-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

cPanel TSR-2016-0006 Full Disclosure

SEC-158

Summary
Arbitrary file overwrite when account domain is modified.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 6.3
(AV:N/AC:M/Au:S/C:N/I:C/A:N)

Description
When an account's domain name is modified, changes to the .htaccess file
were performed as root. It was possible to take advantage of this in order
to overwrite arbitrary files.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.58.0.37
11.56.0.39
11.54.0.33

SEC-159

Summary
Stored XSS in WHM Repair Mailbox Permissions interface.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.5
(AV:N/AC:M/Au:S/C:N/I:P/A:N)

Description
The output of the mailperm script that repairs permissions of mailbox
related files did not properly escape file and directory names.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-160

Summary
Stored XSS Vulnerability in the WHM Manage cPAddons interface.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.5
(AV:N/AC:M/Au:S/C:N/I:P/A:N)

Description
The cpaddons_report.cgi script was not properly escaping output when
performing cPAddons management operations in WHM.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.58.0.37
11.56.0.39
11.54.0.33

SEC-161

Summary
File overwrite during preparation for MySQL upgrades.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.9
(AV:N/AC:H/Au:S/C:N/I:C/A:N)

Description
Before performing a MySQL upgrade, the existing my.cnf is checked and
updated with new values if needed. During this process it was possible for
an unprivileged user to overwrite existing files.
Now the handling of the my.cnf file is done in a secure directory to prevent
any tampering.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-162

Summary
Open redirect via /cgi-sys/FormMail-clone.cgi.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 5.8
(AV:N/AC:M/Au:N/C:P/I:P/A:N)

Description
There was an open redirect in the missing_fields_redirect parameter in
FormMail-clone.cgi.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-164

Summary
Arbitrary file overwrites when updating Roundcube.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 6.3
(AV:N/AC:M/Au:S/C:N/I:C/A:N)

Description
When updating Roundcube, file operations are performed in the user's home
directory as root. It was possible to take advantage of this in order to
overwrite arbitrary files.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-165

Summary
File create and chmod via ModSecurity Audit logfile processing.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.0
(AV:N/AC:L/Au:S/C:P/I:N/A:N)

Description
The archiving and removal of per-user ModSecurity audit records did not
verify that the user's directory was of the correct type and ownership.
This allowed creating files and changing the permissions of files as the
target user.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-168

Summary
Enforce feature list restrictions when calling the multilang adminbin.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 1.7
(AV:L/AC:L/Au:S/C:N/I:P/A:N)

Description
The multilang adminbin did not check if the calling user had the multilang
feature enabled.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-169

Summary
Arbitrary code execution for ACL limited resellers during account creation.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 7.1
(AV:N/AC:H/Au:S/C:C/I:C/A:C)

Description
A flaw in the new account creation process resulted in the Ruby 'gem'
command running with the effective UID of the newly created user and the
real UID of root. A malicious reseller account could leverage this flaw to
execute arbitrary Ruby code with root's UID during the account creation
process.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.58.0.37
11.56.0.39

SEC-171

Summary
Format string injection in exception message handling.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.6
(AV:N/AC:H/Au:S/C:P/I:P/A:P)

Description
The error messages generated by adminbin failures were passed through
Locale::Maketext multiple times. This caused user-supplied data to be used
as a format string.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.60.0.25

SEC-172

Summary
Self XSS Vulnerability in the tail_ea4_migration.cgi interface.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1
(AV:N/AC:H/Au:S/C:N/I:P/A:N)

Description
The error output in the interface of the EasyApache 4 migration log in WHM
was not properly encoded. This allowed an attacker to execute arbitrary
code on the rendered page.

Credits
This issue was discovered by the cPanel Security Team.

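Worked example for the Locale::Maketext format-string issue described in
SEC-171 above (SEC-188 and SEC-191 later in this advisory are the same
pattern). This is an added illustration, not cPanel's code: it assumes a
minimal language class with _AUTO enabled, which is what makes an unknown
key compile as a bracket-notation template, and the file name and error
text it uses are constructed.

```perl
#!/usr/bin/perl
# Added example (not cPanel code): user-controlled text must never be the
# Locale::Maketext template, only a [_N] argument. Assumes the stock
# Locale::Maketext that ships with core Perl.
use strict;
use warnings;

package MyApp::L10N;
use parent 'Locale::Maketext';

package MyApp::L10N::en;
use parent -norequire, 'MyApp::L10N';
# _AUTO => 1 makes maketext() compile any key it has not seen before as a
# bracket-notation template. Convenient for developers, and exactly what
# turns a caller-supplied string into a format string.
our %Lexicon = ( _AUTO => 1 );

package main;

my $lh = MyApp::L10N->get_handle('en') or die "no language handle\n";

# Constructed sample: a file name chosen by an unprivileged user (it
# contains bracket notation) and an OS error text.
my $user_file = 'report[_1].txt';
my $os_error  = 'Permission denied';

# Vulnerable pattern: the untrusted file name is interpolated into the
# template string, so Maketext parses its brackets as directives. The
# [_1] inside the file name is expanded to the error text.
sub error_message_unsafe {
    my ($file, $err) = @_;
    return $lh->maketext("Could not open $file: [_1]", $err);
}

# Fixed pattern: the template is a developer-written constant and every
# piece of untrusted data travels as a positional argument. Arguments are
# inserted verbatim; bracket characters inside them are never interpreted.
sub error_message_safe {
    my ($file, $err) = @_;
    return $lh->maketext('Could not open [_1]: [_2]', $file, $err);
}

print "unsafe: ", error_message_unsafe($user_file, $os_error), "\n";
print "safe:   ", error_message_safe($user_file, $os_error), "\n";
```

Run as a script, the unsafe variant shows the bracket group inside the file
name consumed by the template engine, while the safe variant prints the
file name exactly as supplied. The rule the three entries share is that
whatever reaches maketext() as its first argument must be a constant; any
error text that has already been through maketext() once must not be fed
back in as a key.
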
Solution
This issue is resolved in the following builds:
11.60.0.25

SEC-173

Summary
Arbitrary file chown via reassign_post_terminate_cruft.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.9
(AV:N/AC:H/Au:S/C:C/I:N/A:N)

Description
The reassign_post_terminate_cruft script did not adequately prevent changes
being made to directories it is operating on. This allowed an attacker to
change the ownership of an arbitrary file.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-174

Summary
Stored XSS in homedir removal during WHM Account termination.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.5
(AV:N/AC:M/Au:S/C:N/I:P/A:N)

Description
During account termination within WHM, the error output during home
directory removal was not encoded correctly.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-175

Summary
Stored XSS in MySQL database names during WHM Account termination.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.5
(AV:N/AC:M/Au:S/C:N/I:P/A:N)

Description
The output of MySQL database names was not properly escaped during the
account termination process.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.58.0.37
11.56.0.39
11.54.0.33

SEC-176

Summary
Stored XSS in perlinstaller directory removal in WHM Account Termination.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1
(AV:N/AC:H/Au:S/C:N/I:P/A:N)

Description
During account termination within WHM, the error output during the
perlinstaller directory removal was not encoded correctly.

Credits
This issue was discovered by the cPanel Security Team.

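Worked example for the output-encoding failures behind the stored and
self-XSS entries in this advisory (SEC-159, SEC-160, SEC-172 and SEC-174
through SEC-176 above; SEC-177 through SEC-184 below are the same class).
This is an added illustration, not cPanel's code: a file, directory or
database name that an account holder chooses is rendered once without
encoding and once through an HTML escape. It assumes core Perl only, and
the two names are constructed.

```perl
#!/usr/bin/perl
# Added example (not cPanel code): names an account holder controls must be
# HTML-encoded at the point they are written into a page.
use strict;
use warnings;

# Encode the five characters that matter in HTML text and in double- or
# single-quoted attribute values. Encoding on output rather than on input
# keeps a name like O'Brien intact in storage while rendering it safely.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Vulnerable rendering: names are interpolated straight into markup, the
# pattern behind the unescaped file, directory and database names in the
# entries above. Anything in the name that looks like HTML is HTML.
sub render_list_unsafe {
    my @names = @_;
    my $html = "<ul>\n";
    $html .= "  <li>$_</li>\n" for @names;
    return $html . "</ul>\n";
}

# Fixed rendering: every untrusted value passes through html_escape, both
# in text content and in attribute position.
sub render_list_safe {
    my @names = @_;
    my $html = "<ul>\n";
    for my $name (@names) {
        my $e = html_escape($name);
        $html .= "  <li title=\"$e\">$e</li>\n";
    }
    return $html . "</ul>\n";
}

# Constructed sample: one ordinary database name and one that carries
# markup, as a user could create through any interface that accepts a
# free-form name.
my @names = ('shop_prod', 'x<script>alert(1)</script>');

print "-- unsafe --\n", render_list_unsafe(@names);
print "-- safe --\n",   render_list_safe(@names);
```

The unsafe output contains a live script element; the safe output shows the
same name as inert text. The same escape belongs on error messages that
echo a path or name (SEC-172, SEC-174, SEC-176), since those are rendered
into the page exactly like list entries.
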
Solution
This issue is resolved in the following builds:
11.58.0.37
11.56.0.39
11.54.0.33

SEC-177

Summary
Self-XSS Vulnerability in WHM Tweak Settings for autodiscover_host.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1
(AV:N/AC:H/Au:S/C:N/I:P/A:N)

Description
The WHM Tweak Settings interface for the autodiscover_host configuration
value can produce an error message that was not adequately encoded. This
could allow an attacker to execute arbitrary code on the rendered page.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-178

Summary
Self-Stored XSS Vulnerability in listftpstable API.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1
(AV:N/AC:H/Au:S/C:N/I:P/A:N)

Description
The listftpstable API call did not adequately encode the FTP account's
home directory. This allowed an attacker to inject arbitrary code into the
rendered page.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-179

Summary
Stored XSS in api1_listautoresponders.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.5
(AV:N/AC:M/Au:S/C:N/I:P/A:N)

Description
In custom themes, a call to api1_listautoresponders could produce output
provided by an attacker via Webmail to the cPanel user that was not
properly encoded.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-180

Summary
Self-XSS Vulnerability in UI_confirm API.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1
(AV:N/AC:H/Au:S/C:P/I:N/A:N)

Description
The UI_confirm API call did not adequately encode form element names.
This allowed an attacker to inject arbitrary code into the rendered page.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-181

Summary
Self-Stored XSS in postgres API1 listdbs.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1
(AV:N/AC:H/Au:S/C:N/I:P/A:N)

Description
Database names were not properly HTML encoded when listed by the Postgres
listdbs api1 call.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-182

Summary
Self-Stored XSS in SSL_listkeys.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1
(AV:N/AC:H/Au:S/C:N/I:P/A:N)

Description
In a deprecated API1 call to list SSL keys, content could be printed that
was not properly encoded.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-184

Summary
Self-XSS in alias upload interface.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1
(AV:N/AC:H/Au:S/C:P/I:N/A:N)

Description
An improperly named alias backup file uploaded to cPanel could produce an
error message that was not properly encoded.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-185

Summary
Sensitive file contents revealed during file copy operations.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1
(AV:N/AC:H/Au:S/C:P/I:N/A:N)

Description
The Cpanel::FileUtils::Copy::safecopy() function did not preserve the
source file's permissions during copy operations. This allowed other users
to read sensitive files while the file copy was taking place.
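Worked example for the privileged file operations in user-controlled
directories behind SEC-158, SEC-161, SEC-164, SEC-165 and SEC-173 above.
This is an added illustration, not cPanel's code. It checks the directory
with lstat for type and ownership (the check SEC-165 says was missing),
forks and drops to the user's uid and gid before opening the file when run
as root, and opens the file with O_NOFOLLOW and a restrictive mode from the
start, so the file never exists with wider permissions than intended (the
point of SEC-185). It assumes core Perl on Linux; the directory and file
names in the demonstration are constructed in a temporary directory.

```perl
#!/usr/bin/perl
# Added example (not cPanel code): a root process touching a directory that
# an unprivileged user controls. Assumes core Perl on Linux (O_NOFOLLOW).
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_TRUNC O_NOFOLLOW);
use File::Temp qw(tempdir);
use POSIX ();

# Refuse to operate unless the path is a real directory (not a symlink)
# owned by the expected uid. lstat rather than stat, so that a symlink
# planted at this path is reported as a symlink, not as its target.
sub assert_owned_dir {
    my ($path, $uid) = @_;
    my @st = lstat $path or die "lstat $path: $!\n";
    die "$path is a symlink\n"                          if -l _;
    die "$path is not a directory\n"                    unless -d _;
    die "$path is owned by uid $st[4], expected $uid\n" unless $st[4] == $uid;
    return 1;
}

# Create or overwrite $name inside a user-owned directory. If the caller is
# root, a forked child drops to the user's uid/gid before opening the file,
# so a symlink anywhere below the directory can reach only files that user
# could already write. O_NOFOLLOW also refuses a symlink at the final path
# component, and mode 0600 means the file is never world-readable, not even
# briefly. Returns true on success.
sub write_in_user_dir {
    my ($dir, $uid, $gid, $name, $content) = @_;
    assert_owned_dir($dir, $uid);
    die "refusing file name '$name'\n" if $name =~ m{/} || $name =~ /^\.\.?$/;

    my $pid = fork();
    die "fork: $!\n" unless defined $pid;
    if ($pid == 0) {
        if ($< == 0) {
            $) = "$gid $gid";         # effective gid and supplementary groups
            POSIX::setgid($gid);      # real, effective and saved gid
            POSIX::setuid($uid);      # real, effective and saved uid
            POSIX::_exit(70) unless $< == $uid && $> == $uid;
        }
        my $fh;
        my $ok = sysopen($fh, "$dir/$name",
                         O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600)
              && print({$fh} $content)
              && close($fh);
        POSIX::_exit($ok ? 0 : 1);    # _exit: skip the parent's END blocks
    }
    waitpid($pid, 0);
    return $? == 0;
}

# Demonstration on a throwaway directory owned by the current user.
unless (caller) {
    my $dir = tempdir(CLEANUP => 1);
    my ($uid, $gid) = (stat $dir)[4, 5];

    print "plain file: ",
        (write_in_user_dir($dir, $uid, $gid, 'my.cnf', "[mysqld]\n") ? "written" : "refused"), "\n";

    # A symlink where a directory is expected is rejected before any I/O.
    symlink('/etc', "$dir/link") or die "symlink: $!\n";
    eval { assert_owned_dir("$dir/link", $uid) };
    print "symlinked dir: $@";

    # A symlink at the final path component is rejected by O_NOFOLLOW.
    symlink('/etc/hostname', "$dir/target") or die "symlink: $!\n";
    print "symlinked file: ",
        (write_in_user_dir($dir, $uid, $gid, 'target', "x\n") ? "written" : "refused"), "\n";
}
```

Run unprivileged, the privilege drop is skipped and the two symlink cases
still show up as refused; run as root, the child additionally performs the
write with the user's own credentials, which is the property the five
entries lacked. The chown case (SEC-173) follows the same shape: perform
the ownership change inside the dropped-privilege child, or on a file
descriptor obtained with O_NOFOLLOW, never on a path that the user can
re-point between the check and the operation.
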
Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-186

Summary
Apache SSL keys readable by the nobody group.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.5
(AV:N/AC:M/Au:S/C:P/I:N/A:N)

Description
Apache SSL private key files were readable by the nobody group. This
allowed unprivileged users to read the keys under certain Apache
configurations.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-187

Summary
Host Access Control improperly handles action-less host.deny entries.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.6
(AV:N/AC:H/Au:S/C:P/I:P/A:N)

Description
Manually added entries to /etc/hosts.deny without an action specified were
converted to an allow action when the Host Access Control page in WHM was
used.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-188

Summary
Arbitrary code execution via Maketext in PostgreSQL adminbin.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 7.1
(AV:N/AC:H/Au:S/C:C/I:C/A:C)

Description
In an error condition, the PostgreSQL adminbin passed user controlled text
as part of a Locale::Maketext format string. By triggering an error in an
SQL query used by the adminbin, it was possible to execute arbitrary code
as root.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-191

Summary
Code execution via cpsrvd 403 response handler.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.6
(AV:N/AC:H/Au:S/C:P/I:P/A:P)

Description
In some error conditions, cpsrvd used the requested filename in a
Locale::Maketext format string while generating 403 responses.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-192

Summary
HTTP POST to listinput.cpanel.net does not use TLS.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.6
(AV:N/AC:H/Au:N/C:P/I:N/A:N)

Description
subscribe_to_mailing_list did not use HTTPS, which could have allowed the
leaking of email addresses.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCgAGBQJYNJ3VAAoJEJUhvtyr2U3focYQANP2KleP1eF8O3PN/3nwyH55
h6jDE3pnTF6VYquUGb5zvBQ19zilASNvpvoj43cffuNWyJBIXmJLp0f+7bUqwsaE
PNjVpOZAJrOjVdJ2FbkLYFSJ+Wl9mFhamaH2pq/yvfmthGl7lM0am9Ouy7vtwt6v
aFPL9GKGA3o5K0C1vODwdFVwgrAxqQ/NME1nzTx6DMgS4ZPIC8ZVrlze5IlBTJpc
eu5c1KPAv01//o1W0ohJ4PdWOcrjKhhtJOhJaJJ05XHkekgKvsSd+yDQUlxVpIcM
KgSnD1d8BsPjrD5jexTRbAo4HayUKzeuk5vXbDCw+RkKeEXZeMmAV8nXKZ8cs1/v
yXQywaLvHMoa7G2fNe0siNX7YEiXHXn2ej8K6jGf+zSs6qaNEA6ZS9K08q7hsA6M
3rvRemqUr6d4pXofas1lZz5eHa9cbHoRUJW1rqn0pjsGUjhZ0ESYsMwPhqAIIE+8
UvJjAM9dl6r883CofgXMGN7wy4Z2z7XkNxg1SV3EWyN0rXT+xSXQzk6NOvwG17PC
J43rAv2tRiKtrEhAMc24nRU2VUoD8NWWlWk4q/+2lSl7J2UhHqEKjxfb9ABzaSoJ
CAGiitUz1aMrSMEsYWvRA7gabdfdUg/QSWB0wX8vXmG72yPHNKAUFgkA/cD/U7s2
mcRLgjXzN5MaxqpglRPl
=KxpG
-----END PGP SIGNATURE-----