cPanel TSR-2016-0003 Full Disclosure

SEC-58

Summary
SQLite journal allowed for arbitrary file overwrite during Horde Restore.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 6.6 (AV:N/AC:H/Au:S/C:C/I:C/A:N)

Description
During a Horde restore using the old-style CSV data files, the SQLite database was opened as the user. However, the actual writes were done as root, and SQLite does not open the journal file until these writes are made. This allowed the journal file to be opened as the root user, permitting arbitrary files to be overwritten.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.56.0.15
11.54.0.24
11.52.6.1
11.50.6.2

SEC-109

Summary
Demo account arbitrary code execution via ajax_maketext_syntax_util.pl.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)

Description
A Demo account user could execute code by passing certain maketext functions to the ajax_maketext_syntax_util.pl script. Demo accounts are now restricted from using the aforementioned script.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.56.0.15
11.54.0.24
11.52.6.1
11.50.6.2

SEC-110

Summary
Self-XSS vulnerability in Paper Lantern landing page.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

Description
The return_url parameter passed to the Paper Lantern landing page was not sufficiently encoded. This allowed an attacker to execute arbitrary code on the rendered page.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.56.0.15
11.54.0.24

SEC-112

Summary
Limited denial of service via /scripts/killpvhost.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:N/A:P)

Description
The killpvhost script did not adequately escape the passed domain name when matching it against entries in the ProFTPD configuration file. By removing an account whose name contains regular expression metacharacters, an attacker could also cause the removal of a targeted account's dedicated IP address FTP configuration.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.56.0.15
11.54.0.24
11.52.6.1
11.50.6.2

SEC-113

Summary
/scripts/addpop and /scripts/delpop exposed TTYs.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C)

Description
When running /scripts/addpop and /scripts/delpop, root's TTY could be leaked to an unprivileged user.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.56.0.15
11.54.0.24
11.52.6.1
11.50.6.2

SEC-114

Summary
/scripts/checkinfopages exposed TTY to unprivileged process.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C)

Description
When running /scripts/checkinfopages, root's TTY could be leaked to an unprivileged user.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.56.0.15
11.54.0.24
11.52.6.1
11.50.6.2

SEC-115

Summary
/scripts/maildir_converter exposed TTY to unprivileged process.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C)

Description
When running /scripts/maildir_converter, root's TTY could be leaked to an unprivileged user.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.56.0.15
11.54.0.24
11.52.6.1
11.50.6.2

SEC-116

Summary
/scripts/unsuspendacct exposed TTYs.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C)

Description
When running /scripts/unsuspendacct, root's TTY could be leaked to an unprivileged user.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.56.0.15
11.54.0.24
11.52.6.1
11.50.6.2

SEC-117

Summary
/scripts/enablefileprotect exposed TTYs.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C)

Description
When running /scripts/enablefileprotect, root's TTY could be leaked to an unprivileged user.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.56.0.15
11.54.0.24
11.52.6.1
11.50.6.2

SEC-118

Summary
Self-XSS in FTP account creation under addon domains.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

Description
Self-XSS existed in the FTP account creation section of the Addon Domain page due to unescaped HTML.

Credits
This issue was discovered by Saad Loukili.

Solution
This issue is resolved in the following builds:
11.56.0.15
11.54.0.24

SEC-119

Summary
Demo restriction breakout via show_template.stor.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)

Description
Inconsistencies in the way cpsrvd handled the document parameter allowed the show_template.stor script to be executed in an unexpected context. This allowed arbitrary code to be executed under demo accounts.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.56.0.15
11.54.0.24
11.52.6.1
11.50.6.2

SEC-120

Summary
Arbitrary file read for Webmail accounts via Branding APIs.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)

Description
The cPanel API 1 Branding calls did not adequately validate the brandingpkg argument. This allowed Webmail accounts to read arbitrary files under the owning cPanel account.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.56.0.15
11.54.0.24
11.52.6.1
11.50.6.2

SEC-121

Summary
Webmail account arbitrary code execution through forwarders.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)

Description
The cPanel API calls that allow modification of an account's email forwarding settings did not properly sanitize the provided forwarding options. This allowed Webmail accounts to inject shell commands into the forwarding system.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.56.0.15
11.54.0.24
11.52.6.1
11.50.6.2

SEC-122

Summary
SSL certificate not verified during license updates.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)

Description
The SSL certificate of the cPanel license server was not verified during license update requests.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.54.0.24

SEC-123

Summary
SQL injection via ModSecurity TailWatch log file.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)

Description
When generating SQL statements for the ModSecurity TailWatch log file (used in the case that mysqld is not able to communicate), the values inserted into the statement were not properly escaped when interpolated. This allowed arbitrary SQL to be injected into the file, which the admin of the server would then be prompted to run.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.56.0.15
11.54.0.24
11.52.6.1
11.50.6.2

SEC-124

Summary
Log file permissions not set correctly in dnsadmin-startup and spamd-startup.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)

Description
When creating new log files, dnsadmin-startup and spamd-startup opened them with default world-readable permissions. This could allow sensitive information to be leaked.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.56.0.15

SEC-125

Summary
User log files become world-readable when rotated by cpanellogd.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

Description
When rotating user log files, cpanellogd created the new empty files with world-readable permissions. This could allow an attacker to read sensitive information.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.56.0.15
11.54.0.24
11.52.6.1
11.50.6.2