-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

cPanel TSR-2014-0007 Full Disclosure

Case 109049

Summary
Arbitrary file overwrite in /scripts/synccpaddonswithsqlhost.

Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.

Description
The synccpaddonswithsqlhost script performed unsafe file operations inside the home directories of unprivileged users while running with root's permissions. By manipulating symbolic links within the .cpaddons sub-directory, a local attacker could overwrite arbitrary files with known data.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.44.1.18
11.42.1.26
11.40.1.21

Case 109469

Summary
Bypass of email and webdav access during account suspension.

Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.

Description
To disable email and webdav access during an account suspension, the shadow files for the accounts are modified. These shadow files reside in the suspended user's home directory. By removing write permissions from these files, the user could prevent the modifications and preserve access for email and webdav virtual accounts.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.44.1.18
11.42.1.26
11.40.1.21

Case 109789

Summary
Bypass of account suspension lock via account rename.

Security Rating
cPanel has assigned a Security Level of Minor to this vulnerability.

Description
The cPanel & WHM logic for suspending accounts allows the root user to lock a suspended account so that the reseller who owns the account is unable to unsuspend it. A reseller with the edit-account ACL could bypass this lock by renaming the suspended account.

Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.44.1.18
11.42.1.26
11.40.1.21

Case 109797

Summary
Bypass of locks for account unsuspension in scripts/remote_unsuspend.

Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.

Description
The cPanel & WHM logic for suspending accounts allows the root user to lock a suspended account so that the reseller who owns the account is unable to unsuspend it. Resellers could bypass this restriction using the remote_unsuspend WHM interface, which did not check for account suspension locks.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.44.1.18
11.42.1.26
11.40.1.21

Case 112041

Summary
Arbitrary file overwrite in checkstunnel script.

Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.

Description
The checkstunnel script attempts to generate a working configuration file for stunnel. During this process, a temporary configuration file is written to a predictable location in /tmp. By placing a symlink at this location, a local attacker could overwrite an arbitrary file with predictable contents.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.44.1.18
11.42.1.26
11.40.1.21

Case 112361

Summary
Arbitrary file overwrite via Tailwatch cPBandwd driver.

Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.

Description
The Tailwatch cPBandwd driver parses the mail logs to track bandwidth usage for accounts on the system. The username from a parsed log line is used in constructing the path to the file in which bandwidth usage is tracked. By carefully manipulating the username of an account logging in, an authenticated attacker could create or overwrite arbitrary files with known data.

Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.44.1.18
11.42.1.26
11.40.1.21

Case 113101

Summary
Arbitrary code execution as shared webmail accounts.

Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.

Description
When processing HTTP requests, the cpsrvd daemon strips several path traversal sequences from the requested URI before translating the request to a path on the filesystem. Flaws in this logic allowed an authenticated attacker to craft a request that would execute arbitrary PHP code while running as one of the shared webmail accounts.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.44.1.18
11.42.1.26
11.40.1.21

Case 113477

Summary
Arbitrary code execution as cpanel-horde user via cache file poisoning.

Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.

Description
The Horde Webmail interfaces accessible to cPanel and Webmail accounts use PHP serialized cache files to speed up some backend operations. These cache files were stored in the world-writable /tmp directory with predictable names when Horde was accessed using the cPanel interfaces. A malicious local attacker could pre-create the cache files inside /tmp, leading to arbitrary code execution as the cpanel-horde user.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.44.1.18
11.42.1.26
11.40.1.21

Multiple Cases (5)

Summary
Multiple XSS vulnerabilities in various interfaces.

Description
Output filtering errors in several different interfaces allowed JavaScript inputs to be returned to the browser without proper filtering. The affected interfaces are listed below.
Case: 109009
Security Rating: Moderate
XSS Type: Stored
Interface: WHM
URLs: /cgi/trustclustermaster.cgi
Affected Releases: 11.44.1, 11.42.1, 11.40.1
Reporter: cPanel Security Team

Case: 109029
Security Rating: Minor
XSS Type: Self-stored
Interface: WHM
URLs: /scripts2/basic_exim_editor
Affected Releases: 11.44.1, 11.42.1, 11.40.1
Reporter: cPanel Security Team

Case: 109037
Security Rating: Minor
XSS Type: Self-stored
Interface: WHM
URLs: /scripts/spamdconf
Affected Releases: 11.44.1, 11.42.1, 11.40.1
Reporter: cPanel Security Team

Case: 109045
Security Rating: Minor
XSS Type: Stored
Interface: WHM
URLs: /scripts/servup
Affected Releases: 11.44.1, 11.42.1, 11.40.1
Reporter: cPanel Security Team

Case: 110169
Security Rating: Important
XSS Type: Stored
Interface: WHM
URLs: /scripts4/listaccts
Affected Releases: 11.44.1, 11.42.1, 11.40.1
Reporter: Rohan Durve

cPanel includes a comprehensive protection mechanism against XSS and XSRF attacks called Security Tokens. Security Tokens protection is enabled by default in all installs of cPanel & WHM. When Security Tokens protection is enabled, an attacker intending to utilize any self-XSS vulnerabilities must convince the victim to navigate their browser to the appropriate cPanel or WHM interface and manually input the JavaScript payload.

Credits
These issues were discovered by the respective reporters listed above.
Solution
These issues are resolved in the following builds:
11.44.1.18
11.42.1.26
11.40.1.21

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJUFy7GAAoJEJUhvtyr2U3fjaEQAKo7vd244K0k66mWJOY7uxUz
ryfS+fzDlwsMSHK1Sr2s7u0zBN9/BugH/y8SCjxLGPwuQvYx96IMVsOhfC0fgIsI
MSG3CWYTgVj5BJSY8JjOJEq+/gVzPZ4r1mK/8bsjiDO5BuyxQObnqXQSvkeDi/0B
fB220K+TKDZ70jKU2u0ZMYl9qo9hqO7sPgPGWusIGvz67DCeVARPq4CS5lHJJVU+
uScH01kSnwwbsAsJhBI8KeSQfVqezwoF5xWHLQsrAnUVw95NNChqQccl+hClxlHb
vyML7U1DMB3FQdnJeZJ17AlbloOtRxqkZiqJXLJ0bFwfhXpoM47U3Sd03mfPHkfc
buvtj96r059iP+1+IO36cRp3/XiPNPO/PDQvdFGUuTV3GTnOa1LROlYXcoCRw1UD
hCLal+hUUpzWLuaYlr0BclAmIxUs2Sg13HBxX7MnK5adQJHBrXzgNVT211oUeV83
pATjfUMf4E+lKWFMKGbePtb8IZEMDoIzF2/7IF3Jlu8sF0TNl5VZvJOQ78Sh6jjg
kHi6LloX3niUy93bsAmsWZd66peppx7KRANP8o7Ii++EcKEElUtjZWbjEphsIGFM
vykQ9DyRA+K84jKldB6ygE1K8Dd/yjgB965GHHsAk1sMyNjMmrzSiAC5NgwAt0Bt
fwFaPaCD4O8pCpjdZQEl
=R4Al
-----END PGP SIGNATURE-----
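Editor's note, outside the signed advisory above. Cases 109049, 112041 and 113477 share one root cause: a process running as root (or as a shared service account) opened a path whose components an attacker could replace with a symbolic link, so the open followed the link and the write (or the cache read) landed on a file of the attacker's choosing. The following Python is an added example written for this page; it is not cPanel's code and the checkstunnel, synccpaddonswithsqlhost and Horde scripts do not work this way internally. It shows the two defences a privileged script wants: walk a user-controlled path one component at a time with O_NOFOLLOW and verify the opened descriptor (owner, regular file, link count) before touching it, and create scratch files with mkstemp() inside a private 0700 directory rather than at a predictable name under /tmp. All paths, the ".cpaddons/state" entry and the "victim" home are constructed inside a throwaway temp directory; the process runs unprivileged, the pattern is identical as root.

```python
import errno
import os
import stat
import tempfile

# Added example (not cPanel code): how a privileged process writes inside a
# directory an unprivileged user controls (Case 109049) or into scratch space
# (Cases 112041, 113477) without letting a planted symlink or hard link choose
# the inode.  Runs unprivileged here; the pattern is the same when root.


def _walk_dirs_nofollow(base_dir, parts):
    """Open base_dir/parts[0]/.../parts[-1] one component at a time.

    Each step is an openat() relative to the previous directory fd with
    O_DIRECTORY|O_NOFOLLOW, so a symlink planted at any level makes the open
    fail (ELOOP or ENOTDIR) instead of being followed."""
    dir_fd = os.open(base_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        for part in parts:
            next_fd = os.open(part, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                              dir_fd=dir_fd)
            os.close(dir_fd)
            dir_fd = next_fd
    except OSError:
        os.close(dir_fd)
        raise
    return dir_fd


def open_user_file(base_dir, rel_path, uid, create=False):
    """Writable fd for base_dir/rel_path that never follows a symlink.

    create=True : O_CREAT|O_EXCL, so only a brand-new entry is accepted, and it
                  is handed to uid so root leaves no root-owned file behind.
    create=False: open the existing entry, then check on the fd (not the path,
                  so there is no check-then-use window) that it is a regular
                  file owned by uid with a single link; only then truncate."""
    parts = [p for p in rel_path.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError(f"refusing path {rel_path!r}")
    dir_fd = _walk_dirs_nofollow(base_dir, parts[:-1])
    try:
        flags = os.O_WRONLY | os.O_NOFOLLOW | os.O_CLOEXEC
        if create:
            fd = os.open(parts[-1], flags | os.O_CREAT | os.O_EXCL, 0o600, dir_fd=dir_fd)
            os.fchown(fd, uid, -1)
            return fd
        fd = os.open(parts[-1], flags, dir_fd=dir_fd)   # no O_TRUNC before the checks
    finally:
        os.close(dir_fd)
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode) or st.st_uid != uid or st.st_nlink != 1:
        os.close(fd)
        raise PermissionError(f"{rel_path}: not a plain file owned by uid {uid}")
    os.ftruncate(fd, 0)
    return fd


def write_private_scratch(content, prefix="stunnel.conf."):
    """Replacement for a predictable name in world-writable /tmp: a fresh 0700
    directory owned by this uid plus mkstemp() (random name, O_CREAT|O_EXCL,
    mode 0600).  Nothing for an attacker to pre-place, and O_EXCL would refuse
    a pre-existing entry anyway.  Returns the new file's path."""
    private_dir = tempfile.mkdtemp(prefix="scratch.")
    fd, path = tempfile.mkstemp(prefix=prefix, dir=private_dir)
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


def _put(path, text):
    with open(path, "w") as f:
        f.write(text)


def demo():
    """Constructed scenario under a throwaway temp dir: .cpaddons/state in a
    user home is first a symlink, then a hard link, to a file the user must not
    be able to overwrite.  Returns what each writer did."""
    root = tempfile.mkdtemp()
    home = os.path.join(root, "home", "victim")
    os.makedirs(os.path.join(home, ".cpaddons"))
    protected = os.path.join(root, "protected.txt")
    trap = os.path.join(home, ".cpaddons", "state")
    me, out = os.getuid(), {}

    _put(protected, "original\n")
    os.symlink(protected, trap)
    _put(trap, "clobbered\n")               # naive writer: open() follows the link
    out["naive_clobbered"] = open(protected).read() == "clobbered\n"

    _put(protected, "original\n")
    try:
        os.close(open_user_file(home, ".cpaddons/state", me))
        out["symlink_refused"] = False
    except OSError as e:                    # ELOOP on Linux, EMLINK on FreeBSD
        out["symlink_refused"] = e.errno in (errno.ELOOP, errno.EMLINK)

    os.unlink(trap)
    os.link(protected, trap)                # a symlink check alone misses this
    try:
        os.close(open_user_file(home, ".cpaddons/state", me))
        out["hardlink_refused"] = False
    except PermissionError:                 # the st_nlink == 1 check fires
        out["hardlink_refused"] = True
    out["protected_intact"] = open(protected).read() == "original\n"

    fd = open_user_file(home, ".cpaddons/fresh", me, create=True)
    os.write(fd, b"ok\n")
    os.close(fd)
    out["fresh_written"] = open(os.path.join(home, ".cpaddons", "fresh")).read() == "ok\n"
    scratch = write_private_scratch(b"x")
    out["scratch_dir_mode"] = stat.S_IMODE(os.stat(os.path.dirname(scratch)).st_mode)
    return out
```

The checks are deliberately made on the descriptor after the open, never on the path before it, because a path-based lstat() can be raced between the check and the open. The link-count test matters because O_NOFOLLOW says nothing about hard links: a user can hard-link a root-owned file into .cpaddons wherever fs.protected_hardlinks is off. For the cache-poisoning case (113477) the same ownership and mode checks apply on the read side, and the simplest fix is the one the scratch helper shows: a per-user private directory instead of a shared, world-writable one. Where a script can afford it, the strongest option is not to do the user-directory work as root at all, but to fork and drop to the user's uid so the kernel enforces the boundary.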
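Editor's note, outside the signed advisory above. Cases 112361 and 113101 are both instances of letting attacker-influenced text (an account name parsed out of a mail log, a request URI) select which file a privileged process touches, with 113101 additionally showing why deleting traversal sequences from a string is not a fix. The Python below is an added example for this page, not cPanel's code: the account-name rule, the log-line format and the "/srv/bw" and "/srv/www" directories are assumptions made for the illustration (the advisory does not state cPanel's real account-name rules or the cPBandwd log parser's format), and strip_traversal() is the generic blacklist anti-pattern shown beside the canonicalise-then-check approach, not a description of cpsrvd's actual code.

```python
import posixpath
import re
from urllib.parse import unquote

# Added example (not cPanel code).  Two ways to keep untrusted input from
# selecting a file: an allowlist for a single path component (Case 112361),
# and canonicalise-then-check for a whole request path (Case 113101).

# Assumption for this example: an account name is 1-16 lowercase alphanumerics
# starting with a letter.  cPanel's real rules are not stated in the advisory.
_ACCOUNT_RE = re.compile(r"[a-z][a-z0-9]{0,15}")
# Constructed log format for this example, loosely modelled on a mail login
# line; the real cPBandwd driver's parsing is not described.
_LOGIN_RE = re.compile(r"\blogin: user=<([^>]*)>")

SAMPLE_LOG = [   # constructed sample lines
    "2014-09-01 10:00:01 imap login: user=<alice> rip=192.0.2.10",
    "2014-09-01 10:00:02 pop3 login: user=<bob42> rip=192.0.2.11",
    "2014-09-01 10:00:03 imap login: user=<../../tmp/evil> rip=192.0.2.12",
    "2014-09-01 10:00:04 imap auth failed rip=192.0.2.13",
]


def validate_account(name):
    """Allowlist: anything that is not a plain account name is rejected."""
    if not _ACCOUNT_RE.fullmatch(name):
        raise ValueError(f"invalid account name: {name!r}")
    return name


def bandwidth_file_naive(base_dir, name):
    """The vulnerable shape: the parsed name is spliced straight into a path."""
    return f"{base_dir}/{name}/bandwidth"


def bandwidth_file(base_dir, name):
    return posixpath.join(base_dir, validate_account(name), "bandwidth")


def track_logins(base_dir, log_lines):
    """Return ({account: tracking file} for accepted names, [rejected names])."""
    accepted, rejected = {}, []
    for line in log_lines:
        m = _LOGIN_RE.search(line)
        if not m:
            continue
        try:
            accepted[m.group(1)] = bandwidth_file(base_dir, m.group(1))
        except ValueError:
            rejected.append(m.group(1))
    return accepted, rejected


def strip_traversal(uri):
    """Blacklist sanitiser, kept only as the anti-pattern: removing '../'
    once turns '....//' into '../', so the filter manufactures the sequence
    it was meant to delete."""
    return uri.replace("../", "")


def resolve_under_docroot(docroot, uri):
    """Decode once, canonicalise lexically, then prove containment.

    normpath() of an absolute path can never climb above '/', so after it the
    request is always rooted under docroot; the startswith test is a second
    line of defence.  If the docroot tree itself is user-writable, apply the
    same test to os.path.realpath(full) as well, since this step is lexical
    and does not see symlinks."""
    path = unquote(uri.split("?", 1)[0])          # decode exactly once
    if "\x00" in path:
        raise ValueError("NUL byte in request path")
    norm = posixpath.normpath("/" + path.lstrip("/"))
    full = posixpath.join(docroot, norm.lstrip("/"))
    if full != docroot and not full.startswith(docroot.rstrip("/") + "/"):
        raise ValueError(f"{uri!r} escapes {docroot}")
    return full


def compare(docroot, uri):
    """Where the two approaches send the same request."""
    return {
        "stripped": posixpath.normpath(posixpath.join(docroot, strip_traversal(uri))),
        "resolved": resolve_under_docroot(docroot, uri),
    }
```

Running track_logins("/srv/bw", SAMPLE_LOG) accepts alice and bob42 and rejects the third line's name, whereas bandwidth_file_naive() would have happily produced "/srv/bw/../../tmp/evil/bandwidth". compare("/srv/www", "....//etc/passwd") shows the two request handlers diverging: the stripping version ends up at "/srv/etc/passwd", outside the document root, while the canonicalising version stays at "/srv/www/..../etc/passwd". Percent-encoded dots ("%2e%2e/") decode to "../" and collapse harmlessly against the root for the same reason.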