-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 cPanel TSR-2017-0002 Full Disclosure SEC-208 Summary Addon domain conversion did not require a package for resellers. Security Rating cPanel has assigned this vulnerability a CVSSv3 score of 2.7 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L Description Previously, when you converted an addon domain to a normal account, it was not required that a reseller specify a package for the account creation. This allowed the reseller to use the system's "default" package that has no account limits. Now, an addon domain conversion requires that a reseller have and specify a valid package for the account. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds: 11.62.0.17 11.60.0.39 11.58.0.45 11.56.0.46 SEC-217 Summary Self XSS Vulnerability in WHM cPAddons 'showsecurity' interface. Security Rating cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N Description When accessing the WHM cPAddons 'showsecurity' interface, the 'addon' parameter was not adequately escaped during page output. This could allow for arbitrary code to be injected into the rendered page. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds: 11.62.0.17 11.60.0.39 11.58.0.45 11.56.0.46 SEC-218 Summary Arbitrary file read via WHM /styled/ URLs. Security Rating cPanel has assigned this vulnerability a CVSSv3 score of 6.0 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N Description WHM supports /styled/ URLs in order to allow for reseller interface customization and branding. It is possible for these URLs to load and display content from a reseller's home directory. These files were being loaded as the root user. This allowed for arbitrary files on the system to be read. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds: 11.62.0.17 11.60.0.39 SEC-219 Summary File overwrite when renaming an account. Security Rating cPanel has assigned this vulnerability a CVSSv3 score of 3.2 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N Description When renaming an account it was possible to manipulate the security policy directories within the user's home directory to overwrite certain files the user did not own. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds: 11.62.0.17 11.60.0.39 11.58.0.45 11.56.0.46 SEC-220 Summary Arbitrary code execution during account modification. Security Rating cPanel has assigned this vulnerability a CVSSv3 score of 8.2 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H Description When the primary domain of an account was changed in WHM's "Modify an Account" interface, the .htaccess file in the account's docroot was updated. This .htaccess update process included a syntax test, where it was possible for the cPanel user to execute arbitrary code as root. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds: 11.62.0.17 11.60.0.39 11.58.0.45 11.56.0.46 SEC-221 Summary Arbitrary code execution during automatic SSL installation. Security Rating cPanel has assigned this vulnerability a CVSSv3 score of 8.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Description During Autossl installation for user-controlled domains, the .htaccess file in the domain's docroot was updated to bypass redirects that would interfere with the domain validation process. This .htaccess update process included a syntax test, where it was possible for the cPanel user to execute arbitrary code as root. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds: 11.62.0.17 11.60.0.39 SEC-223 Summary Security policy questions were not transfered during account rename. Security Rating cPanel has assigned this vulnerability a CVSSv3 score of 2.6 CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N Description If an account had security questions set up, and that account was renamed, the questions were not transferred to the renamed account correctly. This allowed an attacker to set up their own security questions by logging into the target account after an account rename was performed. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds: 11.62.0.17 11.60.0.39 11.58.0.45 11.56.0.46 SEC-224 Summary cPHulk one day ban bypass when IP based protection enabled. Security Rating cPanel has assigned this vulnerability a CVSSv3 score of 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Description It was possible under certain settings to never trigger a one day ban when IP-based protection was also enabled. Now, IP addresses are properly one day banned when the specified threshold is reached. