-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

cPanel TSR-2016-0004 Full Disclosure

SEC-130

Summary
Apache log files start with loose permissions.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:L/AC:L/Au:S/C:P/I:N/A:N)

Description
The Apache domlogs were originally created with loose permissions.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.58.0.4
11.56.0.27
11.54.0.26
11.52.6.2

SEC-133

Summary
WHM 'Purchase and Install an SSL Certificate' page lists all server domains.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)

Description
Under the WHM 'Purchase and Install an SSL Certificate' page, resellers could view all domains present on the server, rather than just those that they own. This could be used for domain name enumeration.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.58.0.4
11.56.0.27

SEC-134

Summary
File ownership change to 'nobody' via rearrangeacct.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.6 (AV:N/AC:H/Au:S/C:P/I:P/A:N)

Description
The method used to re-assign ownership of files to the 'nobody' user in rearrangeacct was subject to a time-of-check/time-of-use vulnerability. It was possible for an attacker to take limited advantage of this to cause the ownership of a file to be assigned to the 'nobody' user.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.58.0.4
11.56.0.27

SEC-137

Summary
Set the pear tmp directory during php install.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 1.0 (AV:L/AC:H/Au:S/C:N/I:P/A:N)

Description
When pear is installed, the default tmp directory was under /tmp. Other RPMs use pear and write predictable tmp files. The tmp directory was moved to /root to prevent anyone from tampering with these files.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.58.0.4
11.56.0.27
11.54.0.26
11.52.6.2

SEC-138

Summary
Demo mode breakout via Site Templates and Boxtrapper API calls.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Description
Using a combination of the Site Templates and Boxtrapper API calls, it was possible to create a PHP file and have it placed in the account's home directory. This allowed an attacker to break out of a demo mode account.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.58.0.4
11.56.0.27

SEC-139

Summary
Improper session handling for shared users.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)

Description
The session storage location for the shared PHP web applications that run under cpsrvd was misconfigured. This allowed certain types of PHP object injection attacks.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.58.0.4
11.56.0.27
11.54.0.26

SEC-142

Summary
Code execution as other user accounts through the PHP CGI handler.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)

Description
Under some configurations the CGI PHP handler would execute PHP scripts as the wrong user and group.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.58.0.4
11.56.0.27
11.54.0.26
11.52.6.2
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCgAGBQJXjnNQAAoJEJUhvtyr2U3fdXMP/RoUf++8RujcJNkyu3DUJI2a
DSO12wuvkNSyXLzThh7z3AzBKAXr2HhM6KJM19+41QKGLURwI8M8bk+tDdFCdqXS
6H4LNTCQLM16jOdppuq4ZGMw6GZ3TA9BFAu7VJ5bhq0fpkxtAizP4Ma6zy4Z0O5u
rqpBPduHfER8Rl29nJS/TJzfIjQ6jySJm9dMXGLvn3o9hf/ajy06czs9VPIRbl4D
nfroRNE2dwkB66q+Wtx7k9Xvt8OsTFpkgNYdc9EZiR62kICnu+en1AI5riWL82+9
gyV+948sR3R4zlpGR+AvMN24Tl/qk0kP7s4yMFTOyNYye+q8HVcvFcZSbSMRKQwP
Y+yq7RWA0XMgsObTmT0WqCAjztyQDVzYvdnjPlysVBSqKdqFliUoVRUSu15OBry5
maC6Ug8DLMAWmdq48WqaC47KA+y8CPexLau5OWBmShSr5HqVYj3hxbHqa8P7CBrN
FAToxH6YTgU9Fv8mAJA1l2xc7NxO9SfpI1d/lCc9Lun2mVJWXMggqJ9tgWUiGUgx
G/+yqjCDnG9ZXjOrdREKbI4tsDzIN9ravRm+9nvcDG2i/SWkkH5OA9qo/mN+968q
aecxpGWbPqeHTQgjrHjL27otuchSHVx/FrZIxdVXmJ1YHj4Os3PzDKLNQD4LcwAX
Jcg77LqycLJKN4FFJ4ka
=udDs
-----END PGP SIGNATURE-----
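Editor's illustration, appended after the signed advisory so the signed text above stays untouched. It is not cPanel code and does not reproduce the rearrangeacct or domlog logic; it shows, in Python, the two file-handling patterns that SEC-130 and SEC-134 describe going wrong: a log file that is created with a tight mode from the first instant rather than being chmod'ed later, and an ownership change that operates on an open descriptor instead of a path, so there is no stat-then-chown window for an attacker to swap the path. All function names, the 0640 mode and the sample paths are this example's own assumptions.

```python
"""Creating files with tight permissions and changing ownership without a
TOCTOU window.  Added example, not cPanel's own code; function names are
hypothetical."""
import os
import stat


def create_log_file(path: str, mode: int = 0o640) -> int:
    """Create (or open) a log file so it never exists with loose permissions.

    The mode is passed to os.open, so the kernel applies it at creation
    time; the umask can only narrow it, never widen it.  For a file that
    already exists, the mode is tightened with fchmod on the open
    descriptor rather than chmod on the path.  Returns the final
    permission bits of the file actually opened.
    """
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(path, flags, mode)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise OSError(f"{path} is not a regular file")
        if stat.S_IMODE(st.st_mode) != mode:
            os.fchmod(fd, mode)  # tighten a pre-existing loose file
        return stat.S_IMODE(os.fstat(fd).st_mode)
    finally:
        os.close(fd)


def change_owner_safely(path: str, uid: int, gid: int, expected_uid: int) -> tuple:
    """Reassign ownership without a check-then-act race.

    The racy pattern is stat(path) followed by chown(path): between the
    two calls the name can be re-pointed at another file.  Here the file
    is opened exactly once (refusing symlinks), the open descriptor is
    inspected, and fchown acts on that same inode.  The ownership check
    against expected_uid is what stops the call from being turned against
    a file the caller never meant to touch.  Returns (uid, gid) after the
    change.
    """
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NOCTTY)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise OSError(f"refusing: {path} is not a regular file")
        if st.st_uid != expected_uid:
            raise PermissionError(
                f"refusing: {path} is owned by uid {st.st_uid}, expected {expected_uid}"
            )
        os.fchown(fd, uid, gid)
        st = os.fstat(fd)
        return st.st_uid, st.st_gid
    finally:
        os.close(fd)


if __name__ == "__main__":
    import tempfile

    # Constructed sample: a throwaway directory standing in for a domlog dir.
    workdir = tempfile.mkdtemp()
    log = os.path.join(workdir, "example.com")
    print("created with mode", oct(create_log_file(log)))
    me, my_group = os.getuid(), os.getgid()
    print("owner after safe chown:", change_owner_safely(log, me, my_group, me))
```

The symlink refusal comes from O_NOFOLLOW: opening a link raises an error instead of silently following it, which is the case a path-based chown cannot distinguish. For code that runs as root over user-writable directories, the remaining gap is the directory components themselves; closing it means opening the directory first and using the dir_fd argument of os.open for each component, which this example leaves out for brevity.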