-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

cPanel TSR-2015-0003 Full Disclosure

SEC-22

Summary
Access restrictions on mail routing information not properly enforced.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.0
(AV:N/AC:L/Au:S/C:P/I:N/A:N)

Description
The WHM, cPanel and Webmail interfaces each provide the ability to trace the
route that email delivery takes. This routing information includes details
about how email is routed internally on the server for local delivery
destinations. Access restrictions were not correctly enforced in these
interfaces, allowing users with limited privileges to view the private email
routing details of other accounts.

Credits
This issue was discovered by Narendra Bhati.

Solution
This issue is resolved in the following builds:
11.48.4.4
11.46.3.6
11.44.3.5

SEC-26

Summary
Self XSS Vulnerability in File Manager Upload.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1
(AV:N/AC:H/Au:S/C:N/I:P/A:N)

Description
Error messages generated during a file upload failure may contain the file
name. In some circumstances, the file name was not correctly escaped. This
allowed JavaScript in the filename to run in the web browser.

Credits
This issue was discovered by Jasminder Pal Singh.

Solution
This issue is resolved in the following builds:
11.48.4.4
11.46.3.6
11.44.3.5

SEC-27

Summary
Self Stored XSS in WHM Theme Manager.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1
(AV:N/AC:H/Au:S/C:N/I:P/A:N)

Description
Theme names in the WHM Theme Manager interface were not properly HTML escaped
when they were displayed.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.48.4.4
11.46.3.6
11.44.3.5

SEC-32

Summary
External XML Entity vulnerability in cPanel WebDAV server.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.5
(AV:N/AC:M/Au:S/C:P/I:N/A:N)

Description
The method used to protect the cpdavd WebDAV server from XXE injections was
incompatible with the version of libxml2 available on RedHat 5 and CentOS 5
systems. As a result, it was possible for a WebDAV virtual account to read
arbitrary files in the home directory of the controlling cPanel account.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.48.4.4
11.46.3.6
11.44.3.5

SEC-33

Summary
Demo accounts allowed to download arbitrary files.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1
(AV:N/AC:H/Au:S/C:P/I:N/A:N)

Description
A cPanel account in demo mode was allowed to download arbitrary files from the
account's home directory using the getbackup, getsysbackup, and download URLs.
These URLs are now restricted to non-demo accounts.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.48.4.4
11.46.3.6
11.44.3.5

SEC-34

Summary
Demo accounts allowed to upload temporary files in some interfaces.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1
(AV:N/AC:H/Au:S/C:N/I:N/A:P)

Description
The Cpanel::Form module used by cPanel & WHM to parse HTTP parameters and file
uploads is designed to prevent demo cPanel accounts from uploading any files to
the system. This restriction was not correctly enforced for scripts in the
'base/backend' and 'cgi-sys' directories.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.48.4.4
11.46.3.6
11.44.3.5

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCgAGBQJVVj05AAoJEJUhvtyr2U3f/9AQAJFayii68GtUB4LzZH1r4Yxi
Eyx/nnQOa5yb0fqJlvE9sH0pjL9n9crjYugcVJPPaQjzIVJ6hWtdjHsqZmleNStr
tqiL2yzI5nY+SmH+iHRod+AGB/VJEmZBCzLRbOm7rkjRtnIQ8RYNiqB9cn4KD4HP
fMraQFoRR1q5zq4K4xWO7xljUalslrnYhxHOXa7mV1PmvOi58wkcpLcMoli2zX6l
R9z3gzaJXXdORp6iyQ59OYiirQRp3LXUbjzPzajLkj+0CfgXpxg6zSI+spG63OGL
xUa9FryOStcAJB5IEjyAY1Zr5foQcockCYz2aMsluOBg6U4phkPa7sfhQZ+qubkJ
OdWgb0G/rHYIPnr9Pxu52VPStv7VcG1mbpyvoYhJKF6O4nRKdEAvPjJSdOSbc73r
m2vO17Dk1m+0SmslsaEQh+VZQNb0qeF2DXtC793LLrzcTnsUDBFNbMhl0VLPQHgo
B2sqqjw87V11cFFl2VDmkjo/0bDC1Ew49SnrRJCm3m+KDvFOXsOny9Ars1qmuvab
khYaCGoUPBFMl7BujcfR4cCLbwItKLAEfUodWY3xm30XcR33dhAB/5i9EiEG+Twf
f0i4fh+778w4nRuMi6o6Uw7zbXgeDUBh4pCy+1bLbUe9tDCGMEB3K1vS1Z7exjQh
D/h57rL/fHqNY9zZKWHn
=1Ajz
-----END PGP SIGNATURE-----
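SEC-26 and SEC-27 above are the same defect class in two rendering contexts: a user-controlled name (an uploaded file's name, a theme name) interpolated into HTML without escaping. The following is an added example written for this page in Python; it is not cPanel's own (Perl) code. It places the unescaped pattern beside the escaped one for both a text context (the upload error message) and an attribute context (a theme selector), and uses the standard library's HTMLParser as a stand-in for the browser to show what each fragment actually parses into. The sample names are constructed.

```python
"""Escaping untrusted names before they reach HTML (SEC-26 / SEC-27 pattern).

Added example, not cPanel code. Shows the defect (raw interpolation of a
file name or theme name into markup) next to the escaped form, and uses
HTMLParser to show how a browser would read each fragment.
"""
import html
from html.parser import HTMLParser

# Constructed sample inputs: names that an end user controls.
UPLOADED_FILENAME = "report<script>alert(1)</script>.txt"   # constructed
THEME_NAME = 'paper" onmouseover="alert(1)'                  # constructed


def upload_error_unsafe(filename: str) -> str:
    """Defect pattern: the file name is dropped into the message as-is."""
    return f"<p>Upload of {filename} failed.</p>"


def upload_error_safe(filename: str) -> str:
    """Hardened: escape for HTML text content before interpolation."""
    return f"<p>Upload of {html.escape(filename)} failed.</p>"


def theme_option_unsafe(theme: str) -> str:
    """Defect pattern in an attribute context (a theme selector)."""
    return f'<option value="{theme}">{theme}</option>'


def theme_option_safe(theme: str) -> str:
    """Hardened: quote=True also escapes " and ', so the value cannot
    terminate the attribute and introduce a new one."""
    safe = html.escape(theme, quote=True)
    return f'<option value="{safe}">{safe}</option>'


class _BrowserProbe(HTMLParser):
    """Records the start tags and attributes a parser sees in a fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.update(attrs)   # HTMLParser unescapes attribute values


def browser_view(fragment: str):
    """Return (tag names, merged attributes) as a browser would parse them."""
    probe = _BrowserProbe()
    probe.feed(fragment)
    probe.close()
    return probe.tags, probe.attrs


if __name__ == "__main__":
    for label, fragment in [
        ("upload unsafe", upload_error_unsafe(UPLOADED_FILENAME)),
        ("upload safe", upload_error_safe(UPLOADED_FILENAME)),
        ("theme unsafe", theme_option_unsafe(THEME_NAME)),
        ("theme safe", theme_option_safe(THEME_NAME)),
    ]:
        print(label, browser_view(fragment))
```

In the unsafe text case the parser reports a second `script` element; in the unsafe attribute case it reports an `onmouseover` attribute that the application never wrote. After escaping, the file name is plain text and the theme name survives intact as the single `value` attribute, which is exactly what the SEC-26 and SEC-27 fixes restore.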
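The point of SEC-32 above is that an XXE mitigation which relies on a particular library behaviour (here, a libxml2 feature missing on RedHat 5 and CentOS 5) can silently stop working when the library differs. The following is an added example, written for this page in Python and not cpdavd code, of a check that does not depend on the library's entity handling: a WebDAV request body never needs a DTD, so any DOCTYPE is rejected the moment the parser reports it, before any entity declaration can be acted on. The sample bodies are constructed, and the file path in the rejected sample is a placeholder.

```python
"""Rejecting DTDs in WebDAV request bodies (SEC-32 pattern).

Added example, not cpdavd code. The check refuses any DOCTYPE (internal
subset or external reference) as soon as expat reports it, so it does
not rely on entity resolution being disabled by the XML library.
"""
import xml.parsers.expat


class DoctypeRejected(ValueError):
    """Raised when a request body carries a DTD of any kind."""


def parse_webdav_body(body: bytes) -> list:
    """Parse a WebDAV XML body and return the element names seen.

    Any <!DOCTYPE ...> aborts parsing: WebDAV bodies never need a DTD,
    and entity declarations are the vehicle for XXE.
    """
    seen = []
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at the start of the declaration, before any entity in
        # the internal subset is defined or any external subset fetched.
        raise DoctypeRejected(f"DOCTYPE {name!r} is not permitted")

    def on_external_entity(context, base, sysid, pubid):
        # Second line of defence: never fetch an external entity.
        # Returning 0 makes expat stop with an ExpatError.
        return 0

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(body, True)
    return seen


def classify_body(body: bytes) -> str:
    """Return "ok", "doctype" (rejected) or "malformed" for a request body."""
    try:
        parse_webdav_body(body)
    except DoctypeRejected:
        return "doctype"
    except xml.parsers.expat.ExpatError:
        return "malformed"
    return "ok"


# Constructed sample bodies.
BENIGN_PROPFIND = (
    b'<?xml version="1.0"?>'
    b'<D:propfind xmlns:D="DAV:"><D:prop><D:getcontentlength/></D:prop>'
    b'</D:propfind>'
)

# Internal subset declaring an external entity; the path is a placeholder.
XXE_PROPFIND = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE D:propfind [<!ENTITY leak SYSTEM '
    b'"file:///home/EXAMPLE_USER/PLACEHOLDER.txt">]>'
    b'<D:propfind xmlns:D="DAV:"><D:prop>&leak;</D:prop></D:propfind>'
)

# External DTD reference only, no internal subset: rejected as well.
EXTERNAL_DTD_PROPFIND = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE D:propfind SYSTEM "http://example.invalid/dav.dtd">'
    b'<D:propfind xmlns:D="DAV:"/>'
)

TRUNCATED_BODY = b'<D:propfind xmlns:D="DAV:"><D:prop>'


if __name__ == "__main__":
    for name, body in [
        ("benign", BENIGN_PROPFIND),
        ("internal subset", XXE_PROPFIND),
        ("external DTD", EXTERNAL_DTD_PROPFIND),
        ("truncated", TRUNCATED_BODY),
    ]:
        print(f"{name}: {classify_body(body)}")
```

Because the rejection happens in the DOCTYPE callback rather than in entity resolution, it behaves the same whatever the underlying parser version does with entities; the `ExternalEntityRefHandler` that returns 0 is kept only as a backstop for documents that somehow reach it.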