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds: 11.62.0.17 11.60.0.39 11.58.0.45 11.56.0.46 SEC-225 Summary Code execution as root via overlong document root path settings. Security Rating cPanel has assigned this vulnerability a CVSSv3 score of 8.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Description By specifying a document root path which exceed Apache's maximum configuration line length limit, it was possible for this excessive data to be interpreted as a new configuration directive. This could allow for an attacker to run arbitrary code as the root user. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds: 11.62.0.17 11.60.0.39 11.58.0.45 11.56.0.46 SEC-226 Summary Arbitrary file overwrite via WHM Zone Template editor. Security Rating cPanel has assigned this vulnerability a CVSSv3 score of 6.8 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N Description The WHM Zone Template editor interface did not properly validate the template filename when saving. This allowed resellers to overwrite arbitrary files on the system. Credits This issue was discovered by rack911labs.com. Solution This issue is resolved in the following builds: 11.62.0.17 11.60.0.39 11.58.0.45 11.56.0.46 SEC-227 Summary Expand list of reserved usernames. Security Rating cPanel has assigned this vulnerability a CVSSv3 score of 6.0 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N Description It was possible to create certain user accounts and then leverage the user's home directory to enable various exploits. These account names have been added to the reserved username list. Credits This issue was discovered by rack911labs.com. Solution This issue is resolved in the following builds: 11.62.0.17 11.60.0.39 11.58.0.45 11.56.0.46 SEC-228 Summary Adding parked domains to mail config did not respect domain ownership. Security Rating cPanel has assigned this vulnerability a CVSSv3 score of 2.4 CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N Description It was possible for a reseller to add parked domains, that they did not own, to the Exim mail configuration. A reseller must now own the parked domain to perform any action on it. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds: 11.62.0.17 11.60.0.39 11.58.0.45 11.56.0.46 SEC-229 Summary URL filtering flaw allowed access to restricted resources. Security Rating cPanel has assigned this vulnerability a CVSSv3 score of 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Description Due to faulty URL filtering, authenticated webmail accounts could access the PHPMyAdmin and PHPPGAdmin interfaces. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds: 11.62.0.17 11.60.0.39 11.58.0.45 11.56.0.46 SEC-232 Summary Demo code execution via Htaccess::setphppreference API. Security Rating cPanel has assigned this vulnerability a CVSSv3 score of 7.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L Description The Htaccess::setphppreference API call was not restricted for demo accounts and accepted arbitrary data to be written into the account's .htaccess file. This could allow for an attacker to execute arbitrary codeunder the demo account. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds: 11.62.0.17 11.60.0.39 11.58.0.45 11.56.0.46 SEC-233 Summary Arbitrary code execution for demo accounts via NVData_fetchinc API call. Security Rating cPanel has assigned this vulnerability a CVSSv3 score of 7.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L Description The NVData_fetchinc API call could accept an arbitrary filename to be included and processed by the cPanel engine. It was possible for an attacker to use this to execute arbitrary code under a demo account. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds: 11.62.0.17 11.60.0.39 11.58.0.45 11.56.0.46 -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org iQIcBAEBCgAGBQJY0ZEFAAoJEJUhvtyr2U3fmEIP/1F6z17BmVV0jjKX2u4qNv55 3fH7O4RJ0V1uv78FfDjHGNrHx7OVvTmPaTRuLEIqoqQVU11fvIqt8YDQ6HiPLWu5 Fp0JiPJJCZmNeu4SZVx7jg7jyoEUJQbnvy1kBdY3vdETwxi7+yQ1wwYZeHOAfm4Z FpblgdJb60tm9ZMkPtQic8H8cf2zef2Eeo1zoI7gH5Q08RmL0jTZonpShlML+3JL xeu8Htw4ManCCihUK/wnpfwB6teVdR8pkBt5oQEjE/INrB4Wxy6bRJz9qMgT5cso sanxcWKkjcPLthy4iFLXOBtWm7/frtOvg15xTKQlA3niajb6DMS4rh52an9xRpWn EaRQcXCDxCgIEgDyryS+7cMua04SF+BGqU+5zbCZizYEkpMadE6/vBl3lhqy+s6W OgI7yESL7fkc5uZpn7ZqYU39L4OgxqpPYN6VoMiNwbP0H2TT0rKPlqx4HijCy7oe hyy+EGUXC4xqJy22jwJuvs/Y9iFhNrh4GlMCSzmA6Dnjk/WUPBFJpis5bdhYqiy3 fjFMdD03m+U7Gb8abROwyWlqs8kD13MRa0H+7waxfMeC9ja0cXuhrJQQgWsIg1zr lLEjNOWq16Q/8KEbhcMo6garC+DEMqjvMQDaZx9cXjocbQ/pWSwrtDdQFhuCjeR3 Orf3pWet2V5knvDg5u27 =d7ks -----END PGP SIGNATURE-----