-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

cPanel TSR-2018-0005 Full Disclosure

SEC-409

Summary
ClamAV daemon can be shut off by any local user.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.3
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Description
The userspace socket file for the clamd daemon has open permissions so that
the userspace scanning functionality in cPanel can communicate with it.
However, the same socket also accepts the SHUTDOWN command, which allowed
any unprivileged local user to shut down the ClamAV daemon.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
74.0.8
70.0.57

SEC-428

Summary
Self-XSS in WHM 'Create a New Account' interface.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.4
CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

Description
Error messages produced by the zone template during account creation were
rendered without context-appropriate escaping. This allowed an attacker to
inject arbitrary HTML into the rendered page.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
74.0.8
70.0.57

SEC-433

Summary
Self-XSS in WHM 'Security Questions' interface.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.7
CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Description
User-supplied parameters for the WHM 'Security Questions' interface were
displayed without context-appropriate escaping. This allowed an attacker to
inject arbitrary code into the rendered page.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
74.0.8
70.0.57

SEC-434

Summary
Self-XSS in cPanel 'Site Software Moderation' interface.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.7
CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Description
Certain user-supplied parameters shown as part of the cPanel 'Site Software
Moderation' interface were displayed without context-appropriate escaping.
This allowed an attacker to inject arbitrary code into the rendered page.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
74.0.8
70.0.57

SEC-437

Summary
Self-XSS in WHM 'Style Upload' interface.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.7
CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Description
When using the Customization interface in WHM, error messages that display
user-supplied input were rendered without context-appropriate escaping.
This allowed an attacker to inject arbitrary code into the rendered page.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
74.0.8
70.0.57

SEC-441

Summary
Actively stored XSS in WHM 'File and Directory Restoration' interface.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.9
CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

Description
During file and directory restoration operations, a cPanel user was able to
intercept the json-api requests made by the WHM reseller and send back
corrupted json-api responses. These corrupted API responses were displayed
without appropriate escaping, allowing the cPanel user to insert HTML into
the reseller's web interface.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
74.0.8
70.0.57

SEC-444

Summary
Demo account code execution via Fileman::viewfile API.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Description
When the Fileman::viewfile API is called on an RPM file, the rpm utility is
invoked to display information about the file. Arguments were passed
incorrectly to the rpm utility. This allowed a demo-account user to run
arbitrary code as the demo user.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
74.0.8
70.0.57

SEC-445

Summary
Invalid email_accounts.json prevents full account suspension.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.3
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Description
When a user's email_accounts.json file is corrupted, the suspend script
raises an exception. This causes the script to fail before the full
suspension process has completed. A user could take advantage of this to
prevent full suspension of their account.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
74.0.8
70.0.57

SEC-446

Summary
Self-Stored XSS on 'Security Questions' login page.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.4
CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

Description
A reseller with 'all' privileges can set security questions and answers that
are used for verification when logins occur from an unrecognized IP address.
These questions and answers were displayed without context-appropriate
escaping, which allowed an attacker to inject arbitrary code into the
rendered page.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
74.0.8
70.0.57

SEC-447

Summary
Arbitrary file write as root in WHM 'Force Password Change'.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.4
CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:H

Description
A recent refactoring of the WHM 'Force Password Change' subsystem caused a
user-controlled file to be written with root's effective permissions. This
allowed an attacker to overwrite arbitrary files on the system.

Credits
This issue was discovered by rack911labs.com.

Solution
This issue is resolved in the following builds:
74.0.8
70.0.57

SEC-449

Summary
FTP access allowed during account suspension.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 6.5
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Description
When the system was configured with ProFTPd as the FTP daemon, suspending a
cPanel account did not disable FTP access for the account.

Credits
This issue was discovered by Harry Li from GoDaddy.

Solution
This issue is resolved in the following builds:
74.0.8
70.0.57
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

iQJIBAEBCgAyFiEEtnCbTMb0IHf2mEGRlSG+3KvZTd8FAluhURAUHHNlY3VyaXR5
QGNwYW5lbC5uZXQACgkQlSG+3KvZTd8Oew/+OJqphiinq+F1CuHpCXOTBuE5/Vn6
kZyKetj70tFDdMmzxswsY/uzVaYRb315SFS/lb+M2mYR4cAy5b2qjGBm4VG7G14G
NsMynu3zdLAvlbLTI3ha29YrZ8Dro5jqfk1/Dw7K9Vxjf8Z3qjavfq5nitPDrNo7
FP6uXjjXqBP1g6bwUJhW0YUiYie5/OBqO1p4DqsjgU0pJvNNLKNfCYmMLYvEgyUG
uxOTdDgA/6q1L49TwyL+bjU6+N8rr3Olls+Mu866RRZKCpqJvKnBVE+VorGTxXHK
XbfjC9gD6t65vZqCB65HqLjEr0pCZMVN2B3j9wqR/8CHMHIu5XishlhAb+3LUCu+
RkRrx7u0zxAivjXdPVWUKQxWlX+h2zW/RjZCdN4SPuLa6dashO/T37aSUIGZk32P
LRE2lQL4EGnJ75QQpMuBXbI780pU0QOJk2sCWqqafeyUsqAT0vm3u/Mh4ve1To8E
rRmXyr67wX7Sfek89HE/4ch81zKp9AjDWyZcXS5keTGv0SGE0JIUnMvF4PPei5X1
5INxqhVot89whsX5QLvDSUy4ym5ZCkxdz6G7kojcWFa8EJRpA9NvIGHGluPE6g2R
5TkThN4pkuT0xIiQyLeGIAoZd/k8rWg8vzEMDfSRYjikdR4w1sPynyZtiTcbK41B
XuKx16Pfqkvtttk=
=4XVX
-----END PGP SIGNATURE-----
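The following is an added illustration for SEC-409 and is not part of the signed advisory, nor cPanel's or ClamAV's code. The advisory does not say how cPanel fixed the issue; this Python sketch shows one mitigation pattern for a world-accessible command socket: keep the socket permissive for scanning, but gate the privileged commands on the kernel-reported uid of the connecting process (Linux SO_PEERCRED). The command sets, reply strings and the split between public and privileged commands are assumptions made for the example.

```python
import os
import socket
import struct
import tempfile
import threading

# Constructed policy for a clamd-style command socket. Real clamd treats every
# command alike; gating by peer credentials is one mitigation pattern for the
# problem SEC-409 describes, not the fix cPanel or ClamAV shipped.
PUBLIC_COMMANDS = {"PING", "VERSION", "STATS", "SCAN", "INSTREAM"}
PRIVILEGED_COMMANDS = {"SHUTDOWN", "RELOAD"}


def authorize(command, peer_uid, admin_uids=(0,)):
    """Return True if a peer running as peer_uid may issue command."""
    if command in PUBLIC_COMMANDS:
        return True
    if command in PRIVILEGED_COMMANDS:
        return peer_uid in admin_uids
    return False  # anything unknown is refused outright


def handle(command, peer_uid):
    """Build the reply for one command line, clamd-style."""
    if not authorize(command, peer_uid):
        # Same wording whether the command is unknown or forbidden, so a
        # caller cannot probe which privileged commands exist.
        return "UNKNOWN COMMAND"
    if command == "PING":
        return "PONG"
    if command == "SHUTDOWN":
        return "SHUTDOWN: ok"  # a real daemon would stop its listener here
    return f"{command}: OK"


def peer_uid(conn):
    """uid of the process at the other end, as reported by the kernel (Linux)."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", raw)
    return uid


def serve_one(path, ready):
    """Accept a single connection on a world-accessible socket and answer it."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(path)
        os.chmod(path, 0o666)  # as permissive as the socket the advisory describes
        srv.listen(1)
        ready.set()
        conn, _ = srv.accept()
        with conn:
            line = conn.recv(256).decode("ascii", "replace").strip()
            conn.sendall((handle(line, peer_uid(conn)) + "\n").encode())
    finally:
        srv.close()


def send_command(path, command):
    """Client side: one command, one reply line."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as cli:
        cli.connect(path)
        cli.sendall((command + "\n").encode())
        return cli.recv(256).decode().strip()


def demo():
    """Run server and client in-process: PING works for anyone, SHUTDOWN
    only when this process runs as uid 0."""
    replies = {}
    with tempfile.TemporaryDirectory() as tmp:
        for cmd in ("PING", "SHUTDOWN"):
            path = os.path.join(tmp, "clamd.sock")
            ready = threading.Event()
            worker = threading.Thread(target=serve_one, args=(path, ready))
            worker.start()
            ready.wait()
            replies[cmd] = send_command(path, cmd)
            worker.join()
            os.unlink(path)
    return replies


if __name__ == "__main__":
    for cmd, reply in demo().items():
        print(f"{cmd:9} -> {reply}")
```

The file mode check that a practitioner would run first is independent of this code: if `stat -c %a` on the clamd socket reports 666 (or the socket sits in a directory every user can traverse), every local user can reach it, and whatever the daemon accepts unauthenticated is theirs to use.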
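The six XSS entries above (SEC-428, SEC-433, SEC-434, SEC-437, SEC-441 and SEC-446) share one root cause: a value is placed into a page without escaping for the context it lands in. The Python below is an added example, not cPanel's Perl template code, and the three-slot template is a constructed stand-in for the error and confirmation pages those entries mention. It contrasts raw interpolation with escaping chosen per context (element text, quoted attribute, inline JavaScript string). SEC-441 adds a reminder that the rule applies to data returned by your own API calls as well: a response a lower-privileged user can tamper with is user input.

```python
import html
import json

# Constructed payload of the kind the advisories describe: user-supplied text
# that closes the surrounding HTML construct and starts a script.
PAYLOAD = '"><script>alert(document.cookie)</script>'


def for_html_text(value):
    """Escape for element content: & < > are what matter there."""
    return html.escape(str(value), quote=False)


def for_html_attr(value):
    """Escape for a quoted attribute value: the quote characters must go too."""
    return html.escape(str(value), quote=True)


def for_js_string(value):
    """Embed a value inside an inline <script> as a JavaScript string literal.

    JSON encoding handles quotes, backslashes and control characters; the extra
    replacements stop '</script>' or '<!--' inside the value from ending the
    script block early, which json.dumps alone does not prevent."""
    encoded = json.dumps(str(value))
    return (encoded.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


# Minimal stand-in for an error/confirmation template with three contexts.
TEMPLATE = (
    '<p class="error">{text}</p>\n'
    '<input type="text" name="answer" value="{attr}">\n'
    '<script>var lastQuestion = {js};</script>'
)


def render_unsafe(value):
    """The pattern behind the self-XSS entries: raw interpolation everywhere."""
    return TEMPLATE.format(text=value, attr=value, js='"%s"' % value)


def render_safe(value):
    """Each slot escaped for the context it lands in."""
    return TEMPLATE.format(
        text=for_html_text(value),
        attr=for_html_attr(value),
        js=for_js_string(value),
    )


if __name__ == "__main__":
    print(render_unsafe(PAYLOAD))
    print("-" * 40)
    print(render_safe(PAYLOAD))
```

Escaping once, in the template engine, with the output context known, is what "context-appropriate" means; escaping on input (or applying HTML escaping to a value that ends up in JavaScript) leaves one of the three slots above exploitable.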
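For SEC-444 the advisory says only that arguments were passed incorrectly to rpm. The added example below (Python, not cPanel's Perl code) shows the two ways that typically goes wrong when a tool is run on a user-named file, and the one argv shape that avoids both: a command string handed to a shell lets metacharacters in the file name start a second command, and an argv without `--` lets a file name that begins with `-` be read as an option (rpm has a `--pipe CMD` option that runs a command). `echo` stands in for rpm so the difference is visible on a machine without rpm; the file name is constructed.

```python
import shutil
import subprocess

# Constructed file name. A cPanel user chooses the names of files in their own
# home directory, so shell metacharacters in the name are realistic input.
HOSTILE_NAME = "pkg.rpm; echo INJECTED"


def inspect_unsafe(tool, path):
    """The failure pattern: one command string that /bin/sh re-parses.
    The ';' in the file name ends the first command and starts another."""
    cp = subprocess.run(f"{tool} {path}", shell=True,
                        capture_output=True, text=True)
    return cp.stdout


def build_argv(tool, options, path):
    """Argument vector with no shell and an explicit end of options.

    Without '--', a file named '--pipe=id' would be parsed by rpm as its
    --pipe option (see rpm(8)), which executes a command."""
    return [tool, *options, "--", path]


def inspect_safe(tool, path, options=()):
    """Every element of the list is exactly one argument; nothing is re-parsed."""
    cp = subprocess.run(build_argv(tool, options, path),
                        capture_output=True, text=True)
    return cp.stdout


def rpm_info(path):
    """What viewfile-style code should run for a real package: rpm -q -i -p -- FILE.
    Returns None when rpm is not installed so the rest of the demo still works."""
    if shutil.which("rpm") is None:
        return None
    return inspect_safe("rpm", path, options=("-q", "-i", "-p"))


if __name__ == "__main__":
    print("unsafe:", repr(inspect_unsafe("echo", HOSTILE_NAME)))
    print("safe:  ", repr(inspect_safe("echo", HOSTILE_NAME)))
    print("rpm:   ", rpm_info(HOSTILE_NAME))
```

The same rule holds for Perl: a single-string `system("rpm -qip $file")` goes through the shell, while the list form `system("rpm", "-q", "-i", "-p", "--", $file)` does not.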
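SEC-445 and SEC-449 are both failures of a suspension routine to complete: in one case a corrupt per-account file raises an exception that aborts the remaining steps, in the other a step (disabling FTP under ProFTPd) was not performed. The added example below is not cPanel's suspend script; it is a constructed Python model of a multi-step lockout with a deliberately truncated `email_accounts.json`, contrasting a routine that stops at the first exception with one that runs every step, records what failed, and still marks the account suspended. The step names and the account record are assumptions made for the example.

```python
import json

# Constructed account record. email_accounts.json is truncated on purpose to
# reproduce the corrupt-file condition from SEC-445.
ACCOUNT = {
    "user": "example",
    "email_accounts_json": '{"accounts": [{"login": "a@example.com"',
    "ftp_enabled": True,
    "password_locked": False,
    "email_suspended": [],
    "suspended": False,
}


def step_suspend_email(acct):
    """Parses the per-account JSON; raises on a corrupt file."""
    data = json.loads(acct["email_accounts_json"])
    acct["email_suspended"] = [a["login"] for a in data["accounts"]]


def step_lock_password(acct):
    acct["password_locked"] = True


def step_disable_ftp(acct):
    """The step SEC-449 says was missing on ProFTPd-backed systems."""
    acct["ftp_enabled"] = False


SUSPEND_STEPS = (step_suspend_email, step_lock_password, step_disable_ftp)


def suspend_fragile(acct, steps=SUSPEND_STEPS):
    """Stop at the first exception: one bad file leaves FTP and the password
    untouched, which is the behaviour SEC-445 describes."""
    for step in steps:
        step(acct)  # an uncaught exception aborts the whole run
    acct["suspended"] = True
    return acct


def suspend_robust(acct, steps=SUSPEND_STEPS):
    """Run every step, record failures, and mark the account suspended
    regardless. Returns a report so the operator can see what did not happen."""
    report = {}
    for step in steps:
        try:
            step(acct)
            report[step.__name__] = "ok"
        except Exception as exc:  # any single failure must not stop the lockout
            report[step.__name__] = f"failed: {type(exc).__name__}: {exc}"
    acct["suspended"] = True
    return report


def run(suspend_fn):
    """Apply a suspend routine to a fresh copy of the constructed account and
    return (account state, result or abort reason)."""
    acct = json.loads(json.dumps(ACCOUNT))  # deep copy
    try:
        result = suspend_fn(acct)
    except Exception as exc:
        result = f"aborted: {type(exc).__name__}"
    return acct, result


if __name__ == "__main__":
    for fn in (suspend_fragile, suspend_robust):
        acct, result = run(fn)
        print(fn.__name__, "->", result)
        print("   ftp_enabled:", acct["ftp_enabled"],
              "password_locked:", acct["password_locked"],
              "suspended:", acct["suspended"])
```

The design point is fail-closed ordering: a lockout should treat each step's failure as something to report, not as a reason to leave the account partly open, and the set of steps has to include every access path the account has (mail, password login, FTP, and anything else the server exposes).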