cPanel TSR-2018-0004 Full Disclosure

SEC-367

Summary
Stored-XSS in WHM File Restoration interface.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.6
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Description
Filenames containing AngularJS markup were interpolated into angular-growl format strings. These format strings were then interpolated a second time before being used in growl notifications. This allowed cPanel users to insert XSS payloads into the WHM File Restoration interface.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
72.0.10
70.0.53

SEC-416

Summary
Apache configuration injection due to document root variable interpolation.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.3
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

Description
Subdomain document root paths were allowed with Apache variable interpolation syntax. Under some conditions, malicious cPanel users could misuse this behavior to inject arbitrary Apache directives into the web server's configuration.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
72.0.10
70.0.53

SEC-418

Summary
Insecure storage of phpMyAdmin session files.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.2
CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

Description
Due to a misconfiguration of phpMyAdmin's php.ini file, the /tmp directory was used for session file storage. Local attackers could misuse this behavior to execute arbitrary code as the shared cpanelphpmyadmin user.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
72.0.10
70.0.53

SEC-420

Summary
SQL injection during database backups.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 6.5
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Description
The cPanel backup process creates temporary data as part of backing up a database. The format of this data was vulnerable to manipulation by the names of the backed-up databases. This allowed an attacker to execute arbitrary SQL commands with the root account's MySQL permissions.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
72.0.10
70.0.53

SEC-424

Summary
File modification as root via faulty HTTP authentication.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 6.5
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

Description
When logging in via HTTP Basic Authentication, the REMOTE_USER environment variable is set from the username. By inserting null characters into the username, it was possible to truncate the environment variable when it is passed to subprocesses. This allowed local attackers to modify files as the root user.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
72.0.10
70.0.53

SEC-425

Summary
Limited file read via password file caching.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.8
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

Description
When logging in as a webmail user, cpsrvd reads the password and cache files located in the user's home directory as root. It was possible to cause this to read arbitrary files on the system and write back a limited amount of data to the user's home directory.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
72.0.10
70.0.53

SEC-426

Summary
Arbitrary zonefile modifications allowed during record edits.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.3
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Description
The types of DNS zone records that a cPanel user may add, delete, or edit are limited by the feature settings for the account. During zonefile edits, the new type of an edited record was not validated as a permitted record type for the user. This allowed cPanel users with the "changemx", "simplezoneedit", or "zoneedit" features to make arbitrary changes to zone files.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
72.0.10
70.0.53

SEC-436

Summary
Arbitrary file read during File Restoration.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.9
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

Description
When using the "File Restoration" feature on an incremental backup, it incorrectly translated tar escape sequences in filenames. This allowed an attacker to read arbitrary files on the system as root.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
72.0.10
70.0.53

SEC-439

Summary
Arbitrary zonefile modifications due to faulty CAA record handling.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.3
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Description
cPanel accounts with the "zoneedit" feature are allowed to create and modify CAA DNS records. The validator for new CAA records allowed several types of injections that would split a single CAA record entry into multiple DNS records with arbitrary content.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
72.0.10
70.0.53

SEC-442

Summary
File rename vulnerability during account renames.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.2
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N

Description
While renaming cPanel accounts, the security policy data files stored in the user's home directory were renamed with root permissions. This allowed malicious resellers with the Account Modification privilege to rename arbitrary files on the system.

Credits
This issue was discovered by rack911labs.com.

Solution
This issue is resolved in the following builds:
72.0.10
70.0.53

SEC-443

Summary
Website contents accessible to local attackers through git repos.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.9
CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Description
The Git Version Control functionality in cPanel relied on the git binary to create the directories for git repos. The git binary created these directories with very open (0755) permissions, allowing other accounts on the system to examine the contents of the files in the repo. This functionality has been changed to create repo directories with 0700 permissions if the directory does not already exist.

Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
72.0.10
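The two zone-editing issues above, SEC-426 (the new type of an edited record was never checked against the account's features) and SEC-439 (CAA fields that could split one submission into several records), share one defensive shape: authorize the record type first, then validate every field before it is serialized into the zone file. The following is an added example written for this advisory, not cPanel's code; the feature-to-record-type mapping is an assumption made for illustration.

```python
import re

# Illustrative allow-list (an assumption for this example, not cPanel's real
# feature map): which DNS record types each cPanel feature may manage.
FEATURE_RECORD_TYPES = {
    "changemx": {"MX"},
    "simplezoneedit": {"A", "CNAME"},
    "zoneedit": {"A", "AAAA", "CNAME", "MX", "TXT", "SRV", "CAA"},
}

# CAA presentation format (RFC 8659) is "<flags> <tag> <value>"; the tag is
# 1 to 15 letters or digits.
_CAA_TAG = re.compile(r"[A-Za-z0-9]{1,15}")


def permitted_types(features):
    """Union of the record types the account's enabled features allow."""
    allowed = set()
    for feature in features:
        allowed |= FEATURE_RECORD_TYPES.get(feature, set())
    return allowed


def validate_caa(flags, tag, value):
    """True only if the fields serialize to exactly one well-formed CAA RR."""
    if not isinstance(flags, int) or not 0 <= flags <= 255:
        return False
    if not isinstance(tag, str) or not _CAA_TAG.fullmatch(tag):
        return False
    # Printable ASCII only: CR or LF would start a new zone-file line, and a
    # quote or backslash could end the quoted string serialize_caa() emits
    # early. Spaces and ';' are legitimate inside a CAA value.
    return bool(value) and all(0x20 <= ord(c) <= 0x7E and c not in '"\\'
                               for c in value)


def serialize_caa(owner, flags, tag, value):
    """Emit the single zone-file line; callers run validate_caa() first."""
    return f'{owner} IN CAA {flags} {tag.lower()} "{value}"'


def check_zone_edit(features, old_type, new_type, rdata=None):
    """Authorize an edit. Both the existing and the new record type must be
    permitted (SEC-426: the new type went unchecked) and a CAA record must
    pass field validation (SEC-439). Returns (ok, reason)."""
    allowed = permitted_types(features)
    for rtype in (old_type, new_type):
        if rtype not in allowed:
            return False, f"record type {rtype} not permitted for this account"
    if new_type == "CAA" and (rdata is None or not validate_caa(*rdata)):
        return False, "malformed CAA record"
    return True, "ok"
```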
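For SEC-416, the document root is user-controlled text that ends up inside an Apache directive, so it has to be normalized, confined to the account's home directory, and restricted to characters that Apache cannot read as variable syntax. This is an added example, not cPanel's code; the home-directory argument and the vhost template are assumptions for illustration, and the server name is assumed to be validated elsewhere.

```python
import posixpath
import re

# Allow-list for each path component below the home directory. It has no
# '$', '{', '}', quotes, whitespace or control characters, so the value can
# never be read as an Apache variable reference (${VAR}) or break out of a
# DocumentRoot directive's quotes.
_SAFE_COMPONENT = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def validate_docroot(homedir, requested):
    """Return the normalized absolute document root, or raise ValueError.
    homedir is the account's home directory (an input assumed for this
    example); relative requests are resolved beneath it."""
    if not requested or "\0" in requested:
        raise ValueError("empty or NUL-containing path")
    home = posixpath.normpath(homedir)
    path = requested if requested.startswith("/") else posixpath.join(home, requested)
    path = posixpath.normpath(path)  # collapses '..', '//' and a trailing '/'
    if path != home and not path.startswith(home + "/"):
        raise ValueError("document root must live under the home directory")
    for component in path[len(home):].split("/"):
        if component and not _SAFE_COMPONENT.fullmatch(component):
            raise ValueError(f"disallowed characters in {component!r}")
    return path


def is_valid_docroot(homedir, requested):
    """Boolean form of validate_docroot for callers that only need yes/no."""
    try:
        validate_docroot(homedir, requested)
        return True
    except ValueError:
        return False


def render_vhost(servername, homedir, requested):
    """Build the vhost fragment only from a validated path, so no raw
    user-supplied text reaches the Apache configuration parser."""
    docroot = validate_docroot(homedir, requested)
    return (
        "<VirtualHost *:80>\n"
        f"    ServerName {servername}\n"
        f'    DocumentRoot "{docroot}"\n'
        "</VirtualHost>\n"
    )
```

normpath works on the string alone; on a live system a realpath-based check after the directory exists would also catch symlinks pointing outside the home directory.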
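SEC-420 is the classic case of a name being spliced into SQL as text instead of being treated as a single identifier token. The following is an added example, not cPanel's backup code: the two statements it emits (CREATE DATABASE and USE) are an assumed stand-in for whatever the real backup data looked like, and the quoting rules are MySQL's documented identifier rules.

```python
MAX_IDENTIFIER_LEN = 64  # MySQL's limit for database (schema) names


def quote_identifier(name):
    """Wrap a MySQL identifier in backticks so none of its characters can
    alter the statement around it. Raises ValueError for names MySQL would
    not accept anyway (empty, NUL, too long, trailing space)."""
    if not isinstance(name, str) or not name:
        raise ValueError("identifier must be a non-empty string")
    if "\0" in name:
        raise ValueError("identifier cannot contain NUL")
    if len(name) > MAX_IDENTIFIER_LEN:
        raise ValueError(f"identifier longer than {MAX_IDENTIFIER_LEN} characters")
    if name.endswith(" "):
        raise ValueError("identifier cannot end with a space")
    # Inside a backtick-quoted identifier a literal backtick is written twice.
    return "`" + name.replace("`", "``") + "`"


def is_valid_identifier(name):
    """Boolean form of quote_identifier for pre-flight checks."""
    try:
        quote_identifier(name)
        return True
    except ValueError:
        return False


def restore_header_unsafe(db_name):
    """The pattern behind SEC-420: the database name is pasted into SQL text
    as-is, so any SQL syntax it carries becomes part of the statement."""
    return [f"CREATE DATABASE IF NOT EXISTS {db_name};", f"USE {db_name};"]


def restore_header(db_name):
    """Hardened form: the name is always exactly one quoted identifier token,
    whatever characters it contains."""
    ident = quote_identifier(db_name)
    return [f"CREATE DATABASE IF NOT EXISTS {ident};", f"USE {ident};"]
```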