cPanel TSR-2017-0005 Full Disclosure

SEC-276

Summary
SQL injection in eximstats processing.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.3
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Description
When processing eximstats updates in buffered mode, errors in the SQL operations cause the updates to be reprocessed one statement at a time. The logic used to split multiple SQL statements back into individual SQL statements was faulty. This resulted in data being processed as SQL commands.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
66.0.23
64.0.40

SEC-279

Summary
SSL hostname verification for support agreement download not enforced.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Description
There was no hostname verification for the support agreement download when creating a support ticket through WHM. This allowed a user to be subject to a MITM attack.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
66.0.23
64.0.40
62.0.30
60.0.48

SEC-282

Summary
Stored XSS vulnerability in WHM MySQL password change interfaces.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.6
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Description
When changing the MySQL password for the root user, various scripts are called to update subsystems that rely on this password. One of these scripts updates the Roundcube databases and outputs a list of virtual email accounts. This list was not adequately encoded before being displayed to the user and allowed an attacker to inject arbitrary code into the rendered page.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
66.0.23
64.0.40
62.0.30
60.0.48
56.0.52

SEC-283

Summary
cPanel backup interface could return a backup with all MySQL databases.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.7
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Description
With specific database names it was possible for a backup returned by getsqlbackup to contain all MySQL databases on the server, including databases the user did not own.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
66.0.23
64.0.40
62.0.30
60.0.48
56.0.52

SEC-284

Summary
User account backups could contain all MySQL databases on the server.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.7
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Description
With specific database names it was possible for an account backup to contain all MySQL databases on the server, including databases the user did not own.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
66.0.23
64.0.40
62.0.30
60.0.48
56.0.52

SEC-285

Summary
Addon domain conversion can copy all MySQL databases to the new account.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 6.8
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Description
It was possible for a reseller account to perform an addon domain conversion such that the resulting account would be given a copy of every MySQL table on the server.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
66.0.23
64.0.40
62.0.30
60.0.48
56.0.52

SEC-296

Summary
Account rename can result in Apache log files becoming world-readable.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.2
CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Description
When modifying the account's main domain name, there was a small interval between when the Apache log files are renamed and when httpd restarts. If the site is accessed during this interval, Apache would create the logs as world-readable. This allowed a leak of potentially sensitive data.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
66.0.23
64.0.40
62.0.30
60.0.48
56.0.52

SEC-299

Summary
Backup system overwrites root's home directory when mount disappears.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.8
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Description
When performing an account backup, the backup script will chdir() to the backup directory. If a file system failure is occurring when this chdir() is made, it is possible for the current directory to end up as root's home directory instead. This can allow files within that directory to be overwritten.

Credits
This issue was discovered by NameCheap, Inc.

Solution
This issue is resolved in the following builds:
66.0.23
64.0.40
62.0.30
60.0.48
56.0.52

SEC-300

Summary
Open redirect in /unprotected/redirect.html.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.4
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

Description
The goto_uri parameter of /unprotected/redirect.html could be used as an open redirect to a potentially harmful domain.

Credits
This issue was discovered by Fredrik Almroth.

Solution
This issue is resolved in the following builds:
66.0.23
64.0.40
62.0.30
60.0.48
56.0.52

SEC-302

Summary
Code execution as mailman user due to faulty environment variable filtering.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.8
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description
The blacklist-based environment variable filtering in Mailman allowed through variables that could influence the operation of the Python interpreter. On cPanel & WHM systems, this faulty filtering allowed local users to run arbitrary code as the shared mailman user.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
66.0.23
64.0.40
62.0.30
60.0.48
56.0.52

SEC-303

Summary
Arbitrary file overwrite via Roundcube SQLite schema update.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.8
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N

Description
During Roundcube SQLite schema updates, the SQLite database files were opened by root inside the user's home directory. This could allow arbitrary files to be created or overwritten on the system.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
66.0.23
64.0.40
62.0.30
60.0.48
56.0.52
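For SEC-276 above, an added example (not cPanel's eximstats code) contrasting the faulty pattern, splitting a buffered batch on every ';', with a splitter that tracks quoting state so a ';' inside a string literal stays data rather than becoming a statement of its own. The table and column names in the constructed sample batch are assumptions.

```python
from typing import List, Optional

def naive_split(batch: str) -> List[str]:
    """The faulty pattern: every ';' is taken as a statement boundary."""
    return [s.strip() for s in batch.split(";") if s.strip()]

def split_statements(batch: str) -> List[str]:
    """Split on ';' only when outside a single- or double-quoted literal.
    Handles backslash escapes and doubled quotes ('' or "") inside a literal."""
    statements: List[str] = []
    current: List[str] = []
    quote: Optional[str] = None        # quote character we are inside, if any
    i, n = 0, len(batch)
    while i < n:
        ch = batch[i]
        if quote is None:
            if ch in ("'", '"'):
                quote = ch                 # entering a literal
            elif ch == ";":                # real statement boundary
                stmt = "".join(current).strip()
                if stmt:
                    statements.append(stmt)
                current, i = [], i + 1
                continue
        else:
            if ch == "\\" and i + 1 < n:   # escaped character: copy both, stay inside
                current.extend(batch[i:i + 2])
                i += 2
                continue
            if ch == quote:
                if batch[i + 1:i + 2] == quote:   # doubled quote: still inside
                    current.extend(batch[i:i + 2])
                    i += 2
                    continue
                quote = None               # literal closed
        current.append(ch)
        i += 1
    tail = "".join(current).strip()
    if tail:
        statements.append(tail)
    return statements

# Constructed sample: two inserts whose string values themselves contain ';'.
SAMPLE_BATCH = (
    "INSERT INTO sends (email, msgid) VALUES ('a;b@example.com', 'x'); "
    "INSERT INTO sends (email, msgid) VALUES ('O''Brien; x=1', 'y');"
)
```

With the sample, naive_split yields four fragments, two of which start inside a literal and would be executed as their own statements; split_statements yields the two intended inserts.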
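For SEC-300, an added example (not cPanel's code) of validating a goto_uri value so the redirect can only land on a path of the same site. The parameter name is the advisory's; the default target and the test inputs are constructed.

```python
import posixpath
from urllib.parse import urlsplit, urlunsplit

DEFAULT_TARGET = "/"   # constructed fallback; a real handler would use its own landing page

def safe_redirect_target(goto_uri: str) -> str:
    """Return goto_uri only if it is a same-site absolute path; else DEFAULT_TARGET.

    Some checks run on the raw string because browsers resolve inputs such as a
    leading '//' or '///' or a backslash as another host even though a generic
    URL parser reports no scheme or authority for them.
    """
    target = goto_uri.strip()
    if not target:
        return DEFAULT_TARGET
    # Control characters and backslashes are parsed inconsistently across browsers.
    if any(ord(c) < 0x20 or c == "\\" for c in target):
        return DEFAULT_TARGET
    # Two or more leading slashes form a network-path reference to another host.
    if target.startswith("//"):
        return DEFAULT_TARGET
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:       # explicit scheme or authority: off-site
        return DEFAULT_TARGET
    if not parts.path.startswith("/"):     # relative paths resolve unpredictably
        return DEFAULT_TARGET
    # Collapse '.' and '..' so the result is a clean path under the site root.
    path = posixpath.normpath(parts.path)
    return urlunsplit(("", "", path, parts.query, parts.fragment))
```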
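For SEC-302, an added example (not Mailman's or cPanel's code) of building a child-process environment from an allowlist instead of a blocklist, so variables the wrapper never anticipated cannot reach the interpreter it launches. The allowed set and the fixed PATH are constructed for illustration.

```python
import os
import subprocess
from typing import Dict, Iterable, Mapping

# Variables a delivery wrapper legitimately needs (constructed list).
ALLOWED_VARS = frozenset({"HOME", "LANG", "LC_ALL", "TZ", "USER"})

# PATH is never inherited: the caller's value would decide which binaries run.
SAFE_PATH = "/usr/local/bin:/usr/bin:/bin"

def clean_environment(source: Mapping[str, str],
                      allowed: Iterable[str] = ALLOWED_VARS) -> Dict[str, str]:
    """Keep only allowlisted variables from source and set a fixed PATH.

    A blocklist has to enumerate every variable that can alter the interpreter
    and misses new ones; an allowlist passes only what the wrapper has reason
    to pass, so an unknown variable is dropped by default.
    """
    allowed = frozenset(allowed) - {"PATH"}
    env = {name: value for name, value in source.items() if name in allowed}
    env["PATH"] = SAFE_PATH
    return env

def run_clean(argv, source: Mapping[str, str] = os.environ) -> subprocess.CompletedProcess:
    """Run argv with the filtered environment instead of the inherited one."""
    return subprocess.run(argv, env=clean_environment(source),
                          capture_output=True, text=True, check=False)
```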