cPanel TSR-2016-0001 Full Disclosure

SEC-46

Summary
Arbitrary code execution via unsafe @INC path.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)

Description
The Perl scripts that collectively make up the cPanel & WHM product were not uniformly filtering the current working directory '.' from Perl's module library load path (@INC). Under some circumstances, this allowed an attacker with the ability to modify the contents of the working directory to run arbitrary code as the user who executes the script.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.54.0.4
11.52.2.4
11.50.4.3
11.48.5.2

SEC-69

Summary
Limited arbitrary file modification during account modification.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)

Description
During account modification, file changes were performed as the root user inside the cPanel account's home directory. By creating a symbolic link in certain locations, an attacker was able to modify arbitrary files.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.52.2.4
11.50.4.3
11.48.5.2

SEC-70

Summary
Arbitrary file read via bin/fmq script.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.9 (AV:N/AC:H/Au:S/C:C/I:N/A:N)

Description
The bin/fmq script performed unsafe file operations within a user's home directory. By creating a symlink to an arbitrary file, an attacker was able to read otherwise inaccessible files.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.54.0.4
11.52.2.4
11.50.4.3
11.48.5.2

SEC-71

Summary
SQL injection vulnerability in bin/horde_update_usernames.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.6 (AV:N/AC:H/Au:S/C:P/I:P/A:N)

Description
The bin/horde_update_usernames script performed SQL queries without the adequate escaping of untrusted data. This allowed the injection of arbitrary SQL statements.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.54.0.4
11.52.2.4
11.50.4.3
11.48.5.2

SEC-72

Summary
Arbitrary code execution vulnerability during locale duplication.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C)

Description
During the execution of locale_duplicate.cgi, temporary files were created in an unsafe manner. By careful manipulation of the temporary files, an attacker could inject and execute arbitrary shell commands.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.54.0.4
11.52.2.4
11.50.4.3
11.48.5.2

SEC-73

Summary
Password hashes revealed by bin/mkvhostspasswd script.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

Description
The bin/mkvhostspasswd script creates a temporary working file while updating the passwd.vhosts file. The permissions on this temporary file were in an insecure state momentarily. This allowed an attacker to read the file's contents.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.54.0.4
11.52.2.4
11.50.4.3
11.48.5.2

SEC-74

Summary
Limited arbitrary file read in bin/setup_global_spam_filter.pl.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)

Description
The bin/setup_global_spam_filter.pl script performed unsafe file operations in the home directory of the cPanel accounts as the root user.
By manipulating the input files, an attacker was able to view the content of arbitrary files on the system.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.54.0.4
11.52.2.4
11.50.4.3
11.48.5.2

SEC-76

Summary
Code execution as shared users via JSON-API.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.9 (AV:N/AC:M/Au:S/C:P/I:P/A:N)

Description
The cPanel URL dispatch logic for JSON and XML API calls allowed cPanel and Webmail accounts to call API commands while running with the privileges of shared user accounts.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.54.0.4
11.52.2.4
11.50.4.3
11.48.5.2

SEC-77

Summary
Password hash revealed by chcpass script.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

Description
The scripts/chcpass script allowed the crypted form of a user's password stored in the /etc/shadow file to be updated. It took the crypted password as a command line argument, exposing this information to other users on the system. This code was not actively used by the cPanel & WHM product and has been removed.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.54.0.4
11.52.2.4
11.50.4.3
11.48.5.2

SEC-78

Summary
Arbitrary file overwrite in scripts/check_system_storable.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

Description
By default, the check_system_storable script created a predictable .tmp file in an insecure location. This allowed an attacker to overwrite arbitrary files on the system.

Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.4
11.52.2.4
11.50.4.3
11.48.5.2

SEC-79

Summary
Arbitrary file chown/chmod during Roundcube database conversions.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 5.9 (AV:A/AC:H/Au:S/C:C/I:C/A:N)

Description
During the MySQL to SQLite database conversion process for Roundcube, a chown and chmod were performed as the root user within a user-writable directory. This allowed an attacker to gain control of arbitrary files on the system.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.54.0.4
11.52.2.4
11.50.4.3
11.48.5.2

SEC-80

Summary
Arbitrary file read and write via scripts/fixmailboxpath.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 7.5 (AV:N/AC:L/Au:S/C:C/I:P/A:N)

Description
The fixmailboxpath script performed file read and write operations as root inside the cPanel users' home directories.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.54.0.4
11.52.2.4
11.50.4.3
11.48.5.2

SEC-81

Summary
Arbitrary file overwrite in scripts/quotacheck.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.9 (AV:N/AC:M/Au:S/C:P/I:P/A:N)

Description
The quotacheck script performed reads and writes of files in cPanel users' home directories while running as the root user. This allowed an attacker to overwrite arbitrary files on the system.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.54.0.4
11.52.2.4
11.50.4.3
11.48.5.2

SEC-82

Summary
Limited arbitrary file chmod in scripts/secureit.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

Description
During the cPanel installation process, the secureit script searches the /usr/ directory for setuid and setgid files.
After filtering this list, it removes the setuid and setgid bits from any remaining files. The filtering logic did not account for the world-writable ModSecurity audit log directory, which allowed an attacker to remove the setuid and setgid bits from arbitrary files or folders on the system.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.54.0.4
11.52.2.4
11.50.4.3
11.48.5.2

SEC-83

Summary
Arbitrary code execution via scripts/synccpaddonswithsqlhost.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)

Description
Unsafe file operations within a user's home directory in combination with a string eval allowed an attacker to execute arbitrary code as root when the synccpaddonswithsqlhost script was executed.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.54.0.4
11.52.2.4
11.50.4.3
11.48.5.2

SEC-84

Summary
Self-XSS in WHM PHP Configuration editor interface.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

Description
The SMTP field was not sufficiently escaped when displayed on the WHM PHP Configuration editor output in Advanced Mode.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.54.0.4
11.52.2.4
11.50.4.3
11.48.5.2

SEC-85

Summary
Missing ACL enforcement in AppConfig subsystem.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

Description
AppConfig did not perform proper ACL or feature list checks when a "user" was not specified or the "dynamic_user" functionality was used. In these circumstances a user could access the app regardless of any ACLs or feature requirements.

Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.4
11.52.2.4
11.50.4.3
11.48.5.2

SEC-86

Summary
Stored XSS in WHM Feature Manager interface.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)

Description
Package names were not sufficiently escaped when displayed on the WHM Feature Manager interface.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.54.0.4
11.52.2.4

SEC-87

Summary
Self-XSS in X3 Entropy Banner interface.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

Description
The "link" variable was not sufficiently escaped when displayed on the changelink.html page in the X3 Entropy Banner interfaces.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.54.0.4
11.52.2.4
11.50.4.3
11.48.5.2

SEC-91

Summary
Unauthenticated arbitrary code execution via cpsrvd.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Description
cPanel & WHM's internal web server, cpsrvd, did not correctly filter the request URI when processing incoming requests. Due to this, it was possible for an unauthenticated attacker to read arbitrary files and execute arbitrary scripts.

Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.54.0.4
11.52.2.4
11.50.4.3
11.48.5.2
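SEC-69, SEC-70, SEC-74, SEC-79, SEC-80 and SEC-81 share one root cause: a root-privileged script performs file operations inside a directory the account owner controls, so a planted symbolic link redirects the operation to any file on the system. The following Python is an added example, not cPanel's code, of the defensive pattern such a script needs: open the path one component at a time with O_NOFOLLOW and refuse anything not owned by the account. The function names (open_in_user_dir, UnsafePath, demo) and the home-directory layout with a "secret" stand-in file are constructed for the demonstration.

```python
import os
import tempfile


class UnsafePath(Exception):
    """'..' or a foreign-owned component under the user's directory."""


def open_in_user_dir(home, relpath, expected_uid, flags=os.O_RDONLY):
    """Open home/relpath without following a symlink at any component: each
    component is opened relative to the previous fd with O_NOFOLLOW (a planted
    symlink fails with ELOOP) and must be owned by expected_uid. Caller closes fd."""
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if ".." in parts:
        raise UnsafePath("traversal component in %r" % relpath)
    fd = os.open(home, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        for i, part in enumerate(parts):
            want = flags if i == len(parts) - 1 else os.O_RDONLY | os.O_DIRECTORY
            nfd = os.open(part, want | os.O_NOFOLLOW | os.O_CLOEXEC, dir_fd=fd)
            os.close(fd)
            fd = nfd
            if os.fstat(fd).st_uid != expected_uid:
                raise UnsafePath("%r not owned by uid %d" % (part, expected_uid))
        return fd
    except BaseException:
        os.close(fd)
        raise


def demo():
    """Constructed layout: a home dir with one real file and two planted symlinks."""
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as root:
        secret = os.path.join(root, "secret")  # stands in for /etc/shadow
        with open(secret, "w") as fh:
            fh.write("root:$6$constructed-hash\n")
        home = os.path.join(root, "home", "user")
        os.makedirs(os.path.join(home, "mail"))
        with open(os.path.join(home, "mail", "cur"), "w") as fh:
            fh.write("legit\n")
        os.symlink(secret, os.path.join(home, "mail", "evil"))  # file symlink
        os.symlink(root, os.path.join(home, "dirlink"))  # directory symlink
        results = {}
        for rel in ("mail/cur", "mail/evil", "dirlink/secret", "../secret"):
            try:
                fd = open_in_user_dir(home, rel, uid)
                with os.fdopen(fd) as fh:
                    results[rel] = fh.read().strip()
            except (UnsafePath, OSError):  # ELOOP/ENOTDIR from O_NOFOLLOW land here
                results[rel] = "refused"
        return results
```

Only the genuine file is readable; the file symlink, the directory symlink and the traversal attempt are all refused before any data is touched.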
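SEC-73 and SEC-78 are the two temporary-file mistakes in this advisory: a working file that is briefly readable by everyone, and a predictable .tmp name in a shared location that an attacker can pre-create or symlink. This added Python example (not cPanel's code) shows the replacement pattern: create an unpredictable, mode-0600 temp file with O_EXCL next to the target, write and fsync it, widen its mode through the descriptor, then rename it into place. The function names and the passwd.vhosts stand-in path are constructed for the demonstration.

```python
import os
import stat
import tempfile


def replace_file_atomically(path, data, mode=0o640):
    """Rewrite `path` with `data` with no window in which the content is readable
    by others and no chance that a pre-planted file or symlink redirects the write.
    Returns the mode the temp file had while being written, for inspection."""
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp(): random name, O_CREAT|O_EXCL (a pre-planted file or symlink of the
    # same name makes it fail instead of being reused) and mode 0600 from creation.
    # Placed beside the target, not in /tmp, so the final rename() stays atomic.
    fd, tmp = tempfile.mkstemp(prefix=".%s." % os.path.basename(path), dir=directory)
    try:
        mode_during_write = stat.S_IMODE(os.fstat(fd).st_mode)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fd)
            # Widen permissions only once the content is complete, and via the
            # descriptor rather than the path so a rename race cannot retarget it.
            os.fchmod(fd, mode)
        os.rename(tmp, path)  # readers see the old file or the new one, never a partial
    except BaseException:
        os.unlink(tmp)
        raise
    return mode_during_write


def demo():
    """Constructed scenario: a passwd.vhosts stand-in rewritten inside a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "passwd.vhosts")
        with open(target, "w") as fh:
            fh.write("old:$apr1$constructed-old\n")
        during = replace_file_atomically(target, b"user:$apr1$constructed-new\n")
        with open(target, "rb") as fh:
            content = fh.read()
        final = stat.S_IMODE(os.stat(target).st_mode)
        leftovers = [n for n in os.listdir(d) if n != "passwd.vhosts"]
        return {"during": during, "final": final, "content": content, "leftovers": leftovers}
```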