cPanel TSR-2017-0003 Full Disclosure

SEC-234

Summary
Horde MySQL to SQLite conversion can leak database password.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.2
CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Description
If the Horde MySQL to SQLite conversion script required a password reset on the MySQL database, the new password was passed to the reset script as a command line argument. This password was visible to possible attackers in a `ps` process listing.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-236

Summary
Code execution for webmail and demo accounts with the store_filter API call.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 6.3
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Description
Webmail and demo accounts are normally not allowed to perform code execution on a system. It was possible to circumvent this protection using the store_filter API call.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-237

Summary
Code execution as root via SET_VHOST_LANG_PACKAGE multilang adminbin call.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.8
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description
The SET_VHOST_LANG_PACKAGE command of the multilang adminbin did not adequately validate the package parameter passed to it. An attacker could pass in an arbitrary PHP package value, which allowed arbitrary code to run as the root user.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-238

Summary
Demo account code execution with BoxTrapper API.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.6
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Description
It was possible to use the BoxTrapper API as a demo user to upload files and execute them. The BoxTrapper API now forbids use by demo users.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-239

Summary
Demo account file read vulnerability in Fileman::getfileactions API2 call.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.5
CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description
The Fileman::getfileactions API2 call allowed demo account users to read the contents of arbitrary files on the system.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-240

Summary
Webmail account arbitrary code execution via forwarders.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.4
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Description
The cPanel API calls that allow modification of an account's email forwarding settings did not properly sanitize the forwarding options that were provided. This allowed webmail accounts to inject shell commands into the forwarding system.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-241

Summary
Webmail arbitrary file write with addforward API call.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Description
A webmail user could use the addforward API1 call to set up an email forwarder to a file. This would allow the webmail user to write to any file location owned by the cPanel account. Now, webmail users can only add forwarders to valid email addresses.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
56.0.49

SEC-242

Summary
Demo account code execution through Encoding API calls.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Description
The Encoding API calls relied on the guess_file_encoding script to determine the character encoding of the specified file. This script was vulnerable to XML External Entity attacks that could be escalated to full code execution with some inputs.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-243

Summary
Demo account code execution via ImageManager_dimensions API call.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Description
The ImageManager_dimensions API call invokes the ImageMagick identify utility. Due to possible vulnerabilities within the ImageMagick utilities, this could have been used to execute arbitrary code under a demo account.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-244

Summary
Demo users have access to traceroute via api2.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.3
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description
The traceroute api2 call was available to demo users, but the api1 traceroute call was blocked for those same users. Now, both the api1 and api2 calls function in similar ways and block execution by demo users.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-245

Summary
Demo accounts able to redirect web traffic.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.0
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

Description
The API1 commands to redirect website traffic to parked domains did not implement Demo mode restrictions correctly.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-246

Summary
Cpanel::SPFUI API commands are available to demo accounts.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Description
The Cpanel::SPFUI API commands were available to demo accounts. It was possible to use these API commands to change the SPF records for a demo domain. This allowed an attacker to send email for the domain from an external system.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-247

Summary
Demo and suspended accounts allowed to port-forward via SSH.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.0
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

Description
The shell configuration for Demo and Suspended accounts allowed traffic to be forwarded through SSH. This has been addressed by adding these accounts to the "cpanelsuspended" and "cpaneldemo" groups, and explicitly blocking these groups in the sshd_config file.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-248

Summary
Cpanel SSH API commands are allowed for Demo accounts.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Description
The Cpanel SSH API commands were allowed for demo accounts. This allowed demo users to generate, upload, and authorize SSH keys. This also allowed changes to be made to the filesystem and could enable further attacks.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-249

Summary
Demo restrictions not enforced in SSL API calls.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.3
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Description
The cPanel API1, API2 and UAPI calls for SSL operations in cPanel did not enforce demo mode restrictions correctly. This allowed demo accounts to modify the demo domain's SSL configuration.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-250

Summary
File read and write for demo accounts in SourceIPCheck API.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 6.5
(AV:N/AC:L/Au:S/C:P/I:P/A:P)

Description
It was possible to use the SourceIPCheck API calls to read and write files that the targeted demo account could access. Now, most SourceIPCheck API calls are no longer available to demo users.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-251

Summary
Code execution for Demo accounts via ClamScanner_getsocket API.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Description
The ClamScanner_getsocket API command takes the location of the clamd binary as an argument. This is used as part of a shell command to find the current clamd socket file. It was possible to inject arbitrary shell commands into this argument, allowing arbitrary code execution under Demo accounts.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-252

Summary
Limited file read via Serverinfo_manpage API call.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.7
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Description
The Serverinfo_manpage API call accepts a parameter to select the displayed manpage. This parameter was vulnerable to a path traversal attack, which potentially allowed an attacker to read some files on the calling account.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-254

Summary
Limited file rename as root via scripts/convert_roundcube_mysql2sqlite.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.4
CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

Description
The scripts/convert_roundcube_mysql2sqlite script calls out to shell commands via the system() function while in a reduced privileges state. If a user's email virtual name contained special characters, the command would be invoked via the system shell. This would restore root privileges and invoke the command as root. This allowed an attacker to rename files and/or copy them into a user accessible location.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-255

Summary
Limited file chmod in /scripts/convert_roundcube_mysql2sqlite.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.5
AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Description
During the Roundcube SQLite conversion process, it was possible to chmod a limited set of files with elevated privileges by taking advantage of a race condition.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-257

Summary
User crontab publicly visible during cPAddon upgrades.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.7
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Description
The functionality for adding and removing cron jobs for cPAddons exposed the user's crontab by placing a copy in the user's public Apache docroot.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-259

Summary
Code execution via Rails configuration files.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 8.2
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Description
The Ruby on Rails settings for an account were stored in the account's userdata directory in a way that would conflict with identically named domains. This could be abused to inject arbitrary configuration data into the Apache configuration file.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-260

Summary
Supplemental groups lost during account renames.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.4
CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N

Description
During account modifications, the supplemental groups a user belonged to were not updated to reflect a changed user name. This could potentially leak access to sensitive groups to subsequent accounts created with the same username.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
64.0.21
62.0.24
60.0.43
58.0.49
56.0.49

SEC-262

Summary
Stored XSS in WHM cPAddons install interface.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.2
AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N

Description
When installing a cPAddon, if the installation of the cron jobs failed, the interface did not HTML encode the resulting error message. This could allow arbitrary code to be injected into the rendered page.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
62.0.24
60.0.43
58.0.49
56.0.49
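Two of the issues above share a root cause in how a privileged helper is invoked: SEC-234 placed a secret in a child's argv, where `ps` shows it to every local user, and SEC-254 (like SEC-240 and SEC-251) let attacker-influenced text reach a shell because the command was handed to system() as a single string. The following is an added example, not cPanel code, showing the two defensive patterns in Python: pass secrets over stdin, and use list-form invocation with an allow-list so no shell parses the value (Perl's list-form system() has the same property). The child scripts, sample password and sample mailbox name are constructed stand-ins.

```python
import re
import subprocess
import sys

# Constructed sample values; nothing here is taken from the advisory.
DB_PASSWORD = "constructed-db-password-42"
HOSTILE_VNAME = "alice@example.com; echo injected"   # carries shell metacharacters

# Stand-ins for the privileged helper scripts, so the example runs anywhere:
# one child reads its secret from stdin, the other prints argv[1] verbatim.
_CHILD_READS_STDIN = "import sys; sys.stdout.write(sys.stdin.read())"
_CHILD_ECHOES_ARGV1 = "import sys; sys.stdout.write(sys.argv[1])"


def reset_password_via_stdin(password: str) -> dict:
    """SEC-234 pattern: hand the secret to the child on stdin, never in argv.
    Returns the argv that `ps` would show and what the child actually read."""
    argv = [sys.executable, "-c", _CHILD_READS_STDIN]
    proc = subprocess.run(argv, input=password.encode(), capture_output=True, check=True)
    return {"argv": argv, "child_read": proc.stdout.decode()}


def exec_literal_argument(value: str) -> str:
    """List-form invocation: `value` becomes exactly one argv entry and no
    shell ever parses it, so metacharacters arrive byte-for-byte as text."""
    argv = [sys.executable, "-c", _CHILD_ECHOES_ARGV1, value]
    proc = subprocess.run(argv, capture_output=True, check=True)
    return proc.stdout.decode()


# Allow-list for a mailbox "virtual name": local part, "@", domain labels.
_VNAME_RE = re.compile(r"^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+$")


def is_acceptable_vname(vname: str) -> bool:
    """True only if the name is made of characters a mailbox name may contain."""
    return _VNAME_RE.fullmatch(vname) is not None


def convert_mailbox(vname: str) -> str:
    """SEC-254 pattern: validate the attacker-influenced value against an
    allow-list first, then invoke without a shell. The list form alone keeps
    a shell from ever seeing the value; the allow-list gives a clean
    rejection that can be logged instead of silently passed downstream."""
    if not is_acceptable_vname(vname):
        raise ValueError(f"rejected mailbox name: {vname!r}")
    return exec_literal_argument(vname)
```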
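For the path traversal in the manpage selector (SEC-252), an added example, not cPanel code, of confining an untrusted selector to a single directory with two independent checks: an allow-list that rejects separators and dot segments outright, and a canonical-path comparison that catches anything which still resolves outside the root. The MAN_ROOT location and the selector grammar are assumptions for illustration.

```python
import os
import re

# Constructed location; the real directory the API reads from is not stated
# in the advisory and is assumed here for illustration.
MAN_ROOT = "/usr/share/man/man1"

# Allow-list: a selector is a bare page name, optionally with a section
# suffix ("ls" or "ls.1"). It may not start with "." and never contains "/".
_MANPAGE_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.+-]*$")


class ManpageSelectionError(ValueError):
    """Raised for any selector that is not a plain page name inside MAN_ROOT."""


def resolve_manpage(selector: str, root: str = MAN_ROOT) -> str:
    """Map an untrusted selector to a path guaranteed to lie under `root`.
    Defence in depth: even if the regex were loosened later, the realpath
    comparison still refuses anything that escapes (including via symlinks
    when the tree exists on disk)."""
    if not _MANPAGE_RE.fullmatch(selector):
        raise ManpageSelectionError(f"bad selector {selector!r}")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, selector))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ManpageSelectionError(f"selector escapes man root: {selector!r}")
    return candidate


def is_traversal_attempt(selector: str) -> bool:
    """Detection helper: True when a selector would be refused. Repeated hits
    from one account are worth alerting on, since a legitimate UI only ever
    sends plain page names."""
    try:
        resolve_manpage(selector)
    except ManpageSelectionError:
        return True
    return False
```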