cPanel TSR-2018-0001 Full Disclosure

SEC-308

Summary
SRS secret revealed in exim.conf.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.5
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Description
When the experimental SRS option for Exim was enabled, the secret key used to sign SRS email was visible inside the exim.conf file. This setting is now stored in a separate file that is not world-readable.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39

SEC-321

Summary
Database and dbuser names were not validated during renames.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.3
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Description
When renaming a database or database user via either the MySQL or PostgreSQL adminbins, the new name was not verified to meet cPanel's naming requirements. This allowed an attacker to create databases or database users with reserved or invalid names.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39

SEC-324

Summary
Ownership not enforced by addpkgext and delpkgext WHM API calls.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.7
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Description
The "addpkgext" and "delpkgext" WHM API calls did not restrict modifications to packages and accounts that the reseller was authorized to change. These API calls now restrict modifications based on package and account ownership if the reseller does not have the "all" ACL.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
68.0.27

SEC-339

Summary
Backups revealed contents of directories that the user did not own.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.8
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

Description
During a backup it was possible to lead the process into directories that the user did not own. The file and directory paths would then be saved to a file that was readable by the user.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39

SEC-342

Summary
Root's crontab briefly world-readable when enabling backups.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.8
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Description
When enabling backups, it is sometimes necessary to add new entries to root's crontab. To perform this change, a temporary file was created with a predictable name and world-readable permissions. This allowed the crontab to be read by normal users during this action.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39

SEC-349

Summary
Arbitrary file read via restore adminbin.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 6.5
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Description
Race conditions in the RESTOREFILE functionality of the restore adminbin could be misused by local attackers to read any files on the system.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
68.0.27

SEC-351

Summary
Root's crontab briefly world-readable during crontab configuration.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.8
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Description
When saving changes to root's crontab through the "Configure cPanel Cron Jobs" interface in WHM, a temporary file containing root's crontab was created with world-readable permissions.

Credits
This issue was discovered by rack911labs.com.

Solution
This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39

SEC-352

Summary
Root's crontab briefly world-readable during post update tasks.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.3
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description
During cPanel updates, root's crontab was exposed in a world-readable temporary file by the post install task to update cPAddons.

Credits
This issue was discovered by rack911labs.com.

Solution
This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39

SEC-353

Summary
World-readable copy of httpd.conf created during syntax test.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.5
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Description
During httpd.conf updates on systems using EasyApache4, a copy of the httpd.conf file was created with world-readable permissions.

Credits
This issue was discovered by rack911labs.com.

Solution
This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39

SEC-354

Summary
Insecure file operations in bin/csvprocess.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.4
CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N

Description
The csvprocess script performed file operations on predictably named files in the current working directory. If this script was run by the root user in a user-controlled directory, it was possible for an attacker to cause root owned files to be overwritten. This script has been removed and its functionality moved into the API call that previously utilized this script.

Credits
This issue was discovered by rack911labs.com.

Solution
This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39

SEC-355

Summary
World-readable archive created by archive_sync_zones script.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.8
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Description
When scripts/archive_sync_zones generated a backup file, the resulting archive was created with world-readable permissions.

Credits
This issue was discovered by rack911labs.com.

Solution
This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39

SEC-356

Summary
Limited arbitrary file write via telnetcrt script.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.4
CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N

Description
The telnetcrt script attempted to change directory to a safe location to write temporary files without verifying the directory existed or that the change of directory was successful. If this script was run manually in a world-writable directory, a local attacker could symlink the temporary filenames to unsafe locations. This script is no longer used by cPanel and has been removed.

Credits
This issue was discovered by rack911labs.com.

Solution
This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39

SEC-383

Summary
Self-XSS in cPanel Backup Restoration.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description
When rendering the list of files that are restored from a partial backup, appropriate HTML escaping was not performed. This allowed arbitrary code to be injected into the rendered page.

Credits
This issue was discovered by Fabian Patrik.

Solution
This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39

SEC-385

Summary
Self-XSS in WHM Apache Configuration Include Editor.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description
When rendering invalid syntax after saving new Apache includes, the context appropriate escaping was not performed.
This allowed arbitrary code to be injected into the rendered page.

Credits
This issue was discovered by Fabian Patrik.

Solution
This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39

SEC-386

Summary
Self-Stored-XSS in WHM Account Transfer.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description
Account usernames were not properly HTML escaped in the transfer log header when using the Remote User Account Transfer interface in WHM. This allowed arbitrary code to be injected into the rendered page.

Credits
This issue was discovered by Fabian Patrik.

Solution
This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39

SEC-387

Summary
Self-XSS in WHM Spamd Startup Config.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description
When saving spamd directives in WHM Spamd Startup Config, invalid configuration values were displayed without appropriate HTML escaping. This allowed arbitrary code to be injected into the rendered page.

Credits
This issue was discovered by Fabian Patrik.

Solution
This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39

SEC-388

Summary
World-readable files created when using WHM Apache Includes Editor.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.2
CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Description
When modifying the Apache Includes via the WHM Apache Includes Editor, the new configuration was created with world-readable permissions. This allowed the configuration to be viewed by non-privileged users.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39

SEC-389

Summary
Self-XSS in WHM listips interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description
The WHM /scripts2/listips interface did not escape user input and backend error messages when displaying JavaScript notices.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39
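The pattern behind SEC-342, SEC-351, SEC-352, SEC-353, SEC-355 and SEC-388 is a sensitive file written to a scratch copy with a predictable name and whatever mode the process umask yields. As an added illustration (not cPanel's code), the Python below puts that shape beside one that creates the scratch file with mkstemp (mode 0600 regardless of umask, unpredictable name) in the destination directory and renames it into place, plus a small audit helper for listing world-readable regular files in a directory such as a cron spool. The directory names, the "root" target and the cron line are constructed sample values.

```python
import os
import stat
import tempfile

def write_crontab_unsafely(spool_dir, contents):
    """The shape described in SEC-342/SEC-351: predictable name, mode left to the umask."""
    tmp = os.path.join(spool_dir, "root.tmp")   # any local user can guess this name
    with open(tmp, "w") as fh:                  # umask 022 -> mode 0644 -> world-readable
        fh.write(contents)
    final = os.path.join(spool_dir, "root")
    os.replace(tmp, final)                      # the 0644 mode travels with the file
    return final

def write_crontab_privately(spool_dir, contents):
    """mkstemp gives an unpredictable name, O_EXCL and mode 0600 regardless of umask."""
    fd, tmp = tempfile.mkstemp(dir=spool_dir, prefix=".root.")  # same dir: rename is atomic
    final = os.path.join(spool_dir, "root")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(contents)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, final)                  # contents are never readable by others
    except BaseException:
        os.unlink(tmp)                          # do not leave a scratch copy behind
        raise
    return final

def world_readable_files(directory):
    """Audit helper: regular files in `directory` whose mode grants read to 'other'."""
    found = []
    for name in sorted(os.listdir(directory)):
        st = os.lstat(os.path.join(directory, name))
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
            found.append(name)
    return found

def demo():
    """Run both writers under umask 022; return the final modes and what the audit flags."""
    contents = "0 3 * * * /path/to/job\n"      # constructed sample entry, not a real cPanel cron line
    old = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as bad, tempfile.TemporaryDirectory() as good:
            bad_mode = stat.S_IMODE(os.stat(write_crontab_unsafely(bad, contents)).st_mode)
            good_mode = stat.S_IMODE(os.stat(write_crontab_privately(good, contents)).st_mode)
            return {"unsafe_mode": bad_mode, "safe_mode": good_mode,
                    "unsafe_audit": world_readable_files(bad), "safe_audit": world_readable_files(good)}
    finally:
        os.umask(old)
```

The audit helper is the post-update check an administrator would run over a spool or configuration directory; a non-empty result is a file that any local account can read.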