-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 cPanel TSR-2014-0004 Full Disclosure Case 78301 Summary Correct patch for CVE-2002-1575 in cgiemail. Security Rating cPanel has assigned a Security Level of Important to this vulnerability. Description cPanel & WHM includes a copy of Bruce Lewis' cgiemail version 1.6. This version of cgiemail was vulnerable to CVE-2002-1575, allowing remote unauthenticated attackers to send email using the cgiemail script to destination addresses of the attackers' choosing. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds: 11.43.0.12 11.42.1.16 11.40.1.14 Case 92733 Summary Session file name disclosure via SafeFile command line rewriting. Security Rating cPanel has assigned a Security Level of Moderate to this vulnerability. Description The SafeFile functionality of cPanel provides for safe file locking and opening. When attempting to obtain a lock on a file, the executable name ($0) was set to include the target file name for debugging purposes. This exposed potentially sensitive session information. Credits This issue was discovered by Rack911. Solution This issue is resolved in the following builds: 11.43.0.12 11.42.1.16 11.40.1.14 Case 92745 Summary Private SSH key passwords disclosed during key generation and import. Security Rating cPanel has assigned a Security Level of Minor to this vulnerability. Description The cPanel & WHM API1 and API2 calls that imported, generated, and converted SSH keys using the ssh-keygen binary supplied the password for the private key using command line arguments. This revealed the private password to other accounts on the system while ssh-keygen was executing. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds: 11.43.0.12 11.42.1.16 11.40.1.14 Case 93017 Summary Arbitrary Code Execution via WHM Thirdparty Service Calls. Security Rating cPanel has assigned a Security Level of Moderate to this vulnerability. Description The WHM /scripts2/showservice and /scripts2/saveservice URLs took a module name from the user and attempted to load it via an unsafe string eval. Using a carefully crafted module name, a malicious authenticated reseller could execute arbitrary code as root. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds: 11.43.0.12 11.42.1.16 11.40.1.14 Case 93021 Summary Arbitrary code execution via Cpanel::Thirdparty::serviceinfo API call. Security Rating cPanel has assigned a Security Level of Minor to this vulnerability. Description The Cpanel::Thirdparty::serviceinfo API1 call took a module name from the user and attempted to load it via an unsafe string eval. Using a carefully crafted module name, an authenticated cPanel user could execute arbitrary code, potentially bypassing other restrictions placed on the account. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds: 11.43.0.12 11.42.1.16 11.40.1.14 Case 93269 Summary Transfer CGI scripts allow downloads of a cPanel account. Security Rating cPanel has assigned a Security Level of Important to this vulnerability. Description The WHM 'Copy an Account From Another Server With an Account Password' functionality will first attempt to use XML-API calls to generate and download a backup of the remote account. Should this call fail, a fallback method using FTP and HTTP will be attempted. Under some circumstances, the CGI scripts utilized by this fallback method would remain installed on the account after the transfer was complete, potentially allowing remote attackers to download a copy of the transferred account. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds: 11.42.1.16 11.40.1.14 Case 94077 Summary Denial of service via Boxtrapper cgi-sys script. Security Rating cPanel has assigned a Security Level of Moderate to this vulnerability. Description The Boxtrapper bxd.cgi script used to confirm an email for delivery did not properly validate the account parameter passed to it by the user. By injecting null values into this parameter, an unauthenticated attacker could trigger an infinite loop in the script, potentially exhausting server resources. Credits This issue was discovered by Rack911. Solution This issue is resolved in the following builds: 11.43.0.12 11.42.1.16 11.40.1.14 Case 95617 Summary Arbitrary database access via cpmysqladmin ADDDBPRIVS command. Security Rating cPanel has assigned a Security Level of Important to this vulnerability. Description The cpmysqladmin 'ADDDBPRIVS' command allowed cPanel users to add read and write privileges to a database. Ownership of the specified database was not properly validated during this process, allowing the user to read and write any database on the system. