-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 cPanel TSR-2014-0005 Full Disclosure Case 93317 Summary Limited SQL injection vulnerability in LeechProtect. Security Rating cPanel has assigned a Security Level of Minor to this vulnerability. Description The LeechProtect subsystem built into cPanel & WHM systems allows a website owner to disable HTTP logins for accounts that log in from too many distinct IP addresses. This subsystem was vulnerable to a limited SQL injection in its handling of IP subnets due to incorrect escaping. Credits This issue was discovered by Rack911. Solution This issue is resolved in the following builds: 11.44.1.5 11.44.0.29 11.42.1.23 11.40.1.18 Case 93321 Summary Limited arbitrary file modification via LeechProtect subsystem. Security Rating cPanel has assigned a Security Level of Moderate to this vulnerability. Description The LeechProtect subsystem built into cPanel & WHM systems allows a website owner to disable HTTP logins for accounts that log in from too many distinct IP addresses. This subsystem performed insufficient validation of the data passed to it by Apache, which allowed a local attacker to modify the password files controlling email, FTP, WebDAV, or HTTP accounts for other users on the local system. Credits This issue was discovered by Rack911. Solution This issue is resolved in the following builds: 11.44.1.5 11.44.0.29 11.42.1.23 11.40.1.18 Case 97233 Summary Process locking based on 'ps' vulnerable to attack by local users. Security Rating cPanel has assigned a Security Level of Minor to this vulnerability. Description Several subsystems in cPanel & WHM used the output from 'ps' to prevent multiple instances of an operation from occurring simultaneously. Due to flaws in the way 'ps' output was parsed, an authenticated local attacker could create processes that blocked these subsystems from operating. Credits This issue was discovered by Rack911. Solution This issue is resolved in the following builds: 11.44.1.5 11.44.0.29 11.42.1.23 11.40.1.18 Case 98253 Summary Insecure permissions on eximstats SQL password file. Security Rating cPanel has assigned a Security Level of Moderate to this vulnerability. Description The eximstats functionality of cPanel & WHM allows an administrator to generate reports of mail activity on the server. When switching to a remote MySQL server, the file containing the password for the eximstats database was set to world-readable permissions. This allowed a local attacker to gain access to the eximstats database. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds: 11.44.1.5 11.44.0.29 11.42.1.23 11.40.1.18 Case 99749 Summary Bypass of account ownership restrictions during account creation. Security Rating cPanel has assigned a Security Level of Important to this vulnerability. Description The WHM /scripts5/wwwacct and "createacct" API commands allowed resellers with limited privileges to supply unsafe "force", "forcedns", and "is_restore" options during account creation. These options would allow a reseller without the "all" ACL to take control over other existing accounts on the system and bypass other account creation restrictions. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds: 11.44.1.5 11.44.0.29 11.42.1.23 11.40.1.18 Case 99861 Summary Update analysis logs sent without proper SSL certificate validation. Security Rating cPanel has assigned a Security Level of Moderate to this vulnerability. Description cPanel & WHM includes opt-in functionality to submit copies of various system log files to cPanel for quality assurance purposes. This system posts a tarball containing the files to a cPanel controlled server using HTTPS. Validation of the SSL certificate used during this connection was disabled, potentially allowing an attacker to masquerade as the cPanel log processing server and connect the information being submitted. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds: 11.44.1.5 11.44.0.29 11.42.1.23 11.40.1.18 Case 100677 Summary Arbitrary file unlink via fixwebalizer script. Security Rating cPanel has assigned a Security Level of Moderate to this vulnerability. Description The fixwebalizer script removed files from the target user's home directory while running with the effective permissions of the root user. A malicious local user could leverage this behavior to delete arbitrary files on the system. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds: 11.44.1.5 11.44.0.29 11.42.1.23 11.40.1.18 Case 100957 Summary Arbitrary YAML file read via import_old_support_cfg script. Security Rating cPanel has assigned a Security Level of Moderate to this vulnerability. Description The import_old_support_cfg script runs automatically during the nightly upcp process to migrate reseller support contact information settings from an old configuration format into a new one. This script performed an unsafe YAML file read inside the reseller's home directory while running with root's permissions. A local attacker could use this flaw to copy data from an arbitrary YAML file into their home directory. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds: 11.44.1.5 11.44.0.29 11.42.1.23 11.40.1.18 Case 101677 Summary Bypass of account suspension via mail filters. Security Rating cPanel has assigned a Security Level of Moderate to this vulnerability. Description cPanel & WHM's functionality for suspending an account allows mail delivery to continue normally while disabling website access. Using the mail filter functionality of cPanel & WHM, a suspended account could remove the .htaccess files used to disable website access. Apache virtual host includes are used now, rather than .htaccess files to prevent web access from being restored in this fashion. Credits This issue was discovered by Matt Sheldon. Solution This issue is resolved in the following builds: 11.44.1.5 11.44.0.29 11.42.1.23 11.40.1.18 Case 103341 Summary Arbitrary code execution via Mailman pickle files. Security Rating cPanel has assigned a Security Level of Important to this vulnerability. Description Mailman uses Python pickle files to store configuration values. With some configurations of Apache, the pickle files used by mailman were given incorrect file ownership settings. A local attacker could utilize this fact to overwrite one of Mailman’s pickle files and execute arbitrary code when the pickle file was deserialized (BugTrack ID 5257). Under some circumstances, this would allow a local attacker to execute arbitrary code as root. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds: 11.44.1.5 11.44.0.29 11.42.1.23 Case 105337 Summary Arbitrary file read via Exim virtual aliases. Security Rating cPanel has assigned a Security Level of Important to this vulnerability. Description A crafted string in an Exim user valias configuration file could allow a user to read any file on the system. This was caused by incorrect configuration of the user and group settings in Exim's router configurations. Credits This issue was discovered by Rack911. Solution This issue is resolved in the following builds: 11.44.1.5 11.44.0.29 11.42.1.23 11.40.1.18 Case 105353 Summary Bypass of commondomains and hostname restrictions in WHM Add DNS interface. Security Rating cPanel has assigned a Security Level of Moderate to this vulnerability. Description The WHM Add DNS interface allows a reseller to assign ownership of a DNS zone to a specific cPanel account. This interface did not enforce DNS zone restrictions against the use of the server's hostname or domains listed in the commondomains file. Resellers with the "create-dns" ACL could leverage this behavior to bypass these restrictions. Credits This issue was discovered by Rack911. Solution This issue is resolved in the following builds: 11.44.1.5 11.44.0.29 11.42.1.23 11.40.1.18 Multiple Cases (10) Summary Multiple XSS vulnerabilities in various interfaces. Description Output filtering errors in several different interfaces allowed JavaScript inputs to be returned to the browser without proper filtering. The affected interfaces are listed below. Case: 99353 Security Rating: Minor XSS Type: Self-stored Interface: WHM URLs: /scripts2/sshkeys Affected Releases: 11.44.1, 11.44.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team Case: 99637 Security Rating: Moderate XSS Type: Stored Interface: WHM URLs: /scripts4/listaccts Affected Releases: 11.44.1, 11.44.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team Case: 100669 Security Rating: Minor XSS Type: Self-stored Interface: WHM URLs: /cgi/addrbl.cgi Affected Releases: 11.44.1, 11.44.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team Case: 100685 Security Rating: Important XSS Type: Stored Interface: WHM URLs: /scripts/reallyemailall Affected Releases: 11.44.1, 11.44.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team Case: 101013 Security Rating: Minor XSS Type: Self-stored Interface: WHM URLs: /cgi/diskusage.cgi Affected Releases: 11.44.1, 11.44.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team Case: 102853 Security Rating: Minor XSS Type: Self Interface: WHM URLs: /cgi/easyapache.pl Affected Releases: 11.44.1, 11.44.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team Case: 102877 Security Rating: Minor XSS Type: Self Interface: WHM URLs: /scripts9/upload_legacy_file Affected Releases: 11.44.1, 11.44.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team Case: 104033 Security Rating: Minor XSS Type: Self-stored Interface: cPanel URLs: /frontend/paper_lantern/ssl/viewcrt.html, /frontend/x3/ssl/viewcrt.html Affected Releases: 11.44.1, 11.44.0, 11.42.1, 11.40.1 Reporter: Cody Brocious Case: 105229 Security Rating: Minor XSS Type: Self-stored Interface: cPanel URLs: /frontend/paper_lantern/ssl/viewkey.html, /frontend/x3/ssl/viewkey.html Affected Releases: 11.44.1, 11.44.0, 11.42.1, 11.40.1 Reporter: Cody Brocious Case: 105273 Security Rating: Minor XSS Type: Self-stored Interface: cPanel URLs: /frontend/paper_lantern/ssl/viewcsr.html, /frontend/x3/ssl/viewcsr.html Affected Releases: 11.44.1, 11.44.0, 11.42.1, 11.40.1 Reporter: cPanel Security Team cPanel includes a comprehensive protection mechanism against XSS and XSRF attacks called Security Tokens. Security Tokens protection is enabled by default in all installs of cPanel & WHM. When Security Tokens protection is enabled, an attacker intending to utilize any self-XSS vulnerabilities must convince the victim to navigate their browser to the appropriate cPanel or WHM interface and manually input the JavaScript payload. Credits These issues were discovered by the respective reporters listed above. Solution These issues are resolved in the following builds: 11.44.1.5 11.44.0.29 11.42.1.23 11.40.1.18 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJT1pTuAAoJEJUhvtyr2U3fmbQQAJEjeNGgqfney39aeJKftAXV 5AgJO1EIk19quZI3HfGYOA1/iwoAUOFpLuU+WJBwa/u4la3p3JdKf1dHJZe55kJZ 85Tyc94ibgFrf24QZ6X0fm3DbgseaHpkkIXNoo+ehe0k41UPohX7pTimBab+UVU3 /K032wd6L/sMXFE471mqU+EXHqiMSl7YxSKODjxk7+V/tvKoXU3j2YESIABFZb7H 4indCWRAUoQq6rTaYm/U35upRiN2dB1c6BszxF6+4YWATJy+N8hIlCNMjJS4xnP/ ufAuJOzesKnPxitKCyLmkEMlR4zImURJ8JjYNk7RUL250cslSRU14LOyrm/5tSIt Xk6e5ADisp1d0iDkyFXI1tnHIemk9N51XrGB4WdhsrE0RDYaZ2J8jaN+duqckEAc cjBX0R9fkUdEaqxd64MhZST/nkGyDHoU7EbxUzfnAXYTnjeKXHjGsq93tYs4WTad Ttrii+njq3HVVVico2FaGdKWPd74htLPVwB4fy94m6G/QckH385PTYyivwNZd9GA +vb5gC4tZOoU8DrUqBo+jn2Xk1EVjISNJUjTjjscPnF/DqL+4SIlvUbqvLzUQlS+ cjjYFNPZt7ygxefc2Yk5R9ET6JdH3Q2EyqN3ImMYgHpMfn9RnoDBxq/CV9aE45Ke mr/ocAJhk+Kbu0OSCa9a =y4KF -----END PGP SIGNATURE-----