-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

cPanel TSR-2015-0002 Full Disclosure

SEC-2

Summary
Multiple vulnerabilities via ExpVar overexpansion.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 6.4
(AV:N/AC:L/Au:N/C:P/I:P/A:N)

Description
The WHM, cPanel, and Webmail interfaces use a common routine named
"expvar" for interpolating user input and some cPanel template
variables. In many interfaces, this function could be tricked into
over-interpolating user-supplied inputs to bypass context-specific
escaping or execute arbitrary code across privilege boundaries.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.48.1.3
11.46.3.1
11.44.3.1

SEC-3

Summary
Arbitrary code execution via secondary ExpVar expansion in API2 engine.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 6.4
(AV:N/AC:L/Au:N/C:P/I:P/A:N)

Description
The WHM, cPanel, and Webmail interfaces use a common routine named
"expvar" for interpolating user input and some cPanel template
variables. In the cPanel API2 templating and tag engine, this function
was called on tainted data returned from API2 calls, which allowed the
execution of arbitrary code across privilege boundaries.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.48.1.3
11.46.3.1
11.44.3.1

SEC-6

Summary
Security token disclosed during xfer logins.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.0
(AV:N/AC:L/Au:S/C:P/I:N/A:N)

Description
When doing an xfer login from WHM to cPanel or from cPanel to a webmail
virtual user, the security token was disclosed to the lesser-privileged
user. This allowed possible XSRF attacks into the higher-privileged
interface.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.48.1.3
11.46.3.1
11.44.3.1

SEC-9

Summary
Limited path traversal and configuration leak in Mailman Cache
Regeneration.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1
(AV:N/AC:H/Au:S/C:P/I:N/A:N)

Description
When regenerating the Mailman mailing list configuration cache for a
user, a list of mailing list names is provided. These mailing list names
were not checked for validity or ownership. This allowed an attacker to
test for the existence of files on the system or display a limited set
of configuration keys for arbitrary mailing lists.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.48.1.3
11.46.3.1
11.44.3.1

SEC-10

Summary
Format string vulnerability in maketext API1 function.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.9
(AV:N/AC:M/Au:S/C:P/I:P/A:N)

Description
cPanel & WHM uses the Locale::Maketext Perl library to provide
translations for users. Locale::Maketext is vulnerable to format string
attacks if an untrusted user is allowed to provide the maketext format
string. cPanel and Webmail accounts were allowed to call this function
directly using remote API1 commands. With specially crafted format
strings, this allowed webmail virtual accounts to run arbitrary code
with the effective UID and GID of the cPanel account that owned the
virtual account.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.48.1.3
11.46.3.1
11.44.3.1

SEC-12

Summary
Limited arbitrary file chmod in cpsrvd.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.5
(AV:N/AC:M/Au:S/C:N/I:P/A:N)

Description
There was a race condition during a chmod call after a UID/GID switch to
the app user. This allowed an authenticated attacker to chmod arbitrary
files on the server using the privileges of the app user.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.48.1.3
11.46.3.1
11.44.3.1

SEC-13

Summary
Convertmaildir script reveals contents of arbitrary directories.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1
(AV:N/AC:H/Au:S/C:P/I:N/A:N)

Description
When converting from an mbox-file type email account, the convertmaildir
script reads the content of a user's ~/mail directory. This directory
read was performed as root. By creating a symlink to another directory,
the script could be tricked into revealing the file names contained
within the target location.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.48.1.3
11.46.3.1
11.44.3.1

SEC-15

Summary
Stored XSS in /frontend/x3/stats/lastvisit_legacy.html.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)

Description
The "Legacy" Latest-Visitors page in X3 includes generated links to the
referring URIs of website visitors. An attacker could insert values into
the referrer string that would cause arbitrary JavaScript to run when
the links were clicked.

Credits
This issue was discovered by Mateusz Goik.

Solution
This issue is resolved in the following builds:
11.48.1.3
11.46.3.1
11.44.3.1

SEC-16

Summary
Stored XSS in /cgi-sys/guestbook.cgi.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)

Description
The cPanel Guestbook allows visitors to include a link-back URL on
submitted entries. An attacker could insert arbitrary JavaScript into
this URL, which would run when clicked by other visitors to the
guestbook.

Credits
This issue was discovered by Mateusz Goik.

Solution
This issue is resolved in the following builds:
11.48.1.3
11.46.3.1
11.44.3.1

SEC-17

Summary
Arbitrary code execution via ExpVar expansion in UI_finishaction API1
command.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.6
(AV:N/AC:H/Au:S/C:P/I:P/A:N)

Description
The WHM, cPanel, and Webmail interfaces use a common routine named
"expvar" for interpolating user input and some cPanel template
variables. In the cPanel UI_finishaction API1 call, the function was
called on tainted data provided by the cPanel user, allowing the
execution of arbitrary code that could bypass demo or jailshell account
restrictions.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.48.1.3
11.46.3.1
11.44.3.1

SEC-18

Summary
Self-XSS vulnerability in /backend/mailappsetup.cgi.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1
(AV:N/AC:H/Au:S/C:N/I:P/A:N)

Description
The mailappsetup.cgi script generates a ZIP file containing a user's
configuration data for Mail.app. The name of this ZIP file is generated
based upon query parameters passed to the script. These parameters were
not sufficiently sanitized. An attacker could use these parameters to
conduct an HTTP response splitting attack to inject arbitrary HTTP
headers and HTML content into the response returned by the server.

Credits
This issue was discovered by Mateusz Goik.

Solution
This issue is resolved in the following builds:
11.48.1.3
11.46.3.1
11.44.3.1

SEC-19

Summary
Self-XSS in multiple interfaces via QUERY_STRING.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1
(AV:N/AC:H/Au:S/C:N/I:P/A:N)

Description
Multiple interfaces within cPanel and WHM reflected the raw QUERY_STRING
back to the browser. This raw QUERY_STRING was not processed or encoded
beyond the URI encoding performed by the browser itself. Some browsers
encode only a limited set of characters in query strings, allowing
unsafe JavaScript to be injected into the rendered page.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.48.1.3
11.46.3.1
11.44.3.1

SEC-20

Summary
Arbitrary code execution for webmail accounts via printhelp API1
command.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.0
(AV:N/AC:L/Au:S/C:P/I:N/A:N)

Description
The printhelp API1 function expanded arguments passed to it with ExpVar
twice. By passing a carefully crafted request to a webmail page
utilizing this function, a webmail virtual account could execute
arbitrary code as the cPanel user.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.48.1.3
11.46.3.1
11.44.3.1

SEC-21

Summary
Reflected XSS vulnerability in /whm, /cpanel, and /webmail redirects.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)

Description
The standard redirects from Apache into cPanel & WHM services retain
portions of the URI provided by the user. This data was not correctly
escaped for rendering into a JavaScript string, allowing unsafe
JavaScript to be injected into the rendered page for some browsers.

Credits
This issue was discovered by Trustwave.

Solution
This issue is resolved in the following builds:
11.48.1.3

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCgAGBQJVBx4YAAoJEJUhvtyr2U3fxzcP/iA225bRZP0eAM1eDKxDEMP8
R+/vg/ub6r4K6nT926HSEjKT/7WGaBEKaPmcPryxVVyuBZgec28ee4eOAyfM11/6
RG5DVoDstHtxcxWSnzd8nPg40Qj6neZKUmBAYBbkyya2BRiF9I4G/DfcmXvbl8/l
Xm/2uUlUI0n5Z9p060r+im0r9brXgAKas0ZfhZKt94HYHssCTurQD8qTS2VJaMOa
mTyUX8Kg7l1anKI7VhqwDL7yJQzzj7/XU+mrgE6oXQTsmTyWOGbU2F6BlWmi6oPz
T5GbjtJJhNTxC/C8zNDV+MDQeiGoHPerYWxYfRfw0wNBqNr6ln0D8gEwwjkY0BWt
s98jr02Q/7YVddWOLAn7dHFUFps1CB/vF4MwiBLCmmbvJiz/AR3aw0JeMfE/Vqyr
HW2szPiqDGiS4jhIofS2yFTu+Bd7YneiaYlR4VpVazJzaFUvrAteVg55SGXyTJci
hPJyrOqWaoqttrJBfkpEG60RgEXD4FVtFnQU31soG/s2mPl74zyAzYhRxrEalMJ9
c2WWcXIaEobePodbyMrpcRQffoIaR6p+7fPCARVXQqg2omd6SuC3ODzCle1bjQ0N
A8vNphftkyTgo62eVgWzozqaWivcRFOz3CUabB9PBXlZspUGdjn+bXs+LXxKoTIK
75xaPFo+JtU8/bMLn3yk
=U7Kn
-----END PGP SIGNATURE-----
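Editor's added example, not cPanel code: the over-expansion pattern behind SEC-2, SEC-3, SEC-17 and SEC-20, modelled in Python with a toy interpolator. The names expvar, Tainted and TaintError, the ${name} reference syntax and the sample variable table are assumptions for illustration; cPanel's real routine is not reproduced. The block shows why a second expansion pass over output that already contains request data resolves references the user chose, and how propagating a taint mark through the interpolator (the equivalent of Perl's taint flag) makes that second pass fail instead. The same rule, that request data is never itself interpreted as a template or format string, is what SEC-10's maketext issue comes down to.

```python
import re

# Toy stand-in for a template-variable interpolator: ${name} references
# are resolved from a per-interface variable table. The syntax and the
# names below are constructed for this example.
VAR_RE = re.compile(r"\$\{(\w+)\}")


class Tainted(str):
    """A string that originated from a request. It may be *substituted into*
    a template but must never be *interpreted as* one."""


class TaintError(ValueError):
    """Raised when tainted data reaches the interpolator as a template."""


def expvar(template, variables):
    """Single-pass expansion with taint propagation.

    - A tainted template is refused outright.
    - Substituted values are inserted literally and never re-scanned.
    - If any substituted value was tainted, the result is marked tainted,
      so expanding the output again (the double-expansion pattern of
      SEC-20) raises instead of resolving attacker-chosen references.
    """
    if isinstance(template, Tainted):
        raise TaintError("refusing to expand a tainted string as a template")
    tainted_seen = False

    def lookup(match):
        nonlocal tainted_seen
        value = variables.get(match.group(1), "")
        if isinstance(value, Tainted):
            tainted_seen = True
        return str(value)  # str() drops the subclass; re.sub yields plain str

    out = VAR_RE.sub(lookup, template)
    return Tainted(out) if tainted_seen else out


def expvar_unchecked(template, variables):
    """The unsafe shape: no taint, so nothing stops a caller from expanding
    the already-expanded output a second time."""
    return VAR_RE.sub(lambda m: str(variables.get(m.group(1), "")), template)


def demo():
    """Constructed scenario. Returns (single_pass_output, double_pass_output,
    second_pass_blocked_by_taint)."""
    variables = {
        "homedir": "/home/alice",                 # owner-side template variable
        "subject": Tainted("hello ${homedir}"),   # value chosen by a lesser user
    }
    template = "Subject: ${subject}"

    once = expvar(template, variables)            # user text stays literal
    # Over-expansion: the first pass emits user data that still looks like a
    # template; a careless second pass resolves it across the boundary.
    leaked = expvar_unchecked(expvar_unchecked(template, variables), variables)
    try:
        expvar(once, variables)                   # taint makes this fail
        blocked = False
    except TaintError:
        blocked = True
    return str(once), leaked, blocked


if __name__ == "__main__":
    print(demo())
```

Taint marks only help if every sink that interprets strings (template expansion, format strings, shell, SQL) checks them; the point of the example is that the interpolator itself is such a sink, and its output must carry the mark forward.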
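Editor's added example for SEC-12 and SEC-13, not cPanel code: both issues are a check made on a path name followed by a privileged action on whatever that name resolves to at the moment of the action (a chmod after a UID/GID switch, a directory read as root through a planted symlink). The Python below, POSIX only, closes that gap by opening without following a final symlink, validating the opened descriptor (type and owner), and then acting on the descriptor rather than the name. The function names, the expected_uid argument and the temporary-directory scenario are constructed for illustration.

```python
import os
import stat
import tempfile


class UnsafePath(Exception):
    """The object at the path is not what the caller is entitled to touch."""


def _checked_fd(path, expected_uid, want_dir=False):
    """Open `path` without following a final symlink, then verify the object
    actually opened (not the name) before anything privileged is done."""
    flags = os.O_RDONLY | os.O_NOFOLLOW
    if want_dir:
        flags |= os.O_DIRECTORY
    try:
        fd = os.open(path, flags)            # ELOOP if `path` is a symlink
    except OSError as exc:
        raise UnsafePath(f"{path}: {exc.strerror}") from exc
    try:
        st = os.fstat(fd)                    # inspect the inode we hold, not the path
        if want_dir and not stat.S_ISDIR(st.st_mode):
            raise UnsafePath(f"{path}: not a directory")
        if st.st_uid != expected_uid:
            raise UnsafePath(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    except Exception:
        os.close(fd)
        raise
    return fd


def safe_chmod(path, mode, expected_uid):
    """chmod through a validated descriptor: a swap of the name between the
    check and the change no longer matters, because fchmod acts on the inode
    that was checked."""
    fd = _checked_fd(path, expected_uid)
    try:
        os.fchmod(fd, mode)
    finally:
        os.close(fd)


def safe_listdir(path, expected_uid):
    """List a directory only if it is a real directory owned by the expected
    user; a symlink planted at `path` is refused rather than followed."""
    fd = _checked_fd(path, expected_uid, want_dir=True)
    try:
        return sorted(os.listdir(fd))        # listdir accepts a directory fd on POSIX
    finally:
        os.close(fd)


def demo():
    """Constructed scenario in a temp dir: a real file and directory we own,
    plus symlinks standing in for ones a user could plant. Returns
    (chmod_applied, listing, symlink_chmod_refused, symlink_listing_refused)."""
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as root:
        real_file = os.path.join(root, "real.txt")
        other_file = os.path.join(root, "other.txt")
        maildir = os.path.join(root, "mail")
        for p in (real_file, other_file):
            with open(p, "w") as f:
                f.write("x")
        os.mkdir(maildir)
        open(os.path.join(maildir, "inbox"), "w").close()
        link_file = os.path.join(root, "link.txt")
        link_dir = os.path.join(root, "linkdir")
        os.symlink(other_file, link_file)
        os.symlink(root, link_dir)

        safe_chmod(real_file, 0o600, uid)
        chmod_applied = stat.S_IMODE(os.stat(real_file).st_mode) == 0o600
        listing = safe_listdir(maildir, uid)
        try:
            safe_chmod(link_file, 0o600, uid)
            chmod_refused = False
        except UnsafePath:
            chmod_refused = True
        try:
            safe_listdir(link_dir, uid)
            listing_refused = False
        except UnsafePath:
            listing_refused = True
    return chmod_applied, listing, chmod_refused, listing_refused


if __name__ == "__main__":
    print(demo())
```

The owner check matters as much as O_NOFOLLOW: a service that has already dropped to the user's UID cannot be tricked into modifying files it does not own by a hard link or a race, but one still running as root can, and comparing st_uid on the open descriptor is what stops it.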
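Editor's added example for SEC-15, SEC-16, SEC-18, SEC-19 and SEC-21, not cPanel code: each of those issues is visitor or user data rendered into one context (an href built from a referrer or link-back URL, a Content-Disposition header built from query parameters, a JavaScript string built from the request URI or QUERY_STRING) without encoding for that specific context. The three Python helpers below do the encoding each context needs; the function names and the fallback file name are assumptions for illustration.

```python
import html
import json
import re
from urllib.parse import urlsplit

# Visitor-supplied link targets (a referrer, a guestbook link-back) may only
# be absolute web URLs; anything else, javascript: and data: included, is dropped.
SAFE_SCHEMES = {"http", "https"}
# Browsers strip leading/trailing C0 controls and spaces from a URL and delete
# tab/LF/CR anywhere before reading the scheme, so the check must do the same.
_STRIP_CHARS = "".join(chr(c) for c in range(0x21))


def safe_href(url):
    """Return an attribute-safe href for an untrusted URL, or None if it is
    not an absolute http(s) URL after browser-style normalisation."""
    cleaned = url.strip(_STRIP_CHARS)
    for ch in "\t\n\r":
        cleaned = cleaned.replace(ch, "")
    try:
        parts = urlsplit(cleaned)
    except ValueError:                 # e.g. a malformed IPv6 literal
        return None
    if parts.scheme.lower() not in SAFE_SCHEMES or not parts.netloc:
        return None
    return html.escape(cleaned, quote=True)


def js_string_literal(value):
    """Encode an untrusted value (such as a reflected QUERY_STRING) as a
    JavaScript string literal that is also safe inside an HTML <script>
    block. json.dumps escapes quotes, backslashes and control characters;
    the extra replacements keep '</script>' and the JS line terminators
    U+2028/U+2029 from breaking out of the literal or the script element."""
    encoded = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                    ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        encoded = encoded.replace(ch, esc)
    return encoded


# Allow-list for a user-chosen download name that ends up in a response header.
_NOT_FILENAME_CHAR = re.compile(r"[^A-Za-z0-9._-]")


def attachment_disposition(requested_name, default="download.zip"):
    """Build a Content-Disposition value from a user-chosen file name. CR and
    LF (the response-splitting vector), quotes, path separators and anything
    else outside the allow-list become '_'; leading dots and underscores are
    dropped so the result is neither hidden nor empty. `default` is a
    constructed fallback, not a cPanel file name."""
    name = _NOT_FILENAME_CHAR.sub("_", requested_name).strip("._")
    if not name:
        name = default
    return f'attachment; filename="{name}"'
```

The href helper rejects rather than escapes because a visitor-supplied scheme has no legitimate use beyond http(s); the header helper replaces rather than rejects because a download still has to be served; the JavaScript helper encodes everything because the value is meant to reach the page verbatim. Choosing among those three responses per context is the whole of the fix class these five items share.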