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds: 11.42.1.16 11.40.1.14 Case 96301 Summary Arbitrary permissions change via fixsuexeccgiscripts script. Security Rating cPanel has assigned a Security Level of Important to this vulnerability. Description The fixsuexeccgiscripts script run during the nightly UPCP process on cPanel & WHM systems scanned Apache's suexec_log for indications of misconfigured CGI scripts. Scripts that generated errors were automatically set to 0755 permissions. The functionality that changed permissions on defective scripts performed insufficient validation of the targets, allowing a local attacker to set any file on the system to 0755 permissions. Credits This issue was discovered by Rack911. Solution This issue is resolved in the following builds: 11.43.0.12 11.42.1.16 11.40.1.14 Case 96381 Summary Arbitrary file ownership change via chownpublichtmls script. Security Rating cPanel has assigned a Security Level of Moderate to this vulnerability. Description The chownpublichtmls script is intended to correct the ownership on users' public_html directories. This script used an obsolete version of the safe_recchmod() function that was vulnerable to a race condition attack. This could allow a local attacker change the ownership of arbitrary files. Credits This issue was discovered by Rack911. Solution This issue is resolved in the following builds: 11.43.0.12 11.42.1.16 11.40.1.14 Case 96541 Summary Arbitrary code execution as root via WHM "Check and Repair a Perl Script". Security Rating cPanel has assigned a Security Level of Important to this vulnerability. Description The Check and Repair Perl Script functionality of WHM was vulnerable to a Time-of-check/Time-of-use attack. The UID this functionality would execute under was determined by a simple stat of the target file, followed by the execution of the script using "perl -c". A local attacker could leverage this flaw to execute arbitrary code as root when this interface was used on a script under the attacker's control. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds: 11.43.0.12 11.42.1.16 11.40.1.14 Case 96697 Summary Arbitrary permissions change via multiple scripts. Security Rating cPanel has assigned a Security Level of Moderate to this vulnerability. Description Obsolete versions of several functions provided by the Cpanel::SafetyBits module were duplicated inside the safetybits.pl script and used in several command line scripts provided with cPanel & WHM. The obsolete versions of these functions allowed a local attacker to change the permissions on arbitrary files under some circumstances. Credits This issue was discovered by Rack911. Solution This issue is resolved in the following builds: 11.43.0.12 11.42.1.16 11.40.1.14 Case 97289 Summary Bypass of local zone ownership restrictions via DNS clustering commands. Security Rating cPanel has assigned a Security Level of Minor to this vulnerability. Description The DNS clustering commands allow for DNS zones to be synced across a cluster. When a zone is owned by a local user, these commands restrict modification of the zone to the reseller account that owns the zone and reseller accounts with the "All" ACL. This functionality was subject to several flaws that allowed an authenticated attacker with the "Clustering" ACL to modify zones belonging to other resellers on the system. Credits This issue was discovered by Rack911. Solution This issue is resolved in the following builds: 11.43.0.12 11.42.1.16 11.40.1.14 Case 97293 Summary Miscategorization of DNS Clustering ACL. Security Rating cPanel has assigned a Security Level of Minor to this vulnerability. Description The "Clustering" ACL in the WHM Edit Reseller Nameservers and Privileges interface was miscategorized under the "Standard Privileges" grouping. This ACL should be listed under the "Super Privileges" grouping since the ACL is intended for sensitive DNS clustering configuration and synchronization operations that bypass many restrictions on DNS zone modifications. Credits This issue was discovered by Rack911. Solution This issue is resolved in the following builds: 11.43.0.12 11.42.1.16 11.40.1.14 Case 97737 Summary Arbitrary YAML file read via Configure Customer Contact. Security Rating cPanel has assigned a Security Level of Important to this vulnerability. Description The WHM Configure Customer Contact interface allows a reseller to set contact information visible by their users. The YAML file containing this information is inside the reseller's home directory and was read with the effective UID of root. By manipulating this file, an authenticated reseller could read the contents of arbitrary YAML files on the system. Credits This issue was discovered by Rack911. Solution This issue is resolved in the following builds: 11.43.0.12 11.42.1.16 11.40.1.14 Case 97841 Summary Mailman list password disclosed to local users during password change. Security Rating cPanel has assigned a Security Level of Moderate to this vulnerability. Description Mailman's change_pw script takes the password as a command line argument. When changing a mailing list's password, the new password was leaked to other users logged into the system via command line arguments. Credits This issue was discovered by Rack911. Solution This issue is resolved in the following builds: 11.43.0.12 11.42.1.16 11.40.1.14 Case 98121 Summary Miscategorization of Locales ACL. Security Rating cPanel has assigned a Security Level of Minor to this vulnerability. Description The "local-edit" ACL listed in the WHM Edit Reseller Nameservers and Privileges interface was miscategorized under the "Global Privileges" grouping. This ACL should be listed under the "Super Privileges" grouping since the ACL allows the reseller to control the display of translations, including embedded HTML, in all cPanel & WHM interfaces. