-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

cPanel TSR-2018-0002 Full Disclosure

SEC-338

Summary
Arbitrary file chmod during legacy incremental backups.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.5
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

Description
It was possible for a user to prepare their home directory in a way that after a series of incremental backups they could chmod arbitrary files on the system.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42

SEC-357

Summary
Self-XSS in WHM cPAddons showsecurity Interface.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description
The addon parameter to the cPAddons showsecurity interface is not adequately encoded when included in the final rendered page. This allowed for arbitrary scripts to be injected into the rendered page.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
70.0.23
68.0.33

SEC-359

Summary
Code execution via '.' in @INC during perl syntax check of cpaddonsup.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.6
CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

Description
The syntax check performed during /scripts/cpaddonsup did not use the fully qualified path to the cPanel distributed perl interpreter. This could allow an attacker to execute arbitrary code if root executed this script in a user controlled directory.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42

SEC-362

Summary
Demo account code execution via awstats.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Description
The awstats application can be abused to execute arbitrary code on the server. Demo accounts were able to use this to execute arbitrary code.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42

SEC-364

Summary
Root accesshash revealed by WHM /cgi/trustclustermaster.cgi.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.4
CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N

Description
A logic error in /cgi/trustclustermaster.cgi potentially exposed root's accesshash when executed by a reseller with the DNS Clustering ACL.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42

SEC-368

Summary
OpenID providers can inject arbitrary data into cPanel session files.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 6.4
CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N

Description
cPanel session files are not capable of handling values that include newlines. When linking accounts, OpenID Connect provider data is passed directly from the remote provider into the session. If this data includes a newline, it is possible to corrupt the session, allowing login to non-linked accounts.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42

SEC-369

Summary
Stored XSS in WHM Edit DNS Zone.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.6
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Description
When saving a modified DNS zone, the MX records are parsed in order to reconfigure mail routing. This parsing process is not correct and processes non-MX records by mistake.
This, in combination with insufficient encoding of output error messages, allowed an attacker to inject arbitrary code into the rendered page when a DNS zone is saved.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42

SEC-370

Summary
Stored XSS in WHM Edit MX Entry.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.6
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Description
When saving a modified MX record, the MX records are parsed in order to reconfigure mail routing. This parsing process is not correct and processes non-MX records by mistake. This, in combination with insufficient encoding of output error messages, allowed an attacker to inject arbitrary code into the rendered page when an MX record is saved.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42

SEC-372

Summary
Remote Stored XSS in WHM DNS Cluster.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description
When viewing the list of currently configured DNS Cluster server members, the server version was not escaped appropriately for its output context. This could allow an attacker to execute arbitrary code in the rendered page.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42

SEC-373

Summary
Remote Stored XSS in WHM Create Account.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description
When creating an account while an attacker controlled DNS cluster server is configured, messages passed back from DNS Admin did not apply context appropriate escaping. This allowed arbitrary code to be injected into the rendered page.
Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42

SEC-374

Summary
Remote Stored XSS in WHM Edit DNS Zone.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description
When editing DNS zones while an attacker controlled DNS cluster server is configured, messages passed back from DNS Admin did not apply context appropriate escaping. This allowed arbitrary code to be injected into the rendered page.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42

SEC-375

Summary
Remote Stored XSS in WHM Delete a DNS Zone.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description
When deleting DNS zones while an attacker controlled DNS cluster server is configured, messages passed back from DNS Admin did not apply context appropriate escaping. This allowed arbitrary code to be injected into the rendered page.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42

SEC-376

Summary
Remote Stored XSS in WHM DNS Cleanup.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description
When cleaning up DNS zones while an attacker controlled DNS cluster server is configured, messages passed back from DNS Admin did not apply context appropriate escaping. This allowed arbitrary code to be injected into the rendered page.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42

SEC-377

Summary
Remote Stored XSS in WHM Synchronize DNS Records.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description
When syncing DNS zones while an attacker controlled DNS cluster server is configured, messages passed back from DNS Admin did not apply context appropriate escaping. This allowed arbitrary code to be injected into the rendered page.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42

SEC-378

Summary
Arbitrary file read and unlink via WHM style uploads.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.6
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N

Description
A logic error in the handling of file uploads allowed attackers with the "manage-styles" ACL to read or unlink any file on the server with root's effective permissions.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42

SEC-379

Summary
Local privilege escalation via WHM Legacy Language File Upload interface.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 8.2
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Description
A logic error in the handling of file uploads allowed attackers with the "locale-edit" ACL to read, write and chmod files with root's effective permissions. A local attacker could misuse this behavior to run arbitrary code as the root user.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42

SEC-380

Summary
Local privilege escalation via WHM Locale XML Upload interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 8.2
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Description
A logic error in the handling of file uploads allowed attackers with the "locale-edit" ACL to read, write and chmod files with root's effective permissions. A local attacker could misuse this behavior to run arbitrary code as the root user.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42

SEC-382

Summary
Jailshell breakout via incorrect crontab parsing.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.8
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Description
There was a mismatch between what the crontab daemon considers whitespace and the validation applied to new cron entries. This allowed an attacker to create entries that cron would run with an arbitrary shell, resulting in an escape from jailshell.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42

SEC-391

Summary
Remote Stored XSS in cpaddons vendor interface.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description
When adding a 3rd party vendor to the cpaddons interface, the output was not properly escaped. This allowed remotely stored malicious files to execute arbitrary code in the rendered page.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42

SEC-392

Summary
Open redirect via /unprotected/redirect.html endpoint.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Description
The redirect script present at /unprotected/redirect.html does not adequately validate the redirect path parameter.
This allowed a redirect to arbitrary URLs.

Credits
This issue was discovered by Georgi Vasilev of siteground.com.

Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42

SEC-401

Summary
Htaccess restrictions bypass when "Htaccess Optimization" enabled.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 6.5
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Description
The "Htaccess Optimization" functionality introduced in cPanel & WHM version 66 allowed the bypassing of account suspensions and .htaccess based access controls with some configurations. This functionality has been disabled and will be replaced with an alternative optimization method in a future update.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
70.0.23
68.0.33

SEC-405

Summary
Demo account code execution via cPanel Landing Page.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Description
The app_name parameter used in the cPanel Landing Page template could be abused to additionally process a template controlled by a cPanel user. Demo accounts were able to use this to execute arbitrary code.

Credits
This issue was discovered by Fabian Patrik of websafe.hu.

Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42

SEC-406

Summary
Apache logs exposed by creation of certain domains.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.1
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

Description
A reseller could create a domain that would use, and change the ownership of, already existing domain log files. These domains use the ".localhost" TLD. It is no longer possible to create a domain with the aforementioned TLD.

Credits
This issue was discovered by rack911labs.com.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42

SEC-410

Summary
Stored XSS in WHM Edit DNS Zone.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.6
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Description
When editing a DNS zone, error messages for a zone that cannot be parsed correctly are returned to the user. These error messages are not sufficiently encoded. This allowed arbitrary code to be injected into the rendered page.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42

SEC-411

Summary
Email account suspensions can be applied to unowned accounts.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.4
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Description
It was possible for a user to suspend or unsuspend email accounts they did not own by taking advantage of email account names that contained newlines.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42

SEC-412

Summary
Stored XSS in WHM Reset a DNS Zone.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.6
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Description
When resetting a DNS zone, error messages for a zone that cannot be parsed correctly are returned to the user. These error messages are not sufficiently encoded. This allowed arbitrary code to be injected into the rendered page.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42

SEC-371

Summary
Any user is able to shut down Solr.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.5
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Description
The solr daemon stop key is passed to the daemon on the command line when it is started.
This value is visible in the process listing while the daemon is running. Other users are able to see it, allowing a potential attacker to shut down the daemon at any time.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
70.0.23
68.0.33

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEEtnCbTMb0IHf2mEGRlSG+3KvZTd8FAlqvyYcUHHNlY3VyaXR5
QGNwYW5lbC5uZXQACgkQlSG+3KvZTd/1GxAAnZKP0fz9yBh7r2egRf4tZeZI3Qn/
kKo5XlHnzHlBNaEPc0KROM4U7Yw3GZXZkPEgZlyiwrkRIcdcrTZ5F5GoWX92prEv
cMPlohjOyXvLQISFc/VOSEW51EEQmW17++tqNkdHNswgN+g3CFWVLclgTElDKIYe
xnTVQKcJAxdagXwJNOAlpSJx18Qt2Pn4FpeRvqx5vul1VWx6KzGT0RKgM/ZbsblJ
Sla3OIZKb7niWDWC8H2XyWpTIrUyIcWjVNPF37EniGdPjnuMtkbNaAkNfKkTQMTT
Bc5E2e0KhfjDGqHki+jm42Mr9j1RuRUMkLqg7GcOHapY60lc8EFYJ9V7rTj1yxOr
Xh1wJK4RNgRo3tdzmol7XIzSuUKZJU1lZ+ctABW0xlx4deG9yN2/tlV6aJnNNCj4
myOnurJtRhBPTqQHs+eTz7xuvSebn4QWOs/7eQOh03gfpEOy0bmdRi2zavIqzIAV
V5uT8JmobCIKf58H0haKk/bk+Fal/vh/pZ6N4KQSjEIRogpMFfqi3bJmviWYCIvL
qDed5wDn5iloepUoP+ZW25qUx/POloi7wwWUNOj5vrk6DFE4rdGc0349VvKdNobU
p0dCtowGwfVxvy7jh5bgrH5i4of8bhilU9a/nKoZfj7bwBk1fnM0ssTLKNvMvDTT
OIa6V7Rn6d/vgzc=
=VgWj
-----END PGP SIGNATURE-----
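Editor's worked example for SEC-368 and SEC-411 (newline injection into line-oriented records). This is added below the signed advisory and is not cPanel's text or code; it is written in Python rather than cPanel's Perl. The one-"key=value"-per-line session layout, the "later key wins" reader behaviour, the OpenID Connect claim names and the usernames are all constructed assumptions. The same defect shape applies to SEC-411, where an email account name carrying a newline forged a record for an account the user did not own.

```python
import re

# Any of these inside a key or value would let the value start a new record
# (\0 is included defensively for consumers written in C).
_FORBIDDEN = re.compile(r"[\r\n\0]")


def serialize_session_unsafe(fields):
    """Vulnerable writer: remote-supplied values are copied into the file verbatim."""
    return "".join(f"{key}={value}\n" for key, value in fields.items())


def serialize_session(fields):
    """Hardened writer: fail closed on any key or value that could forge a record."""
    for key, value in fields.items():
        if _FORBIDDEN.search(key) or _FORBIDDEN.search(value) or "=" in key:
            raise ValueError(f"control character or delimiter in session field {key!r}")
    return "".join(f"{key}={value}\n" for key, value in fields.items())


def parse_session(blob):
    """Reader: one 'key=value' per line; a repeated key overrides the earlier one
    (assumed here; it is what lets the injected line win)."""
    session = {}
    for line in blob.splitlines():
        if line:
            key, _, value = line.partition("=")
            session[key] = value
    return session


# Constructed OpenID Connect claims. The provider controls 'name'; the hostile
# variant smuggles a second 'user=' record behind a newline.
BENIGN_CLAIMS = {"user": "alice", "openid_sub": "oidc|1234", "name": "Alice"}
HOSTILE_CLAIMS = {"user": "alice", "openid_sub": "oidc|1234", "name": "Alice\nuser=bob"}


def demo():
    """Returns (user for benign input, user after injection, hardened writer refused?)."""
    benign_user = parse_session(serialize_session_unsafe(BENIGN_CLAIMS))["user"]
    hijacked_user = parse_session(serialize_session_unsafe(HOSTILE_CLAIMS))["user"]
    try:
        serialize_session(HOSTILE_CLAIMS)
        refused = False
    except ValueError:
        refused = True
    return benign_user, hijacked_user, refused


if __name__ == "__main__":
    print(demo())
```

The fix is placed in the writer rather than the reader on purpose: the reader cannot tell a forged line from a genuine one once it is on disk, so the only reliable point of control is the boundary where untrusted provider data enters the store.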
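Editor's worked example for SEC-369, SEC-370, SEC-410 and SEC-412 (MX records selected by the wrong criterion, and parse errors echoed without encoding). This is added below the signed advisory and is not cPanel's text or code; it is in Python rather than Perl. The advisory says only that non-MX records were processed as MX records and that the error messages were not encoded; the substring-match bug, the zone contents and the HTML fragment shape below are constructed to illustrate that description, not taken from cPanel.

```python
import html
import re

# Constructed zone. The TXT record mentions "MX" and carries a script tag; the
# last MX line is malformed (no priority) so the hardened parser also has an error to report.
ZONE = """\
example.com.  3600  IN  SOA  ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 86400
example.com.  3600  IN  MX   10 mail.example.com.
example.com.  3600  IN  TXT  "our MX is <script>alert(1)</script>"
example.com.  3600  IN  MX   mail2.example.com.
"""

# Generic RR grammar for the hardened parser: owner, optional TTL, optional
# class, then type. Only the type field decides what a record is.
_RR = re.compile(r"^(?P<owner>\S+)\s+(?:(?P<ttl>\d+)\s+)?(?:(?P<cls>IN)\s+)?(?P<type>[A-Z]+)\s+(?P<rdata>.*)$")
_MX_RDATA = re.compile(r"^(?P<prio>\d+)\s+(?P<host>\S+)$")


def mx_hosts_unsafe(zone_text):
    """Vulnerable: any line containing 'MX' is treated as an MX record, and the raw
    line is echoed in the error message when it does not look like one."""
    hosts, errors = [], []
    for lineno, line in enumerate(zone_text.splitlines(), 1):
        if "MX" not in line:
            continue
        m = re.search(r"MX\s+(\d+)\s+(\S+)", line)
        if m:
            hosts.append(m.group(2).rstrip("."))
        else:
            errors.append(f"Could not parse MX record on line {lineno}: {line}")
    return hosts, errors


def mx_hosts(zone_text):
    """Hardened: select records by their type field only, and keep attacker-controlled
    rdata out of the error text."""
    hosts, errors = [], []
    for lineno, line in enumerate(zone_text.splitlines(), 1):
        rr = _RR.match(line)
        if not rr or rr.group("type") != "MX":
            continue
        mx = _MX_RDATA.match(rr.group("rdata"))
        if mx:
            hosts.append(mx.group("host").rstrip("."))
        else:
            errors.append(f"Could not parse MX record on line {lineno} for {rr.group('owner')}")
    return hosts, errors


def render_errors_unsafe(errors):
    """Vulnerable output: messages dropped straight into HTML."""
    return "".join(f"<li>{msg}</li>" for msg in errors)


def render_errors(errors):
    """Hardened output: escape for the HTML element-content context."""
    return "".join(f"<li>{html.escape(msg, quote=True)}</li>" for msg in errors)


if __name__ == "__main__":
    print(mx_hosts_unsafe(ZONE))
    print(mx_hosts(ZONE))
    print(render_errors(mx_hosts(ZONE)[1]))
```

Two independent fixes are shown because the advisory describes two defects: the record selection bug decides what ends up in the message, and the encoding bug decides whether the browser treats it as markup. Either one alone would have removed this particular XSS; output encoding is the one that also covers the next parser mistake.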
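Editor's worked example for SEC-382 (validator and consumer disagree about whitespace). This is added below the signed advisory and is not cPanel's text or code; it is in Python rather than Perl. The advisory does not name the characters involved, so the specific mismatch shown is an assumption chosen from crontab(5): cron ignores leading blanks and accepts "name = value" with optional blanks around the equals sign, while the vulnerable validator below only recognises the literal "SHELL=" at the start of a line. The jailshell path is the one named in cPanel's product; the crontab contents are constructed.

```python
import re

# The consumer's grammar for an environment setting (crontab(5): leading blanks
# ignored, blanks around '=' optional).
_CRON_ENV = re.compile(r"^\s*(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?P<value>.*?)\s*$")

JAILSHELL = "/usr/local/cpanel/bin/jailshell"


def cron_jobs(crontab_text, default_shell=JAILSHELL):
    """Model of the consumer: [(shell in effect, command)] as cron would run them."""
    shell, jobs = default_shell, []
    for raw in crontab_text.splitlines():
        line = raw.lstrip(" \t")
        if not line or line.startswith("#"):
            continue
        env = _CRON_ENV.match(line)
        if env:
            if env.group("name") == "SHELL":
                shell = env.group("value")
            continue
        # Job line: five time fields (or one @keyword) split on spaces OR tabs, then the command.
        fields = line.split(None, 1 if line.startswith("@") else 5)
        jobs.append((shell, fields[-1]))
    return jobs


def validate_unsafe(crontab_text):
    """Vulnerable validator: a denylist written for the common spelling only."""
    for line in crontab_text.splitlines():
        if line.startswith("SHELL="):
            return False
    return True


def validate(crontab_text):
    """Hardened validator: parse with the consumer's grammar and fail closed."""
    for raw in crontab_text.splitlines():
        line = raw.lstrip(" \t")
        if not line or line.startswith("#"):
            continue
        env = _CRON_ENV.match(line)
        if env:
            if env.group("name") == "SHELL":
                return False      # no SHELL override for jailed users, however it is spelled
            continue
        fields = line.split(None, 1 if line.startswith("@") else 5)
        if len(fields) != (2 if line.startswith("@") else 6):
            return False          # not a job line either: reject rather than guess
    return True


# Constructed crontabs. The hostile one indents the line and spaces out the '=',
# which the denylist never sees but cron happily honours.
BENIGN_CRONTAB = "* * * * * /usr/bin/php /home/user/cron.php\n"
HOSTILE_CRONTAB = "\tSHELL = /bin/bash\n* * * * * /usr/bin/php /home/user/cron.php\n"


if __name__ == "__main__":
    print(validate_unsafe(HOSTILE_CRONTAB), cron_jobs(HOSTILE_CRONTAB))
    print(validate(HOSTILE_CRONTAB))
```

The general lesson is the one the advisory states: a validator must parse the input with the same grammar the consumer will use. A denylist over one spelling of a construct is only as good as the author's memory of every spelling the consumer accepts.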
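Editor's worked example for SEC-392 (validating a redirect target). This is added below the signed advisory and is not cPanel's text or code; it is in Python rather than Perl. The advisory states only that the redirect path parameter of /unprotected/redirect.html was not adequately validated; the origin, the landing-page path and the test inputs below are constructed, and the check implemented is a standard same-origin relative-path rule rather than cPanel's fix.

```python
from urllib.parse import urlsplit, urljoin

# Constructed origin; only the host comparison depends on it.
OUR_ORIGIN = "https://panel.example.com:2083/"


def redirect_target_unsafe(path_param):
    """Vulnerable: whatever arrived in the parameter becomes the Location header."""
    return path_param


def redirect_target(path_param, origin=OUR_ORIGIN):
    """Hardened: allow only a local absolute path on our own host, else fall back to '/'."""
    if not isinstance(path_param, str) or not path_param:
        return "/"
    # CR/LF would split the response header; some browsers turn '\' into '/'.
    if any(ord(ch) < 0x20 or ch == "\\" for ch in path_param):
        return "/"
    parts = urlsplit(path_param)
    if parts.scheme or parts.netloc:      # absolute ("https://...") or protocol-relative ("//...")
        return "/"
    if not path_param.startswith("/") or path_param.startswith("//"):
        return "/"
    # Resolve against our origin and confirm the host did not change.
    if urlsplit(urljoin(origin, path_param)).netloc != urlsplit(origin).netloc:
        return "/"
    return path_param


# Constructed inputs: the first is a legitimate post-login page, the rest are the
# shapes an open-redirect check must refuse.
CASES = [
    "/frontend/paper_lantern/index.html",
    "https://attacker.example/login",
    "//attacker.example/login",
    "/\\attacker.example/login",
    "javascript:alert(1)",
    "/x\r\nSet-Cookie: session=attacker",
    "attacker.example/login",
]


def demo():
    """Map each constructed input to the Location value the hardened check would emit."""
    return {case: redirect_target(case) for case in CASES}


if __name__ == "__main__":
    for case, target in demo().items():
        print(repr(case), "->", target)
```

Falling back to "/" rather than raising is deliberate for a redirect endpoint: a malformed value is far more often a broken link than an attack, and sending the user to the application root is safe either way.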
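Editor's worked example for SEC-371 (a secret passed on the command line is visible in the process listing). This is added below the signed advisory and is not cPanel's or Apache Solr's code; it is in Python rather than Perl. A stand-in daemon is launched twice with a freshly generated stop key, once with the key on argv as the advisory describes and once with the key delivered on stdin, and read_cmdline() shows what any local user can observe. The "--stop-key" flag and the daemon itself are constructed; the procfs path is Linux, with a ps fallback for other Unix systems.

```python
import secrets
import subprocess
import sys

# Stand-in daemon: takes '--stop-key KEY' on argv, or reads the key from stdin.
DAEMON_SRC = r"""
import sys, time
if "--stop-key" in sys.argv:
    key = sys.argv[sys.argv.index("--stop-key") + 1]
else:
    key = sys.stdin.readline().strip()
sys.stdout.write("ready\n")
sys.stdout.flush()
time.sleep(60)   # pretend to serve until killed
"""


def read_cmdline(pid):
    """What any local user sees in the process listing for `pid`."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as fh:          # Linux
            return fh.read().replace(b"\0", b" ").decode(errors="replace")
    except FileNotFoundError:                                    # e.g. macOS
        return subprocess.run(["ps", "-p", str(pid), "-o", "args="],
                              capture_output=True, text=True).stdout


def start_daemon(key, on_argv):
    """Launch the stand-in; deliver the key on argv (leaky) or on stdin (private)."""
    argv = [sys.executable, "-c", DAEMON_SRC]
    if on_argv:
        argv += ["--stop-key", key]
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    if not on_argv:
        proc.stdin.write(key + "\n")
        proc.stdin.flush()
    proc.stdout.readline()          # block until the daemon reports "ready"
    return proc


def key_leaks(on_argv):
    """True when the freshly generated stop key can be read back from the process listing."""
    key = secrets.token_hex(16)
    proc = start_daemon(key, on_argv)
    try:
        return key in read_cmdline(proc.pid)
    finally:
        proc.kill()
        proc.wait()


if __name__ == "__main__":
    print("on argv:", key_leaks(True), " on stdin:", key_leaks(False))
```

Argument vectors are world-readable by design, which is why the advisory rates this as a local, low-privilege denial of service. Delivering the key over stdin or a mode 0600 file keeps it to the daemon's own user; the environment is a weaker middle ground, since /proc/<pid>/environ is readable by the same user and by root.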