cPanel TSR-2014-0008 Full Disclosure

Case 114917

Summary
Resellers could delete feature lists they did not own.

Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.

Description
The check for ownership of a feature list was not functioning properly and allowed a reseller with limited ACLs to delete feature lists that they did not own.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.46.0.15
11.44.1.22
11.42.1.29

Case 115493

Summary
Multiple Self-XSS vulnerabilities due to Template Toolkit setlist filtering.

Security Rating
cPanel has assigned a Security Level of Minor to this vulnerability.

Description
When using a FILTER statement in conjunction with SET or DEFAULT statements in Template Toolkit templates, the statements are not evaluated in the correct order. This makes the FILTER statement ineffective, in many cases creating self-XSS vulnerabilities.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.46.0.15
11.44.1.22
11.42.1.29

Case 115833

Summary
Arbitrary code execution as root via chroothttpd.

Security Rating
cPanel has assigned a Security Level of Minor to this vulnerability.

Description
The chroothttpd script was intended to run the Apache webserver in a chroot. It functions by creating directories in a non-reserved location within the /home directory. By creating a user with the name of one of these directories, a limited privilege reseller could affect the execution of chroothttpd and execute arbitrary code as the root user. This script is outdated and non-functional on current cPanel & WHM systems. It has been removed.

Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.46.0.15
11.44.1.22
11.42.1.29

Case 118105

Summary
Anti-XSRF tokens disclosed during session based logins.

Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.

Description
When using session-based logins, the security token provided by the user was not sufficiently validated. This allowed logins using only information contained within the session cookie, bypassing the security token protections designed to mitigate browser cookie theft.

Credits
This issue was discovered by Aboutnet Support.

Solution
This issue is resolved in the following builds:
11.46.0.15
11.44.1.22
11.42.1.29

Case 127225

Summary
Arbitrary file chown via backupadmin userbackup.

Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.

Description
The backupadmin script parsed the output of pkgacct to determine the filename of the generated backup tarball. This could be abused by cPanel accounts to chown arbitrary paths on the filesystem to the attacker's UID and GID.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.46.0.15
11.44.1.22
11.42.1.29

Case 132769

Summary
Arbitrary file read via ExampleModule_printfile API1 command.

Security Rating
cPanel has assigned a Security Level of Minor to this vulnerability.

Description
A cPanel user could use the ExampleModule_printfile Api1 call to read files outside of their home directory. This flaw could be used to bypass other restrictions on the cPanel account such as demo mode or jailshell.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.46.0.15
11.44.1.22
11.42.1.29

Multiple Cases (7)

Summary
Multiple XSS vulnerabilities in various interfaces.
Description
Output filtering errors in several different interfaces allowed JavaScript inputs to be returned to the browser without proper filtering. The affected interfaces are listed below.

Case: 115757
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/stats/bwday.html, /frontend/x3/stats/bwday.html
Affected Releases: 11.46.0, 11.44.1, 11.42.1
Reporter: cPanel Security Team

Case: 115837
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/psql/addbs.html
Affected Releases: 11.46.0, 11.44.1
Reporter: cPanel Security Team

Case: 117153
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /scripts/doclonetheme
Affected Releases: 11.46.0, 11.44.1, 11.42.1
Reporter: cPanel Security Team

Case: 117673
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/subdomain/index.html, /frontend/paper_lantern/subdomain/index.html
Affected Releases: 11.46.0, 11.44.1, 11.42.1
Reporter: Vignesh Kumar

Case: 132617
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /scripts2/dogencrt
Affected Releases: 11.46.0, 11.44.1, 11.42.1
Reporter: cPanel Security Team

Case: 132657
Security Rating: Moderate
XSS Type: Stored
Interface: WHM
URLs: /scripts2/edit_sourceipcheck
Affected Releases: 11.46.0, 11.44.1, 11.42.1
Reporter: cPanel Security Team

Case: 133745
Security Rating: Important
XSS Type: Stored
Interface: WHM
URLs: /scripts2/ftpconfiguration, /scripts/resproftpd
Affected Releases: 11.46.0
Reporter: RACK911Labs.com

cPanel includes a comprehensive protection mechanism against XSS and XSRF attacks called Security Tokens. Security Tokens protection is enabled by default in all installs of cPanel & WHM. When Security Tokens protection is enabled, an attacker intending to utilize any self-XSS vulnerabilities must convince the victim to navigate their browser to the appropriate cPanel or WHM interface and manually input the JavaScript payload.
Credits
These issues were discovered by the respective reporters listed above.

Solution
These issues are resolved in the following builds:
11.46.0.15
11.44.1.22
11.42.1.29
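To make the Case 118105 flaw and the Security Tokens mechanism above concrete, here is an added illustration that is not cPanel's code: an in-memory session store, a cookie-only check of the kind the advisory describes as insufficient, and a check that binds the token carried in the request to the session record. The session store, the helper names and the assumption that the token travels in the URL path behind a "cpsess" prefix are all constructed for this example.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed in-memory session store (assumption): session id -> record.
SESSIONS: Dict[str, Dict[str, str]] = {}


def create_session(user: str) -> Tuple[str, str]:
    """Create a session and bind a fresh anti-XSRF security token to it.

    The cookie carries only the session id; the token is returned separately
    so the browser must present it in every request URL.
    """
    sid = secrets.token_hex(16)
    token = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "token": token}
    return sid, token


def extract_token(path: str) -> Optional[str]:
    """Pull the security token out of a request path such as
    /cpsess<token>/frontend/x3/index.html (path layout is an assumption)."""
    for part in path.split("/"):
        if part.startswith("cpsess") and len(part) > len("cpsess"):
            return part[len("cpsess"):]
    return None


def weak_login_check(cookie_sid: str, url_token: Optional[str]) -> bool:
    """Flawed pattern: a valid session cookie alone authenticates the request.

    The token is never compared against the session, so anyone holding a
    stolen cookie is logged in; this is the class of bypass in Case 118105.
    """
    return cookie_sid in SESSIONS


def strict_login_check(cookie_sid: str, url_token: Optional[str]) -> bool:
    """Hardened pattern: the cookie must name a live session AND the request
    must carry exactly the token bound to that session (constant-time compare)."""
    record = SESSIONS.get(cookie_sid)
    if record is None or not url_token:
        return False
    return hmac.compare_digest(record["token"], url_token)
```

With the strict check, a stolen cookie presented without the matching URL token is rejected, which is the property the Security Tokens mechanism is meant to provide.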