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds: 11.43.0.12 11.42.1.16 11.40.1.14 Multiple Cases (35) Summary Multiple XSS vulnerabilities in various interfaces. Description Output filtering errors in several different interfaces allowed JavaScript inputs to be returned to the browser without proper filtering. The affected interfaces are listed below. Case: 90761 Security Rating: Minor XSS Type: Self-stored Interface: cPanel URLs: /frontend/x3/ftp/accounts.html, /frontend/paper_lantern/ftp/accounts.html Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: Mateusz Goik Case: 93117 Security Rating: Moderate XSS Type: Reflected Interface: cPanel URLs: /cgi-sys/guestbook.cgi Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team Case: 93141 Security Rating: Moderate XSS Type: Reflected Interface: Entropy Chat URLs: / Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team Case: 93641 Security Rating: Minor XSS Type: Self-stored Interface: cPanel URLs: /frontend/paper_lantern/mail/auto_responder.tt, /frontend/x3/mail/auto_responder.tt Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team Case: 93965 Security Rating: Minor XSS Type: Self-stored Interface: cPanel URLs: /frontend/x3/filemanager/index.html, /frontend/paper_lantern/filemanager/index.html Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team Case: 93985 Security Rating: Minor XSS Type: Self Interface: cPanel URLs: /frontend/x3/addoncgi/cpaddons.html, /frontend/paper_lantern/addoncgi/cpaddons.html Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team Case: 94081 Security Rating: Moderate XSS Type: Stored Interface: WHM URLs: /scripts4/listaccts Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: Rack911 Case: 94741 Security Rating: Minor XSS Type: Self Interface: cPanel URLs: /frontend/x3/mail/spam/addspamfilter.html, /frontend/paper_lantern/mail/spam/addspamfilter.html Affected Releases: 11.43.0, 11.42.1 Reporter: cPanel Security Team Case: 94745 Security Rating: Minor XSS Type: Self Interface: cPanel URLs: /frontend/paper_lantern/mail/filters/delfilter.html, /frontend/x3/mail/filters/delfilter.html Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team Case: 94773 Security Rating: Minor XSS Type: Self Interface: cPanel URLs: /frontend/x3/addon/index.html, /frontend/x3/denyip/index.html, /frontend/x3/ftp/accounts.html, /frontend/x3/mail/archive.html, /frontend/x3/mail/autores.html, /frontend/x3/mail/boxtrapper.html, /frontend/x3/mail/filters/managefilters.html, /frontend/x3/mail/fwds.html, /frontend/x3/mail/lists.html, /frontend/x3/park/index.html, /frontend/x3/psql/index.html, /frontend/x3/sql/index.html, /frontend/x3/subdomain/index.html, /frontend/paper_lantern/addon/index.html, /frontend/paper_lantern/denyip/index.html URLs: /frontend/paper_lantern/ftp/accounts.html, /frontend/paper_lantern/mail/archive.html, /frontend/paper_lantern/mail/autores.html, /frontend/paper_lantern/mail/boxtrapper.html, /frontend/paper_lantern/mail/filters/managefilters.html, /frontend/paper_lantern/mail/fwds.html, /frontend/paper_lantern/mail/lists.html, /frontend/paper_lantern/park/index.html, /frontend/paper_lantern/psql/index.html, /frontend/paper_lantern/sql/index.html, /frontend/paper_lantern/subdomain/index.html Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team Case: 94793 Security Rating: Minor XSS Type: Self Interface: cPanel URLs: /frontend/x3/mail/conf.html, /frontend/paper_lantern/mail/conf.html Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team Case: 94825 Security Rating: Minor XSS Type: Self Interface: cPanel URLs: /frontend/x3/mail/dodelpop.html, /frontend/paper_lantern/mail/dodelpop.html Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team Case: 94929 Security Rating: Minor XSS Type: Self Interface: cPanel URLs: /frontend/paper_lantern/mime/addredirect.html Affected Releases: 11.43.0, 11.42.1 Reporter: cPanel Security Team Case: 94937 Security Rating: Minor XSS Type: Self Interface: cPanel URLs: /frontend/paper_lantern/sql/wizard4.html, /frontend/x3/sql/wizard4.html Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team Case: 95577 Security Rating: Minor XSS Type: Self Interface: cPanel URLs: /frontend/x3/denyip/delconfirm.html, /frontend/paper_lantern/denyip/delconfirm.html Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team Case: 95805 Security Rating: Minor XSS Type: Self Interface: cPanel URLs: /frontend/paper_lantern/ftp/dologoutftpconfirm.html, /frontend/x3/ftp/dologoutftpconfirm.html Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team Case: 96017 Security Rating: Minor XSS Type: Self Interface: cPanel URLs: /frontend/paper_lantern/mime/delredirect.html, /frontend/x3/mime/delredirect.html Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team Case: 96021 Security Rating: Moderate XSS Type: Stored Interface: cPanel URLs: /frontend/x3/clamavconnector/scanner.html, /frontend/x3/clamavconnector/live_disinfect.html, /frontend/x3/clamavconnector/disinfect.html, /frontend/paper_lantern/clamavconnector/scanner.html, /frontend/paper_lantern/clamavconnector/live_disinfect.html, /frontend/paper_lantern/clamavconnector/disinfect.html Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team Case: 96201 Security Rating: Minor XSS Type: Self Interface: WHM URLs: /scripts/doresetresellers Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team Case: 96209 Security Rating: Minor XSS Type: Self Interface: WHM URLs: /scripts/domultikill Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team Case: 96245 Security Rating: Minor XSS Type: Self-stored Interface: WHM URLs: /cgi/statmanager.cgi Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: Rack911 Case: 96385 Security Rating: Important XSS Type: Stored Interface: cPanel URLs: /frontend/x3/ftp/session.html, /frontend/paper_lantern/ftp/session.html Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: Rack911 Case: 96485 Security Rating: Moderate XSS Type: Stored Interface: WHM URLs: /scripts5/showacctcopylog Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: Rack911 Case: 96505 Security Rating: Important XSS Type: Stored Interface: WHM URLs: /scripts/rescart Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team Case: 96509 Security Rating: Moderate XSS Type: Stored Interface: WHM URLs: /scripts/repairmysql Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team Case: 96521 Security Rating: Minor XSS Type: Self Interface: WHM URLs: /scripts/doresmailman Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team Case: 96525 Security Rating: Moderate XSS Type: Stored Interface: WHM URLs: /scripts2/convertmaildir Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team Case: 96545 Security Rating: Minor XSS Type: Self Interface: WHM URLs: /scripts2/doeditzonetemplate Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team Case: 96637 Security Rating: Moderate XSS Type: Stored Interface: WHM URLs: /cgi/trustclustermaster.cgi Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: Rack911 Case: 96801 Security Rating: Important XSS Type: Stored Interface: WHM URLs: /scripts/doconfiguremailserver Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team Case: 99213 Security Rating: Minor XSS Type: Stored Interface: WHM URLs: /scripts5/setupremotemysqlhost Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team Case: 99309 Security Rating: Moderate XSS Type: Stored Interface: WHM URLs: /scripts2/editzonetemplate Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team Case: 99365 Security Rating: Minor XSS Type: Self-stored Interface: WHM URLs: /scripts5/copy_account_input Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team Case: 99377 Security Rating: Minor XSS Type: Self-stored Interface: WHM URLs: /scripts5/remotemysqlhost Affected Releases: 11.42.1, 11.40.1 Reporter: cPanel Security Team Case: 99957 Security Rating: Minor XSS Type: Self Interface: cPanel URLs: /frontend/x3/cgi/modify.html Affected Releases: 11.43.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team cPanel includes a comprehensive protection mechanism against XSS and XSRF attacks called Security Tokens. Security Tokens protection is enabled by default in all installs of cPanel & WHM. When Security Tokens protection is enabled, an attacker intending to utilize any self-XSS vulnerabilities must convince the victim to navigate their browser to the appropriate cPanel or WHM interface and manually input the JavaScript payload. Credits These issues were discovered by the respective reporters listed above. Solution These issues are resolved in the following builds: 11.43.0.12 11.42.1.16 11.40.1.14 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJTg3ygAAoJEJUhvtyr2U3fW90QAND80zau2wPKqmUtJN+HYLqH oz87LM77doR5qMVizU9Viak849exAEHqgZkKSGvRWuYPFXSAjwwiFxWjRzHOQnv/ X+rO+wyF7B8NtDY75FgV95vKsUZEGnXELLUP/mh8JR+tLtGMzHgkomzon3eTPb5X F4Yav0uN7Gwl4gaKqE8yUU+RwgtuQugCmPCJQjt1ZazbQofY6eAMz+UkqzNywHo4 XtXNRbXxd0ifU0YJDAeZ05NU4SDdAwnAcnCADEcEdcOSQmDKiWKIojGVOCW5Fm4f ij9aVnHPyxrGE8owD+KTbzapr2G6s1+sHX1/LCcvVqzVebaRPixOtNOxunwRDYym 8HFnFupvOqXtuWRipvusm2oszfS0wHi838eV5dFeLl9n9wA1qDKi5gZWNr/flMPH bJjMzChR9wa0X2ybgW8/69mkMWA7JTOQmp4QJEmk42HyYl2A/I/+o6iGbqfoCsmE 4rs1xN4Jh/uTdcxx1v3Gv2AnGG9sMjO5C8vcmSzvopte9l1flmMhAvJe1IT6TCkJ GIWl2RnQpqXJxNgT3DLe2Hbc/NS8GS4SoSxynDGLiWk2YIinuVMqGqTX4v80c/4H HcwLZomOcFKys6jGNVjcXI8RUhvR23dOUyhTwaPDjXPpv28cYKlhJ7EvlOAgqd+w SLarVFARnqAV+ClxP4VK =TGBt -----END PGP SIGNATURE-----