-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

cPanel TSR-2017-0001 Full Disclosure

SEC-196

Summary
Fixed password used for Munin MySQL test account.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)

Description
The Munin monitoring tool includes a plugin to check the status of the MySQL service. This plugin used a dedicated test MySQL user to provide this functionality. The password set for this user was identical to the username. In cPanel's current configuration of Munin, this MySQL user is no longer required and has been removed.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.62.0.4
11.60.0.35
11.58.0.43
11.56.0.43
11.54.0.36

SEC-197

Summary
Self-XSS in paper_lantern password change screen.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

Description
Certain form variables on the password change screen could be interpreted as javascript markup. This allowed an attacker to inject a malicious payload into the page.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.62.0.4
11.60.0.35
11.58.0.43
11.56.0.43
11.54.0.36

SEC-198

Summary
Reflected XSS in reset password interfaces.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Description
The user form variable on the password change screen could be interpreted as javascript markup. This allowed an attacker to inject a malicious payload into the page.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.62.0.4
11.60.0.35
11.58.0.43
11.56.0.43

SEC-199

Summary
Self-XSS in webmail Password and Security page.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

Description
Certain form variables on the webmail password and security page could be interpreted as javascript markup. This allowed an attacker to inject a malicious payload into the page.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.62.0.4
11.60.0.35
11.58.0.43
11.56.0.43
11.54.0.36

SEC-201

Summary
Arbitrary file read via Exim valiases.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 6.8 (AV:N/AC:L/Au:S/C:C/I:N/A:N)

Description
When processing the valiases for a user, Exim was running as the root user. By creating a valias that included other files, an attacker was able to read arbitrary files as the root user.

Credits
This issue was discovered by RACK911Labs.com.

Solution
This issue is resolved in the following builds:
11.62.0.4
11.60.0.35
11.58.0.43

SEC-204

Summary
Exim piped filters ran as wrong user when delivering to a system user.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)

Description
Piped commands executed by the central_user_filter were run as the nobody user. Now the filters are run as the system user's UID.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.62.0.4
11.60.0.35
11.58.0.43
11.56.0.43
11.54.0.36

SEC-205

Summary
Leech Protect did not protect certain directories.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Description
The Leech Protect system allows admins to detect unusual amounts of activity on password protected directories. This system was not functioning on directories with a two character name.

Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.62.0.4
11.60.0.35
11.58.0.43
11.56.0.43
11.54.0.36

SEC-206

Summary
Exim transports could be run as the nobody user.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)

Description
It was possible to run exim transports as the nobody user if the receiving email domain was removed during delivery. Transports will now run as the proper user even if the domain no longer exists.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.62.0.4
11.60.0.35
11.58.0.43
11.56.0.43
11.54.0.36

SEC-207

Summary
Improper ACL checks in xml-api for Rearrange Account.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

Description
Using the 'fetch_transfer_session_log' API, it was possible to fetch transfer information created by other resellers. This could reveal potentially sensitive information to an attacker.

Credits
This issue was discovered by RACK911Labs.com.

Solution
This issue is resolved in the following builds:
11.62.0.4
11.60.0.35
11.58.0.43
11.56.0.43
11.54.0.36

SEC-209

Summary
SSL certificate generation in WHM used an unreserved email address.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

Description
In WHM, if you generate a certificate using the "Generate an SSL Certificate and Signing Request" interface and select "When complete, email me the certificate, key, and CSR", it used "admin@" as the from address. The account name "admin" is not reserved in cPanel & WHM, so if this account was created, it would intercept any replies or bounces.

Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.62.0.4
11.60.0.35
11.58.0.43
11.56.0.43
11.54.0.36

SEC-210

Summary
Account ownership not enforced by has_mycnf_for_cpuser WHM API call.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

Description
The has_mycnf_for_cpuser WHM API call did not verify the caller's ownership of the specified account. This could allow for a limited amount of information about the user's MySQL configuration to be leaked.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.62.0.4
11.60.0.35
11.58.0.43
11.56.0.43
11.54.0.36

SEC-211

Summary
Stored XSS Vulnerability in WHM Account Suspension List interface.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)

Description
When viewing the WHM Account Suspension List with the 'nohtml' flag enabled, the response to the browser was sent with the 'Content-type' header set to 'test/html'. This caused text to be misinterpreted as html markup.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.62.0.4
11.60.0.35
11.58.0.43
11.56.0.43
11.54.0.36

SEC-212

Summary
Format string injection vulnerability in cgiemail.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Description
The ability to supply arbitrary format strings to cgiemail and cgiecho allowed code execution whenever a user was able to provide a cgiemail template file. Format strings in cgiemail templates are now restricted to simple %s, %U and %H sequences.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.60.0.35
11.58.0.43
11.56.0.43
11.54.0.36

SEC-213

Summary
WHM 'enqueue_transfer_item' API allowed resellers to queue non rearrange modules.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:N/A:P)

Description
The 'enqueue_transfer_item' API allowed resellers with the 'rearrange-accts' ACL to add items from arbitrary Whostmgr::Transfers::Session modules. This could have potentially allowed for a reseller with the 'rearrange-accts' ACL to initiate a remote transfer or perform other restricted operations.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.62.0.4
11.60.0.35
11.58.0.43
11.56.0.43

SEC-214

Summary
Open redirect vulnerability in cgiemail.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Description
The cgiemail and cgiecho binaries served as an open redirect due to their handling of the "success" and "failure" parameters. These redirects are now limited to the domain that handled the request.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.60.0.35
11.58.0.43
11.56.0.43
11.54.0.36

SEC-215

Summary
HTTP header injection vulnerability in cgiemail.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Description
Case SEC-215: The handling of redirects in cgiemail and cgiecho did not protect against the injection of additional HTTP headers. Newline characters are now stripped from the redirect location to protect against this.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.60.0.35
11.58.0.43
11.56.0.43
11.54.0.36

SEC-216

Summary
Reflected XSS vulnerability in cgiemail addendum handling.

Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Description
The "addendum" parameter was reflected without any escaping in success and error messages produced by cgiemail and cgiecho.
This output is now html escaped.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.60.0.35
11.58.0.43
11.56.0.43
11.54.0.36

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCgAGBQJYfnN+AAoJEJUhvtyr2U3fnRkP/A0MMtcuNTQPUi5ebXomBEkx
Dg9DNr1u+rW2XAnwPlg6I9s6xZ60IcfKwuErfA4NBUcji8hJqUR+1o7h9wIdZ7lC
7Tkzs9vJSX6IW5IA/hF+FBXYv4UmR7xzbS/RGLFY9zB7KduvF8/HO+VC9QsrI403
Civ0QCJ5HaukE9b1wZS7U+fZGHdYkXZKT+DUdYV/hQNddxbrkzmtDs9AoPXqfMOB
v5xQIzkJdKEydZ/WsXV/6924OLSF2mp+247/E1DRCrIluRE+UXmKttT8Y07xnMpG
R7AB0yk3IgwNiqOH4qpreU/kvPSWDINONq2uKsuFIb6szSJtdLqN/uPNy7YCVrKg
Q08aM9o2dDUjz6GQIsiTclRdVZ+hWHBYq2PgQn2ZRDxYVuTEZ3TuhHhc3tDfrMF4
bp4f1qWyo4fpuhsIFZqa9llqtVySJZBbh7z1SuE+aEmLG2iCgkRa/yFqt4z0vehq
LaFWIucwJSiK34YJB7Dg53iY5ipdVfQgAI8VjVwwxu1ehP58lEKxDilso4tipohW
2Tj6Mt8BzqfvoO+mTB/YoUvue/awgo6uew6mUuQQRtPSGRtuWZbADodjKWfdtrjQ
F3z6gBPZLPh2q8Ml/GPMfcwRlaZuJxrFxDS8ceYONxNjCHNmzSANGGh62ktE1zRn
KayRtoL1Rjtx9CGM+rRe
=nM0q
-----END PGP SIGNATURE-----
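The four cgiemail fixes in this advisory (SEC-212: template format strings restricted to %s, %U and %H; SEC-214: redirects limited to the domain that handled the request; SEC-215: newlines stripped from the redirect location; SEC-216: the addendum HTML-escaped before it is reflected) as one worked example of what the hardened input handling looks like. This is added illustration code, not cPanel's or cgiemail's own source (cgiemail is a C program; Python is used here for readability). Every function name, the template check, the sample inputs and the request host "www.example.com" are assumptions, and the redirect check goes slightly beyond the advisory text by also refusing other control characters and backslashes in the target.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# SEC-212: only bare %s, %U and %H may appear in a template (advisory wording).
# cgiemail's real template grammar is not reproduced; this check is an assumption
# about how a whitelist over printf-style sequences would be enforced.
ALLOWED_CONVERSIONS = frozenset("sUH")


def template_format_ok(template: str) -> bool:
    """Accept a template only if every '%' starts %s, %U, %H or a literal %%.

    Anything else (%n, %x, %10s, %.3s, a dangling '%') is refused, so a
    user-supplied template can never steer printf-style formatting.
    """
    i, n = 0, len(template)
    while i < n:
        if template[i] != "%":
            i += 1
            continue
        if i + 1 >= n:
            return False  # dangling '%' at the end of the template
        nxt = template[i + 1]
        if nxt == "%" or nxt in ALLOWED_CONVERSIONS:
            i += 2
            continue
        return False  # flags, width, precision or any other conversion
    return True


def safe_redirect_target(raw: str, request_host: str) -> Optional[str]:
    """Return a Location value confined to request_host, or None to refuse.

    SEC-215: CR and LF are stripped so the value cannot end the Location
    header and smuggle further headers in.  SEC-214: absolute and
    scheme-relative URLs are accepted only when their host is the one that
    served the form; relative paths are always local and pass through.
    """
    cleaned = raw.replace("\r", "").replace("\n", "")
    # Beyond the advisory: refuse any remaining control character, and a
    # backslash, which some browsers treat like '/' ("/\evil" -> "//evil").
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in cleaned) or "\\" in cleaned:
        return None
    parts = urlsplit(cleaned)
    if parts.scheme:
        # Only web schemes, and only with a host ("http:/x" has none).
        if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
            return None
    if parts.netloc:
        # urlsplit's hostname already discards userinfo and port, so
        # "http://www.example.com@attacker.example/" resolves to the attacker.
        allowed_host = request_host.split(":", 1)[0].lower()
        if (parts.hostname or "").lower() != allowed_host:
            return None
    return cleaned


def build_response(params: dict, request_host: str):
    """Headers and body for a processed form, as a (headers, body) pair.

    When the "success" target is refused, the response falls back to a
    local confirmation page instead of following the supplied URL.
    """
    target = safe_redirect_target(params.get("success", ""), request_host)
    if target is not None:
        return [("Status", "302 Found"), ("Location", target)], ""
    # SEC-216: the addendum is reflected into the page, so it is HTML-escaped
    # (quote=True also covers attribute contexts).
    addendum = html.escape(params.get("addendum", ""), quote=True)
    body = "<html><body><p>Your message was sent.</p><p>%s</p></body></html>" % addendum
    return [("Content-Type", "text/html")], body


if __name__ == "__main__":
    host = "www.example.com"  # constructed sample values throughout
    for tpl in ("Subject: %s\nFrom: %U\n", "Total: 100%%", "%n%n%n", "%10s"):
        print(repr(tpl), "->", "ok" if template_format_ok(tpl) else "REJECTED")
    for target in ("/thanks.html", "https://www.example.com/thanks",
                   "https://attacker.example/phish", "//attacker.example/",
                   "/thanks\r\nSet-Cookie: sid=x", "javascript:alert(1)"):
        print(repr(target), "->", repr(safe_redirect_target(target, host)))
    headers, body = build_response(
        {"success": "//attacker.example/", "addendum": "<script>alert(1)</script>"}, host)
    print(headers, body)
```

The template check is deliberately a whitelist: rather than blacklisting %n, it refuses every sequence the advisory does not name, so a width or precision prefix cannot smuggle a conversion past it. The redirect check likewise treats a relative path as the only unconditionally safe form and requires an explicit host match for everything else.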