-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

cPanel TSR-2017-0004 Full Disclosure

SEC-263

Summary
Stored XSS during WHM cPAddons install.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.9 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

Description
It was possible for an attacker to actively inject HTML into the WHM cPAddons screen during a moderated install.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
58.0.52
56.0.51

SEC-264

Summary
Stored XSS during WHM cPAddons upgrades.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.9 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

Description
While performing cPAddon upgrades in WHM, output from the upgrade script was displayed without HTML escaping.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
62.0.27
60.0.45
58.0.52
56.0.51

SEC-265

Summary
Stored XSS during WHM cPAddons file operations.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.9 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

Description
It was possible for an attacker to actively inject HTML into the WHM cPAddons screen when the installation process did certain 'chmod' and 'chown' operations.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
58.0.52
56.0.51

SEC-266

Summary
Stored XSS during WHM cPAddons uninstallation.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.9 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

Description
While performing cPAddon uninstalls in WHM, output from the 'rm' command was displayed without HTML escaping. This could allow for arbitrary code to be injected into the rendered page.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
58.0.52
56.0.51

SEC-267

Summary
Stored XSS during WHM cPAddons cron operations.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.9 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

Description
During the WHM cPAddons install and uninstall processes, output from the 'crontab' command was not sufficiently HTML escaped.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
62.0.27
60.0.45
58.0.52
56.0.51

SEC-268

Summary
Stored XSS during moderated WHM cPAddons installation.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.9 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

Description
While performing cPAddon installs in WHM, output from the 'chgrp' command was displayed without HTML escaping.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
62.0.27
60.0.45
58.0.52
56.0.51

SEC-269

Summary
Stored XSS in WHM cPAddons processing.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.9 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

Description
The cPAddons interfaces relied on a temporary file inside the user's home directory to buffer HTML output. When a reseller made cPAddons changes inside of the WHM interfaces for the user, this allowed the injection of HTML into the interface.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
58.0.52
56.0.51

SEC-271

Summary
Demo accounts allowed to create databases and users.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.0 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

Description
The mysql adminbin allowed demo accounts to create and delete databases and users.

Credits
This issue was discovered by rack911labs.com.

Solution
This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45

SEC-272

Summary
EasyApache 4 conversion sets loose domlog ownership and permissions.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Description
The conversion from EasyApache 3 to EasyApache 4 does not move virtualhost domlogs from the old location to the new location. This results in the logs being recreated by Apache with default world-readable permissions. The conversion script will now create the log files as necessary to ensure correct permissions and ownership are maintained.

Credits
This issue was discovered by Alex Kwiecinski.

Solution
This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
58.0.52
56.0.51

SEC-273

Summary
Domain log files become readable after log processing.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description
When Apache was configured with piped-logging and the domain log files were processed by cpanellogd, the logfiles would be left with world-readable permissions.

Credits
This issue was discovered by Alex Kwiecinski.

Solution
This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
58.0.52
56.0.51

SEC-274

Summary
Apache configuration file changed to world-readable when rebuilt.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description
Changes to the Cpanel::AdvConfig module resulted in all AdvConfig managed subsystems getting world-readable configuration files when they were rebuilt. Cpanel::AdvConfig now defaults to the existing file permissions whenever the optional _target_conf_perms argument is not supplied.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45

SEC-280

Summary
The cpdavd_error_log can be created with insecure permissions.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.2 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Description
If the cpdavd_error_log file is missing when cpdavd starts, then it is possible for it to be created with world-readable permissions. It is possible for sensitive data to be contained within this log. The permissions on this file are now reduced.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
58.0.52
56.0.51

SEC-288

Summary
Resellers can read other accounts' domain log files.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.7 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Description
Under certain situations domain log files are backed up with the file extensions ".bkup", ".bkup2" and ".offset". A reseller could create a domain with those extensions as a top level domain and gain access to read other users' domain log files. The aforementioned top level domains are no longer allowed during account creation.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
58.0.52
56.0.51

SEC-289

Summary
Insecure log file permissions after account modification.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.2 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Description
When changing the main domain name of the account, the log files for that domain were not renamed. This resulted in world-readable log files when Apache was restarted.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
58.0.52
56.0.51

SEC-290

Summary
Apache domlogs become temporarily world-readable during log processing.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Description
During log processing, the Apache domain log files were moved out of their normal location. This created a race condition where any restart of Apache would log to the normal log file location with insecure permissions.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
58.0.52
56.0.51

SEC-291

Summary
Apache SSL domain logs left behind after account termination.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Description
The Apache logs for an account's SSL domain and subdomains were left behind by the account termination process. Resellers could recreate the deleted domains to gain access to the log data.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
58.0.52
56.0.51

SEC-294

Summary
Corrupted user and group ownership when using 'reassign_post_terminate_cruft'.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

Description
Under very specific file tree structures, it was possible for the script 'reassign_post_terminate_cruft' to corrupt the user and group ownership of symlinks.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
58.0.52
56.0.51

SEC-297

Summary
Self XSS Vulnerability in WHM Upload Locale interface.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description
When uploading a locale file in the WHM Upload Locale interface, page output containing the uploaded file name was not adequately escaped. This could allow for arbitrary code to be injected into the rendered page.

Credits
This issue was discovered by Vahagn Vardanyan.

Solution
This issue is resolved in the following builds:
66.0.2
64.0.33
62.0.27
60.0.45
58.0.52
56.0.51

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
-----END PGP SIGNATURE-----
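The cPAddons entries SEC-264, SEC-266, SEC-267 and SEC-268 share one root cause: output from a helper command ('rm', 'crontab', 'chgrp', the upgrade script) was written into an HTML page without escaping. The following Python sketch is an added illustration, not cPanel code; the function names and the sample path are constructed for this example, and it shows the flawed rendering next to the escaped one.

```python
import html
import os
import subprocess


def command_output(argv):
    """Run argv and return its stdout and stderr combined, as text."""
    env = dict(os.environ, LC_ALL="C")  # plain ASCII quoting in error messages
    proc = subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                          text=True, env=env, check=False)
    return proc.stdout


def render_raw(output):
    """The flawed pattern: tool output pasted into the page as-is."""
    return "<pre>" + output + "</pre>"


def render_escaped(output):
    """The corrected pattern: escape at the point where output enters HTML."""
    return "<pre>" + html.escape(output, quote=True) + "</pre>"


# Constructed sample: a path that does not exist and whose name carries markup.
# 'rm' repeats the name in its error message, which is how user-controlled
# file names end up in the page.
SAMPLE_PATH = "/nonexistent-constructed-dir/<u>constructed-marker"


def demo():
    """Return (raw_fragment, escaped_fragment) for the same 'rm' error output."""
    out = command_output(["rm", "--", SAMPLE_PATH])
    return render_raw(out), render_escaped(out)


if __name__ == "__main__":
    raw, escaped = demo()
    print(raw)      # the <u> tag survives and would be interpreted by a browser
    print(escaped)  # the tag is rendered as text: &lt;u&gt;...
```
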
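SEC-274 describes configuration files becoming world-readable on rebuild, fixed by defaulting to the existing file permissions when no explicit mode is supplied; SEC-272 and SEC-280 describe files that are created fresh with loose default permissions. The Python sketch below is an added illustration of that rule, not cPanel's Cpanel::AdvConfig code; rebuild_file, world_readable, NEW_FILE_MODE and the file names are assumptions, and ownership handling is left out.

```python
import os
import stat
import tempfile

# Assumption for this sketch: a file that does not exist yet is created owner-only.
NEW_FILE_MODE = 0o600


def rebuild_file(path, content, target_perms=None):
    """Atomically rewrite path; keep its current mode unless target_perms is given."""
    if target_perms is None:
        try:
            target_perms = stat.S_IMODE(os.stat(path).st_mode)
        except FileNotFoundError:
            target_perms = NEW_FILE_MODE
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp creates the temporary file with mode 0600, so the new content is
    # never readable by other users, even briefly.
    fd, tmp_path = tempfile.mkstemp(dir=directory, prefix=".rebuild-")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(content)
            os.fchmod(handle.fileno(), target_perms)  # explicit mode, umask not involved
        os.replace(tmp_path, path)  # rename over the old file in one step
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return target_perms


def world_readable(paths):
    """Return the paths whose mode grants read access to 'other'."""
    return [p for p in paths if os.stat(p).st_mode & stat.S_IROTH]


def demo():
    """Rebuild an existing 0640 file and create a missing one; report the modes."""
    with tempfile.TemporaryDirectory() as workdir:
        conf = os.path.join(workdir, "service.conf")     # constructed file names
        log = os.path.join(workdir, "example.test.log")
        os.close(os.open(conf, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600))
        os.chmod(conf, 0o640)
        kept = rebuild_file(conf, "setting = 1\n")       # existing mode is kept
        created = rebuild_file(log, "")                  # missing file: owner-only
        return kept, created, world_readable([conf, log])
```
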