redirect the browser after successful form submission to a URL included in the browser-supplied parameters. These redirects are now restricted to HTTP and HTTPS locations that are on the server.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23

Case 87873
Summary
Multiple format string vulnerabilities in Cpanel::API::Fileman.
Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.
Description
Error messages in Cpanel::API::Fileman were being generated using Locale::Maketext::maketext(). These errors were then added to a Cpanel::Result object using the error() method, which also performs maketext() interpolation on its inputs. With carefully crafted inputs, an authenticated attacker could utilize these format string flaws to execute arbitrary code using maketext() bracket notation.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.42.0.23
11.40.1.13

Case 88577
Summary
Arbitrary file overwrite via trackupload parameter.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
The trackupload functionality in cPanel & WHM's default POST parameter and QUERY_STRING processor module allows a log file to be written and queried while a file upload is occurring.
In some contexts, an authenticated attacker could make cpsrvd create the trackupload log file inside the user's home directory while running with the effective UID of root. By combining this with a symlinked trackupload log file target, any file on the system could be overwritten.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23

Case 88793
Summary
External XML entity injection in WHM locale upload interface.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
The XML parser used by WHM for XLIFF and dumper-format XML locale file uploads allowed the processing of external XML entities. This would permit resellers with the 'locale-edit' ACL to reference arbitrary files on the system as external entities in an XLIFF translation upload and retrieve the target file by downloading the translation. All external XML entity processing in the translation system's handling of XML files is now disabled.
Credits
This issue was discovered by Prajith from NdimensionZ Solutions Pvt Ltd.
Solution
This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23

Case 88961
Summary
Arbitrary code execution for ACL limited resellers via WHM Activate Remote Nameservers interface.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
Resellers with the 'clustering' ACL could send crafted parameters with newlines to the WHM /cgi/activate_remote_nameservers.cgi script and inject unsanitized values in the DNS clustering credential storage system. These unsanitized parameters could include code injections that would run with root's effective UID or parameters intended to disclose root's accesshash credentials to systems under the reseller's control.
Credits
This issue was discovered by Rack911.
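Editor's added example for Case 87873 above (not cPanel code, and not Locale::Maketext itself): a small Python model of maketext-style bracket notation, just enough to show the double-interpolation bug. In the model, '[_N]' substitutes the Nth argument, '[method,arg,...]' calls a method on the language handle, and '~[' and '~]' are the literal-bracket escapes, which is the same escaping rule Locale::Maketext uses. The Handle and Result classes, the 'run' method, fileman_open() and the hostile filename are all assumed for illustration.

```python
import re

# '~x' is a literal x (so '~[' and '~]' are literal brackets); '[...]' is a
# bracket group to be evaluated.  Same escaping rule as Locale::Maketext.
TOKEN = re.compile(r"~(.)|\[([^\[\]]*)\]")


class Handle:
    """Stand-in for a Locale::Maketext language handle (assumed, not cPanel's)."""

    def numf(self, n):
        return f"{int(n):,}"

    def run(self, cmd):
        # Assumed stand-in for a reachable method with side effects; the
        # advisory reports that reachable methods allowed code execution.
        return f"<executed {cmd}>"

    def maketext(self, template, *args):
        def param(tok):
            return str(args[int(tok[1:]) - 1]) if re.fullmatch(r"_\d+", tok) else tok

        def sub(m):
            if m.group(1) is not None:          # escaped character
                return m.group(1)
            head, *rest = m.group(2).split(",")
            if re.fullmatch(r"_\d+", head):     # [_N]: plain argument substitution
                return param(head)
            return str(getattr(self, head)(*[param(p) for p in rest]))

        return TOKEN.sub(sub, template)


class Result:
    """Models Cpanel::Result: error() runs maketext() on whatever it is given."""

    def __init__(self, lh):
        self.lh = lh
        self.errors = []

    def error(self, template, *args):           # the vulnerable sink
        self.errors.append(self.lh.maketext(template, *args))

    def error_rendered(self, text):             # hardened: no second interpolation
        self.errors.append(text)


def escape_brackets(s):
    """Neutralise bracket notation in data that will be interpolated again."""
    return s.replace("~", "~~").replace("[", "~[").replace("]", "~]")


def fileman_open(lh, result, filename, reinterpolate=True, escape=False):
    """Models the Fileman flow: build a localised error (first pass), then
    store it via Result->error() (second pass).  `filename` is user data."""
    arg = escape_brackets(filename) if escape else filename
    msg = lh.maketext('Could not open the file "[_1]".', arg)   # first pass
    if reinterpolate:
        result.error(msg)                                       # second pass
    else:
        result.error_rendered(msg)
    return result.errors[-1]


if __name__ == "__main__":
    lh = Handle()
    payload = "[run,id]"          # constructed hostile filename
    print(fileman_open(lh, Result(lh), payload))                      # Could not open the file "<executed id>".
    print(fileman_open(lh, Result(lh), payload, reinterpolate=False))  # Could not open the file "[run,id]".
    print(fileman_open(lh, Result(lh), payload, escape=True))          # Could not open the file "[run,id]".
```

The first pass is fine on its own: '[_1]' inserts the filename verbatim. The bug is that the rendered string is then treated as a template again, so brackets that arrived as data are evaluated as code. The fix is the error_rendered() path (store what has already been rendered through a method that does not interpolate); escaping is the fallback when a second interpolation cannot be avoided.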
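Editor's added example for Case 88577 above (not cPanel code): the symlink redirect reproduced unprivileged in a temporary directory, next to the open(2) flags that defeat it. The file names, the scenario and the ownership policy in safe_append() are constructed for illustration; the follow/no-follow behaviour is the same whether the writer is root or an ordinary user.

```python
import os
import stat
import tempfile


def naive_create(path, data):
    """The original pattern: open() with O_CREAT|O_TRUNC follows a symlink at
    `path`, so whoever controls the directory chooses the real target."""
    with open(path, "wb") as fh:
        fh.write(data)


def safe_create(path, data):
    """Create atomically and refuse anything already present.  O_EXCL fails
    on any existing entry (file, symlink, fifo); O_NOFOLLOW refuses to
    traverse a symlink in the final component.  Both are evaluated inside
    one open(2), so there is no check-then-open window to race."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def safe_append(path, data, expected_uid):
    """Reopen an existing log without following links, then verify the inode
    that was actually opened (regular file, expected owner, single link)
    before writing.  fstat() on the descriptor cannot be raced."""
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_uid != expected_uid or st.st_nlink != 1:
            raise PermissionError(f"{path}: not a plain file owned by uid {expected_uid}")
        os.write(fd, data)
    finally:
        os.close(fd)


def demo():
    """Constructed scenario in a temp dir: `target` stands in for a root-owned
    system file and `home` for the user-controlled directory."""
    original, hostile = b"original contents\n", b"attacker chosen\n"
    results = {}
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "target")
        home = os.path.join(root, "home")
        os.mkdir(home)
        link = os.path.join(home, "trackupload.log")
        os.symlink(target, link)                 # planted by the user

        with open(target, "wb") as fh:
            fh.write(original)
        naive_create(link, hostile)              # follows the link
        with open(target, "rb") as fh:
            results["naive_clobbered"] = fh.read() == hostile

        with open(target, "wb") as fh:
            fh.write(original)
        for name, attempt in (("create", lambda: safe_create(link, hostile)),
                              ("append", lambda: safe_append(link, hostile, os.geteuid()))):
            try:
                attempt()
                results[name + "_refused"] = False
            except OSError:                      # EEXIST or ELOOP
                results[name + "_refused"] = True
        with open(target, "rb") as fh:
            results["target_intact"] = fh.read() == original

        fresh = os.path.join(home, "fresh.log")  # the legitimate path still works
        safe_create(fresh, b"line 1\n")
        safe_append(fresh, b"line 2\n", os.geteuid())
        with open(fresh, "rb") as fh:
            results["fresh_written"] = fh.read() == b"line 1\nline 2\n"
    return results


if __name__ == "__main__":
    print(demo())
```

The flags are the minimum. A daemon that must write under a user's home should additionally drop its effective UID to that user (or use openat() against a directory descriptor it opened before the user could act), so that even a logic slip elsewhere cannot reach files the user could not reach anyway.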
Solution
This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23

Case 89377
Summary
Arbitrary code execution for ACL limited resellers via WHM objcache.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
A flaw in the hostname input sanitization of WHM's objcache functionality could be used by malicious resellers with limited ACLs to download Template Toolkit code of their choosing into the WHM objcache storage system. The malicious Template Toolkit code would subsequently execute with EUID 0 during the processing of WHM News.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23

Case 89733
Summary
Injection of arbitrary data into cpuser configuration files via wwwacct.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
The WHM /scripts5/wwwacct interface allowed arbitrary values to be set for the 'owner' parameter during new account creation by resellers with the 'create-acct' ACL. By supplying values with newlines, resellers could control all fields in the newly created account's cpuser configuration file.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23

Case 89789
Summary
Arbitrary code execution for ACL limited resellers via batch API.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
The WHM XML-API allows for multiple commands to be combined into one call via the 'batch' command. Some aspects of the execution environment for one command in a batch persisted in the execution of subsequent commands. By leveraging failures of a preceding command, a malicious authenticated reseller could execute arbitrary code as the root user in subsequent commands in the batch.
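Editor's added example for Case 88793 above (not cPanel's translation code): an XLIFF-style upload that carries an external entity, parsed once with external general entities enabled (the behaviour the advisory describes) and once with them disabled. Only the Python standard library is used; the secret file, the XLIFF fragment and the element names are constructed for the demonstration.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TargetCollector(ContentHandler):
    """Collects the text of each <target>, which is what a translation
    download hands back to the uploader."""

    def __init__(self):
        super().__init__()
        self.targets = []
        self._buf = None

    def startElement(self, name, attrs):
        if name == "target":
            self._buf = []

    def characters(self, content):
        if self._buf is not None:
            self._buf.append(content)

    def endElement(self, name):
        if name == "target":
            self.targets.append("".join(self._buf))
            self._buf = None


def build_upload(secret_path):
    """Constructed hostile XLIFF fragment: the internal DTD subset declares
    an external entity for a local file and <target> dereferences it."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE xliff [ <!ENTITY leak SYSTEM "{secret_path}"> ]>\n'
        '<xliff version="1.2"><file source-language="en" target-language="de"><body>\n'
        '<trans-unit id="1"><source>Hello</source><target>&leak;</target></trans-unit>\n'
        "</body></file></xliff>\n"
    ).encode()


def parse_upload(data, resolve_external):
    """Parse with the expat-backed SAX reader.  feature_external_ges is the
    switch that decides whether SYSTEM entities are fetched; Python leaves
    it off by default (3.7.1 and later), so turning it on reproduces the flaw."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    handler = TargetCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return handler.targets


def demo():
    """Constructed secret file standing in for any file root can read."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret.txt")
        with open(secret, "wb") as fh:
            fh.write(b"SECRET-TOKEN-8f3a")
        upload = build_upload(secret)
        return {
            "vulnerable": parse_upload(upload, resolve_external=True),
            "hardened": parse_upload(upload, resolve_external=False),
        }


if __name__ == "__main__":
    print(demo())
```

With entities resolved, the file's contents come back as the translated string, exactly the retrieval path the advisory describes; with them disabled the reference expands to nothing. The same switch exists in every mainstream parser (for libxml2-based parsers such as XML::LibXML the relevant options are expand_entities and load_ext_dtd), and the check to add to any upload path is that it is off.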
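Editor's added example for Cases 89733 and 88961 above (not cPanel code): a line-oriented KEY=value store of the kind a cpuser file or a credential record is, written once by trusting the caller and once with validation at the serialisation boundary. The attacker controls a single field, yet one embedded newline lets them add or override any other key. The key names are modelled on a cpuser file, but the layout, the allowlist and the hostile value are assumptions.

```python
import re

# Assumed allowlist for identifier-like fields (not cPanel's rule): lower-case
# name, no whitespace and in particular no line breaks.
NAME_RE = re.compile(r"\A[a-z][a-z0-9_-]{0,31}\Z")


def parse_store(text):
    """Reader for a line-oriented KEY=value file.  Later lines override
    earlier ones, which is what makes injected lines take effect."""
    record = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            record[key] = value
    return record


def write_naive(fields):
    """The vulnerable shape: every field is trusted and joined with newlines."""
    return "".join(f"{key}={value}\n" for key, value in fields.items())


def write_checked(fields, name_fields=("USER", "OWNER")):
    """Hardened writer: no CR, LF or NUL anywhere in a key or value, and
    identifier fields must match the allowlist.  The check sits at the
    serialisation boundary so every caller gets it."""
    for key, value in fields.items():
        if re.search(r"[\r\n\x00]", key + value):
            raise ValueError(f"{key}: line break or NUL in field")
        if key in name_fields and not NAME_RE.fullmatch(value):
            raise ValueError(f"{key}: {value!r} is not an acceptable name")
    return write_naive(fields)


def create_account(user, owner, plan, writer=write_naive):
    """Models account creation: the caller supplies `owner`, the server
    fixes PLAN and BWLIMIT.  Keys are modelled on a cpuser file."""
    fields = {"USER": user, "PLAN": plan, "BWLIMIT": "1024", "OWNER": owner}
    return parse_store(writer(fields))


def injection_blocked(owner):
    """True if the checked writer refuses the value."""
    try:
        create_account("victim", owner, "basic", writer=write_checked)
    except ValueError:
        return True
    return False


# Constructed hostile value: one field that smuggles two extra records.
HOSTILE_OWNER = "reseller1\nBWLIMIT=unlimited\nOWNER=root"

if __name__ == "__main__":
    print(create_account("victim", HOSTILE_OWNER, "basic"))   # OWNER is 'root', BWLIMIT 'unlimited'
    print(injection_blocked(HOSTILE_OWNER))                    # True
```

The newline is the whole attack: whatever the store is (a cpuser file, a clustering credential record, a zone file), a value that may contain the record separator can write records. Rejecting CR and LF in every field is the generic fix; the allowlist on identifier fields is the stricter one that also stops the other characters a particular format treats specially.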
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23

Case 90001
Summary
Sensitive information disclosed via update-analysis tarballs.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
The cPanel & WHM update-analysis system aggregates log files and system settings into a tarball that is sent to cPanel's log processing servers. This opt-in service allows cPanel to detect trends in the errors that cPanel & WHM systems encounter. The tarballs generated by the update-analysis system are retained on the local file system, with 0644 permissions, inside a world-accessible directory and include copies of several sensitive log files. This allowed local users to view the sensitive data contained inside.
Credits
This issue was discovered by Rack911.
Solution
This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23

Case 90265
Summary
Open mail relay via injection of FormMail-clone parameters.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
cPanel & WHM servers include a clone of the classic FormMail.pl script. Incorrect filtering of the 'subject' parameter supplied to this script allowed arbitrary mail headers to be injected into the email message. This flaw bypassed any recipient restrictions and allowed FormMail-clone to be used as an open mail relay.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23

Case 91741
Summary
Arbitrary code execution via backup excludes.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
Entries in a user's cpbackup-exclude.conf file are evaluated in an unsafe manner during the nightly account backup process.
By carefully crafting these entries, a malicious local account could execute arbitrary code as the root user during nightly backups under some circumstances.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23

Case 92449
Summary
User .my.cnf files set to world readable during upcp.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
The script '/scripts/fixmysqlpasswordopt' is run one time by upcp during an upgrade from cPanel & WHM version 11.38 to version 11.40. This script was intended to convert users' .my.cnf files to the formatting required by MySQL 5.5. During the conversion, the permissions on some users' .my.cnf files could be changed to world-readable. In combination with other common attacks, this could disclose the user's MySQL password to other accounts on the system.
Credits
This issue was discovered by Curtis Wood.
Solution
This issue is resolved in the following builds:
11.42.0.23
11.40.1.13

Case 92489
Summary
SSH private key disclosure during key import process.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
When the 'extract_public' option is specified to the 'importsshkey' WHM XML-API call, the provided private key was written to a world-readable temporary file. This allowed any user on the system to read the uploaded key.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23

Case 94201
Summary
Insufficient validation allows password reset of arbitrary users.
Security Rating
cPanel has assigned a Security Level of Critical to this vulnerability.
Description
cPanel & WHM systems contain optional functionality that allows cPanel accounts to reset their passwords from the cPanel login screen.
When a user requests a password reset in this fashion, an email is sent to the user's configured email address. The user must then navigate to a URL provided in the email to perform the password reset. A flaw in the validation of the 'user' parameter to the password reset interface allowed unauthenticated remote attackers to reset an account's password and cause the reset email to be delivered to an email address of the attacker's choosing.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23

Multiple Cases (30)
Summary
Multiple XSS vulnerabilities in various interfaces.
Description
Output filtering errors in several different interfaces allowed JavaScript inputs to be returned to the browser without proper filtering. The affected interfaces are listed below.

Case: 88465
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /scripts9/upload_locale
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Ernesto Martin

Case: 88469
Security Rating: Minor
XSS Type: Self-stored
Interface: WHM
URLs: /scripts/backupconfig
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Ernesto Martin

Case: 88473
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /fetchsystembranding, /fetchglobalbranding, /fetchyoursbranding
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Ernesto Martin

Case: 90213
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /scripts/passwdmysql
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 90225
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /cgi/CloudLinux.cgi
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 90249
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /cgi/live_restart_xferlog_tail.cgi
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 90257
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /scripts/dorootmail
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 90261
Security Rating: Important
XSS Type: Stored
Interface: WHM
URLs: /cgi/sshcheck.cgi
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 90289
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /cgi/zoneeditor.cgi
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 90753
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/mail/delegatelist.html, /frontend/paper_lantern/mail/delegatelist.html
Affected Releases: 11.42.0, 11.40.1
Reporter: Mateusz Goik

Case: 90765
Security Rating: Minor
XSS Type: Self-stored
Interface: cPanel
URLs: /frontend/x3/mime/hotlink.html, /frontend/paper_lantern/mime/hotlink.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Mateusz Goik

Case: 90769
Security Rating: Minor
XSS Type: Self-stored
Interface: cPanel
URLs: /frontend/x3/webdav/accounts_webdav.html, /frontend/paper_lantern/webdav/accounts_webdav.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Mateusz Goik

Case: 90781
Security Rating: Minor
XSS Type: Self-stored
Interface: cPanel
URLs: /frontend/x3/mime/redirect.html, /frontend/paper_lantern/mime/redirect.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Mateusz Goik

Case: 90817
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/filemanager/listfmfiles.json, /frontend/paper_lantern/filemanager/listfmfiles.json
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Mateusz Goik

Case: 90969
Security Rating: Important
XSS Type: Stored
Interface: WHM
URLs: /cgi/cpaddons_report.pl
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Rack911

Case: 91457
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/test.php, /frontend/paper_lantern/test.php
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 91461
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/cgi/doupload.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 91633
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /fetchemailarchive
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 91677
Security Rating: Minor
XSS Type: Self-stored
Interface: cPanel
URLs: /frontend/x3/cpanelpro/filelist-scale.html, /frontend/paper_lantern/cpanelpro/filelist-scale.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 91681
Security Rating: Minor
XSS Type: Self-stored
Interface: cPanel
URLs: /frontend/x3/cpanelpro/filelist-thumbs.html, /frontend/paper_lantern/cpanelpro/filelist-thumbs.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 91717
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/cpanelpro/changestatus.html, /frontend/paper_lantern/cpanelpro/editmsgs.html, /frontend/paper_lantern/cpanelpro/msgaction.html, /frontend/paper_lantern/cpanelpro/saveconf.html, /frontend/paper_lantern/mail/changestatus.html, /frontend/paper_lantern/mail/conf.html, /frontend/paper_lantern/mail/editlists.html, /frontend/paper_lantern/mail/editmsg.html, /frontend/paper_lantern/mail/manage.html, /frontend/paper_lantern/mail/queuesearch.htm, /frontend/paper_lantern/mail/resetmsg.html(acount), /frontend/paper_lantern/mail/saveconf.html, /frontend/paper_lantern/mail/showlog.html, /frontend/paper_lantern/mail/showmsg.htm, /frontend/paper_lantern/mail/showq.html, /frontend/x3/cpanelpro/changestatus.html, /frontend/x3/cpanelpro/editlists.html, /frontend/x3/cpanelpro/editmsgs.html, /frontend/x3/cpanelpro/msgaction.html, /frontend/x3/cpanelpro/saveconf.html, /frontend/x3/mail/changestatus.html, /frontend/x3/mail/conf.html, /frontend/x3/mail/editlists.html, /frontend/x3/mail/editmsg.html, /frontend/x3/mail/manage.html, /frontend/x3/mail/queuesearch.html, /frontend/x3/mail/resetmsg.html, /frontend/x3/mail/saveconf.html, /frontend/x3/mail/showlog.html, /frontend/x3/mail/showmsg.html, /frontend/x3/mail/showq.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 91973
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/cpanelpro/doscale.html, /frontend/paper_lantern/cpanelpro/doscale.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 91977
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /fr.ontend/x3/cpanelpro/doconvert.html, /frontend/paper_lantern/cpanelpro/doconvert.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 91981
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/cpanelpro/dothumbdir.html, /frontend/paper_lantern/cpanelpro/dothumbdir.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 92133
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/telnet/keys/dodelpkey.html, /frontend/paper_lantern/telnet/keys/dodelpkey.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 92157
Security Rating: Important
XSS Type: Stored
Interface: WHM
URLs: /scripts/installfp, /scripts/uninstallfp
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 92421
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/mail/ajax_mail_settings.html, /frontend/paper_lantern/mail/ajax_mail_settings.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 92593
Security Rating: Moderate
XSS Type: Reflected
Interface: cPanel
URLs: /cgi-sys/entropysearch.cgi
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

Case: 92829
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /cgi-sys/defaultwebpage.cgi
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Shahee Mirza

Case: 93089
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/mime/delredirectconfirm.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team

cPanel includes a comprehensive protection mechanism against XSS and XSRF attacks called Security Tokens. Security Tokens protection is enabled by default in all installs of cPanel & WHM. When Security Tokens protection is enabled, an attacker intending to utilize any self-XSS vulnerabilities must convince the victim to navigate their browser to the appropriate cPanel or WHM interface and manually input the JavaScript payload.
Credits
These issues were discovered by the respective reporters listed above.
Solution
These issues are resolved in the following builds:
11.42.0.23
11.40.1.13
11.38.2.23
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJTOdTyAAoJEJUhvtyr2U3fengP/RbheIJJrE7GPPqsmCT/Ny/J
eJRoLu6vUA47cKcopOhO3ha64rTwIydmR83JR6zaz8rxEq3kVhNwF/yvpUwVkgnG
Cc23wBbkUqXXkza7OhjSStIYrkPA6lfJdyaW4dVadvD7Ch+XihgO2cq8MPnGdVGC
b9jEP84EyvaM2I2SL8lKbfBPxHjbnOwJJMZXcgCEYlQuk25wLGP2EMtt0CzzwLM2
pfN2c5vID3lsmdp3iIf/rPKvTE1VW4bKuKY5vJ2vioJlf1Ngc3oAl1omM6ip2BZj
+620QSUctJ7ccFtr4v5qvPxVrhaQrLonaVq52bb8Kff8jNO8b3qNbj3znc052LHo
vXiAfh+EDuDSEj9+3O1vHEw8cnZOgy8r4bbiVRpG2wBVt4yKevz4HbiQ+0IJQMXe
vpYoeVraKXAyN5ZHgKXd9w7zTXO2OQS6OyiuO4IJ7FEzQA9PFbTafLYhVJAxPlsA
AimoFTlF0JtDp0696qkLx07qErOs6bAev1Lhlij+0GarcYUyr1nf8dOBAMw78AcF
NApUel+FA2/pL+7RXnIoVsPdsHqzO7mmNsgT3AnHE1bROwBwfKl7IcNgtEtV5qNv
FE68BaSt6fyGZ+sM+YVWVo24gIknRqN7A4eL9kdkt6lKyZgHGy5xgO2RIY9zijSt
oKIZDVgJpwgX065crzR3
=Hmkf
-----END PGP SIGNATURE-----
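Editor's added example for Cases 85329, 90001, 92449 and 92489 above (not cPanel code). All four are one defect: a privileged process wrote a file holding secrets and left it at the umask default, 0644. The block shows the three shapes the defect takes and the corresponding fixes: pass the mode at creation instead of relying on the umask, use mkstemp() for temporaries rather than a predictable world-readable path, and when rewriting a user's file never widen its permissions. File names, contents and the 022 umask are constructed for the demonstration.

```python
import os
import stat
import tempfile


def mode_of(path):
    """Permission bits only, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def write_naive(path, data):
    """open() creates with 0666 masked by the umask; under the usual 022
    that is 0644, readable by every local account."""
    with open(path, "w") as fh:
        fh.write(data)


def write_private(path, data):
    """Pass the mode at creation.  The umask can only clear bits, so the
    file is 0600 from the first instant; a chmod after open() would leave
    a window in which the data is already readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def private_tempfile(data, directory):
    """mkstemp() creates 0600 with an unpredictable name and hands back the
    open descriptor, so no other user can pre-create or read the file."""
    fd, path = tempfile.mkstemp(prefix="importsshkey.", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def rewrite_keeping_mode(path, transform):
    """Models the .my.cnf conversion: write the new contents to a temporary
    file created with the original owner bits (never wider), then rename it
    into place, instead of recreating the file under the umask."""
    keep = mode_of(path) & 0o600
    with open(path) as fh:
        content = fh.read()
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, keep)
    with os.fdopen(fd, "w") as fh:
        fh.write(transform(content))
    os.rename(tmp, path)


def demo():
    """Constructed run in a temp dir under a 022 umask; returns the mode
    each approach leaves behind."""
    with tempfile.TemporaryDirectory() as d:
        old_umask = os.umask(0o022)
        try:
            naive = os.path.join(d, "update_analysis.tar.gz")
            write_naive(naive, "bundled logs")
            private = os.path.join(d, "error_log")
            write_private(private, "stack trace")
            temp = private_tempfile("-----BEGIN OPENSSH PRIVATE KEY-----", d)
            mycnf = os.path.join(d, ".my.cnf")
            write_private(mycnf, "[client]\npass=hunter2\n")
            rewrite_keeping_mode(mycnf, lambda s: s.replace("pass=", "password="))
            return {"naive": mode_of(naive), "private": mode_of(private),
                    "temp": mode_of(temp), "mycnf": mode_of(mycnf)}
        finally:
            os.umask(old_umask)


if __name__ == "__main__":
    print({k: oct(v) for k, v in demo().items()})
```

A useful audit on a shared host is the same check in reverse: find files under home and log directories whose content is per-user (logs, .my.cnf, key material, support bundles) and whose mode has any group or other bits set, since each of the four cases above would have shown up that way.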