-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 cPanel TSR-2015-0004 Full Disclosure SEC-25 Summary Feature requirements not enforced correctly by adminbins. Security Rating cPanel has assigned this vulnerability a CVSSv2 score of 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N) Description Several adminbin scripts did not properly verify the features enabled for the cPanel account running the adminbin script. This allowed cPanel users to perform some configuration functions that were disabled for the account. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds: 11.50.0.27 11.48.4.6 11.46.3.8 SEC-35 Summary Arbitrary file overwrite via cpbackup-exclude.conf lock file. Security Rating cPanel has assigned this vulnerability a CVSSv2 score of 6.3 (AV:N/AC:M/Au:S/C:N/I:C/A:N) Description The cPanel & WHM account backup system allows users to exclude files from backups by placing a file named cpbackup-exclude.conf in the user's home directory. During backup operations, this file was locked, opened, and read by root. An attacker could leverage this behavior to overwrite arbitrary files on the system. Credits This issue was discovered by RACK911Labs.com. Solution This issue is resolved in the following builds: 11.50.0.27 11.48.4.6 11.46.3.8 SEC-36 Summary Arbitrary code execution via relative RPATH in PostgreSQL binaries. Security Rating cPanel has assigned this vulnerability a CVSSv2 score of 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P) Description The incorrect LDFLAGS were passed to the PostgreSQL build process. This resulted in an invalid RPATH being added to the PostgreSQL shared objects and binaries used by cPanel & WHM. An attacker could use this flaw to execute arbitrary code if the binaries or libraries were loaded inside of the attacker's home directory. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds: 11.50.0.27 11.48.4.6 11.46.3.8 SEC-37 Summary Disclosure of files owned by nobody. Security Rating cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N) Description The cPanel & WHM account backup system records a list of files inside the user's home directory that are owned by the 'nobody' user. The list was generated while running with root privileges. This behavior allowed an attacker to discover the locations of files owned by the 'nobody' user inside paths the attacker could not traverse. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds: 11.50.0.27 11.48.4.6 11.46.3.8 SEC-38 Summary Arbitrary file overwrite via passwordforce lock file. Security Rating cPanel has assigned this vulnerability a CVSSv2 score of 6.3 (AV:N/AC:M/Au:S/C:N/I:C/A:N) Description The forcepasswordchange WHM API call locks, reads, and writes the 'passwordforce' file inside a user's home directory. These operations were performed with root privileges, which allowed an attacker to overwrite arbitrary files on the system. Credits This issue was discovered by RACK911Labs.com. Solution This issue is resolved in the following builds: 11.50.0.27 11.48.4.6 11.46.3.8 SEC-39 Summary Arbitrary file append by updating an account's password. Security Rating cPanel has assigned this vulnerability a CVSSv2 score of 6.3 (AV:N/AC:M/Au:S/C:N/I:C/A:N) Description When updating an account's password, the .my.cnf file in a user's home directory will be updated with the accounts new password. The modification of the .my.cnf file was being performed with root privileges, which allowed an attacker to append this data to other sensitive files on the system. Credits This issue was discovered by RACK911Labs.com. Solution This issue is resolved in the following builds: 11.50.0.27 11.48.4.6 11.46.3.8 SEC-42 Summary Email sending limits not enforced in jailshell. Security Rating cPanel has assigned this vulnerability a CVSSv2 score of 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P) Description The email limits for an account are tracked using file in the /var/cpanel/email_send_limits directory. Inside a jailshell environment this directory was mounted read-only, preventing EXIM from enforcing the configured mail rate limits. Credits This issue was discovered by Matt Sheldon. Solution This issue is resolved in the following builds: 11.50.0.27 11.48.4.6 11.46.3.8 SEC-43 Summary ModSecurity rules not enforced on default virtualhost. Security Rating cPanel has assigned this vulnerability a CVSSv2 score of 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N) Description ModSecurity filtering is disabled for web traffic passed to the cPanel, WHM, and Webmail interfaces through proxydomains. The configuration directives used for this purpose incorrectly disabled ModSecurity filtering for all HTTP traffic directed at the server hostname or userdir URLs. Credits This issue was discovered by Alex Kwiecinski. Solution This issue is resolved in the following builds: 11.50.0.27 11.48.4.6 11.46.3.8 -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2 Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJVrqQBAAoJEJUhvtyr2U3fPOwQANI4W9e4MvxdP4RdRxmIVRBs OJg6KEsYhUMn9jyx9hcRB+e3E7HKtWYKMZamj57/kNVBc8JW0fUwntTeDe1AX8RU dOJVhGk89quYJ7fB2i6dSlxEI1yHiaV0GKm8Aqxl4nm8fUeEqJALyf2+yoOQk8Jn 1b0SMNWPjgPT7WLmQd04sxnRBQJv1m0iozOpZyxZ1rokoyWNT1rI79ME6+dPMk1d Qw1GkNoyfd8W0KDdjKqrV6P65Y9nlnE2+/hol9UPUBm4tbTLbZT/DX53xE5QQlFw ugQhuzFKsGyw96UfvtVy9xSngaugtN0ylrrIbRk+C88ionMCwDc/RQO9XjOJ8Yfl AoTdLKep5bPPtrgRdYZ6+nwZnWYXbgzu3g2LTGT+IAWj/qHgOv68obFORF04n3Q8 IgR61Y1LY+A6PwLzN2p/JngJiaUrmbhIWNhh2rD9Eben/gZeIGnMM5rSgyITBUCI OO5TT/Uek+Nt0aa7yHa+yUS7RGZVaJkHPR0YzjC+k+XxsOyMjAAAQ4GcGEZuElrb ieoN4c+E5af+03pNZTO+RT+VKiX0q9sS+b9VhdcRR2Bmjk0Bo9ybZAh/A7c+E90q tRwoDPYaeu5dTiw1oDnpg00dip4I970sAsZ6pDP6/zn1Us16q7qJz5JKDqyu2/uJ 9fpgdgK1mP1Wzf/5G7bv =wwQd -----END PGP SIGNATURE-----