cPanel TSR-2018-0003 Full Disclosure

SEC-393

Summary
API tokens retain ACLs that are removed from accounts.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 6.4
CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

Description
Starting with cPanel & WHM version 68, it became possible to limit the authorizations of a WHM API token to a subset of the ACLs assigned to the reseller account. The logic that implemented this behavior did not restrict API tokens to the ACLs that were currently assigned to the reseller account. This allowed a reseller to retain access to an ACL after the ACL was removed from the reseller's account.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
70.0.43
68.0.39

SEC-394

Summary
Stored code execution injections in WHM cPAddons interface.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.3
CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L

Description
The cpaddons_report.pl script escaped user-provided data with incorrect escaping functions in several places. This allowed cPanel users to cause unintended actions when the server administrator clicked links in the WHM cPAddons interfaces.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
70.0.43
68.0.39
62.0.47

SEC-395

Summary
Arbitrary file unlink via cPAddons moderation system.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.5
CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N

Description
When the server administrator approves or denies a moderated cPAddons install, the moderation request file stored in the user's home directory is removed. The file removal was performed with root privileges and could be misused by a local attacker to delete arbitrary files on the system.

Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.43
68.0.39
62.0.47

SEC-396

Summary
Email injection in cPAddons moderation.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.6
CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N

Description
The cPAddons moderation script did not adequately validate email addresses provided by the user when handling cPAddons moderation requests. This allowed an attacker to inject arbitrary header data into the moderation response email.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
70.0.43
68.0.39
62.0.47

SEC-398

Summary
Remote-stored XSS in WHM cPAddons installation interface.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description
When installing a cPAddon in WHM, the output was not properly escaped. This allowed an attacker to execute arbitrary code in the rendered page.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
70.0.43
68.0.39
62.0.47

SEC-399

Summary
Remote-stored XSS in YUM autorepair functionality.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description
The EasyApache 3 build process attempts an automatic repair of the system's YUM configuration if it appears broken. While downloading a replacement Yum repo file, error messages generated by the remote server were displayed to the user without context-appropriate escaping. This allowed an attacker to insert arbitrary HTML into the rendered page.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
70.0.43
68.0.39
62.0.47

SEC-400

Summary
Remote-stored XSS in WHM Save Theme interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description
During the download of cPanel-provided themes it was possible for an attacker to inject arbitrary HTML into the rendered page.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
70.0.43
68.0.39
62.0.47

SEC-408

Summary
ClamAV installation reveals the contents of root's crontab.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.2
CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Description
When installing the ClamAV plugin, cron entries are added to root's crontab to refresh the ClamAV virus database. This modification used a world-readable temporary file, allowing unprivileged users to read the contents of root's crontab.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
70.0.43
68.0.39
62.0.47

SEC-421

Summary
Self-XSS in WHM Backup Configuration interface.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description
The backup destination validation alerts did not perform context-appropriate escaping. This allowed an attacker to inject arbitrary HTML into the rendered page.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
70.0.43

SEC-427

Summary
Cron feature restriction not enforced for API calls.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.3
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Description
cPanel accounts without the "Cron" feature were allowed to view and manipulate cron by calling the Cron APIs and adminbins directly.

Credits
This issue was discovered by rack911labs.com.
Solution
This issue is resolved in the following builds:
70.0.43
68.0.39
62.0.47

SEC-429

Summary
Backup feature restriction not enforced for API calls.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Description
The "backupwizard" feature was removed from cPanel & WHM because it duplicated the role of the "backup" feature. When this feature was removed, the API calls that required either of the "backup" or "backupwizard" features became accessible to all users.

Credits
This issue was discovered by rack911labs.com.

Solution
This issue is resolved in the following builds:
70.0.43
68.0.39
62.0.47

SEC-430

Summary
Images feature restriction not enforced for API calls.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.3
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Description
The "Images" feature that is used to control visibility of the "Images" icon in the cPanel interface was checked in an incorrect fashion by the API1 functions that perform image modifications.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
70.0.43
68.0.39
62.0.47

SEC-432

Summary
Cpanel Mime::list_hotlinks API feature restriction not enforced.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.3
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Description
The Mime::list_hotlinks API did not check the correct feature list item. This allowed users without the appropriate feature to access the API.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
70.0.43
68.0.39
62.0.47

SEC-435

Summary
Arbitrary file read in pkgacct custom template handling.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 6.5
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Description
It was possible to add arbitrary files, normally unreadable by unprivileged users, to a backup created by pkgacct by adding a custom Apache vhost template to unrelated files within the userdata directory.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
70.0.43
68.0.39
62.0.47
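The SEC-393 logic flaw, shown as an added example that is not cPanel's code: the flawed version trusts the ACL subset stored with the token, the corrected version re-derives the token's effective ACLs from the reseller's current ACLs on every check. Account, token and ACL names are constructed for the example.

```python
"""Added example, not cPanel's code: a WHM API token's effective ACLs are
derived from the owning reseller's *current* ACLs on every check (SEC-393),
rather than trusted from the set frozen when the token was created."""


def effective_acls_vulnerable(token: dict, account_acls: dict) -> set:
    """Flawed logic: trust the ACL subset stored with the token. If the
    reseller later loses an ACL, the token silently keeps it."""
    return set(token["acls"])


def effective_acls_fixed(token: dict, account_acls: dict) -> set:
    """Corrected logic: a token can never carry more than its owning
    account holds right now, so intersect with the live account ACLs."""
    current = account_acls.get(token["owner"], set())
    return set(token["acls"]) & current


def authorize(token: dict, account_acls: dict, acl: str, fixed: bool = True) -> bool:
    """Evaluate one ACL for one token against the account store."""
    check = effective_acls_fixed if fixed else effective_acls_vulnerable
    return acl in check(token, account_acls)


def demo() -> dict:
    """Constructed scenario (hypothetical names): the administrator revokes
    'kill-acct' from the reseller after a token scoped to it was issued."""
    account_acls = {"reseller1": {"list-accts", "create-acct", "kill-acct"}}
    token = {"owner": "reseller1", "acls": {"list-accts", "kill-acct"}}
    result = {
        # Before the revocation both implementations agree.
        "before": authorize(token, account_acls, "kill-acct"),
        # The token may never exceed the subset chosen at creation either.
        "outside_subset": authorize(token, account_acls, "create-acct"),
    }
    account_acls["reseller1"].discard("kill-acct")  # WHM removes the ACL
    result["after_vulnerable"] = authorize(token, account_acls, "kill-acct", fixed=False)
    result["after_fixed"] = authorize(token, account_acls, "kill-acct")
    return result


if __name__ == "__main__":
    print(demo())
```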
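For SEC-395, an added example (not cPanel's code) of how a root-privileged cleanup can remove a request file from a user's home directory without being redirected onto other files: every path component is validated, the subdirectory is opened without following symlinks, and the entry is checked with lstat and unlinked relative to that same directory descriptor. The home layout and the "reqs" subdirectory name are hypothetical.

```python
"""Added example, not cPanel's code: a root-privileged cleanup of a request
file inside a user's home directory that cannot be redirected onto other
files (SEC-395). Names and the "reqs" subdirectory layout are hypothetical."""
import os
import stat
import tempfile


class UnsafeRemoval(Exception):
    """The path is not a plain, user-owned file inside a plain directory."""


def remove_request_file(home: str, subdir: str, name: str, uid: int) -> bool:
    """Delete home/subdir/name; True if removed, False if it did not exist."""
    for part in (subdir, name):
        if os.sep in part or part in ("", ".", ".."):
            raise UnsafeRemoval(f"bad path component {part!r}")
    home_fd = os.open(home, os.O_RDONLY | os.O_DIRECTORY)  # trusted path
    try:  # O_NOFOLLOW: fails with ELOOP if the user swapped subdir for a symlink
        sub_fd = os.open(subdir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                         dir_fd=home_fd)
    except FileNotFoundError:
        return False
    except OSError as e:  # ELOOP, ENOTDIR, ...
        raise UnsafeRemoval(f"{subdir!r}: {e.strerror}") from e
    finally:
        os.close(home_fd)
    try:
        try:
            st = os.lstat(name, dir_fd=sub_fd)  # lstat never follows links
        except FileNotFoundError:
            return False
        if not stat.S_ISREG(st.st_mode) or st.st_uid != uid:
            raise UnsafeRemoval(f"{name!r} is not a regular file owned by {uid}")
        os.unlink(name, dir_fd=sub_fd)  # same directory the checks inspected
        return True
    finally:
        os.close(sub_fd)


def demo() -> dict:
    """Constructed scenario in temp dirs; returns the outcome of each case."""
    out = {}
    with tempfile.TemporaryDirectory() as home, tempfile.TemporaryDirectory() as other:
        os.mkdir(os.path.join(home, "reqs"))
        open(os.path.join(home, "reqs", "r1"), "w").close()
        out["plain"] = remove_request_file(home, "reqs", "r1", os.getuid())
        out["absent"] = remove_request_file(home, "reqs", "r1", os.getuid())
        os.rmdir(os.path.join(home, "reqs"))
        os.symlink(other, os.path.join(home, "reqs"))  # user redirects the dir
        try:
            remove_request_file(home, "reqs", "r1", os.getuid())
            out["symlinked_dir"] = "removed"
        except UnsafeRemoval:
            out["symlinked_dir"] = "refused"
    return out
```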
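SEC-427, SEC-429, SEC-430 and SEC-432 share one root cause: the feature list was consulted when drawing interface icons but not by the API entry points themselves. The following added example (not cPanel's code; feature names, API names and account data are hypothetical and constructed) puts the gate on the API handler, keeps a retired feature name such as "backupwizard" from opening the call to everyone, and reports endpoints that still name a feature the product no longer defines.

```python
"""Added example, not cPanel's code: enforcing feature-list restrictions at
the API layer instead of only when deciding which icons to draw (SEC-427,
SEC-429, SEC-430, SEC-432). Feature and API names are hypothetical."""
from functools import wraps

# Constructed data: features the product still defines, and per-account
# feature lists. "backupwizard" has been retired, as in SEC-429.
KNOWN_FEATURES = {"cron", "backup", "images", "hotlink"}
ACCOUNT_FEATURES = {"alice": {"images"}, "bob": {"cron", "backup", "hotlink"}}
API_REQUIREMENTS = {}  # api name -> set of alternative required features


class FeatureDenied(PermissionError):
    """Raised instead of silently running the call."""


def requires_feature(*alternatives):
    """Permit the call only if the account holds ANY of `alternatives`.
    A feature nobody can hold any more (retired) simply never matches, so
    the call stays closed rather than becoming open to every account."""
    def deco(fn):
        API_REQUIREMENTS[fn.__name__] = set(alternatives)

        @wraps(fn)
        def wrapper(user, *args, **kwargs):
            held = ACCOUNT_FEATURES.get(user, set())
            if not held.intersection(alternatives):
                raise FeatureDenied(f"{user} lacks {alternatives} for {fn.__name__}")
            return fn(user, *args, **kwargs)
        return wrapper
    return deco


@requires_feature("cron")
def cron_listcron(user):
    return ["0 3 * * * /usr/local/bin/nightly.sh"]  # constructed crontab line


@requires_feature("backup", "backupwizard")
def backup_fullbackup(user):
    return "backup queued"


def stale_requirements() -> dict:
    """Endpoints still naming features the product no longer defines; run
    this in CI so a feature removal cannot silently loosen an API check."""
    return {api: req - KNOWN_FEATURES for api, req in API_REQUIREMENTS.items()
            if req - KNOWN_FEATURES}


def permitted(user, handler) -> bool:
    """True if the gated call runs for `user`, False if the gate rejects it."""
    try:
        handler(user)
        return True
    except FeatureDenied:
        return False
```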