-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

cPanel TSR-2018-0006 Full Disclosure

SEC-366

Summary

PostgreSQL password changes performed in an insecure manner.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.8
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

Description

When the WHM 'Configure PostgreSQL' interface was used to change the primary PostgreSQL password, it was possible for unauthorized users to log into PostgreSQL during the change and set the password to a value of their own, overriding the password entered in WHM.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
76.0.8
74.0.11
70.0.61

SEC-452

Summary

Unauthenticated remote code execution via mailing list attachments.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 6.5
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

Description

In certain situations, Mailman preserved the extension of PHP script attachments when storing them. When such an attachment was later viewed through the web server, the script could be executed, allowing anyone able to send mail to the list to run arbitrary code on the server.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
76.0.8
74.0.11
70.0.61

SEC-454

Summary

Virtual FTP accounts remain after their domain is removed.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.8
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Description

Virtual FTP accounts created by cPanel users are mapped to specific domains in the FTP password files. In some configurations, it was possible to authenticate as a virtual FTP account after the domain of that account had been removed from the system.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
76.0.8
74.0.11
70.0.61

SEC-459

Summary

Self-XSS Vulnerability in WHM Additional Backup Destination.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.7
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

Errors returned by the backend APIs used by this interface were rendered without context-appropriate encoding. Because of this, it was possible for an attacker to inject arbitrary code into the rendered interface with a crafted error message.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
76.0.8
74.0.11
70.0.61

SEC-461

Summary

Stored XSS in WHM 'Reset a DNS Zone'.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.7
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

When resetting a DNS zone, the new zone was displayed to the user without context-appropriate escaping. Because of this, an attacker could inject arbitrary code into the rendered page.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
76.0.8
74.0.11
70.0.61

SEC-462

Summary

Open redirect when resetting connections.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.7
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Description

When cpsrvd determines that it is necessary to reset an HTTP connection, it sends a 307 or 308 redirect response to the client. The Location header in this response was not escaped correctly, allowing an attacker to use the response as an open redirect.

Credits

This issue was discovered by Ian Dunn of WordPress.

Solution

This issue is resolved in the following builds:
76.0.8
74.0.11
70.0.61

SEC-464

Summary

Stored XSS in WHM MultiPHP Manager interface.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.7
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

The errors generated by the WHM MultiPHP Manager interface did not apply context-appropriate escaping.
Because of this, it was possible for an attacker to trigger an error message that injected arbitrary code into the rendered page.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
76.0.8
74.0.11
70.0.61

SEC-465

Summary

Arbitrary code execution as root via dnssec adminbin.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 7.8
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

The dnssec adminbin did not adequately validate the nsec_config or algo_config parameters. By injecting malicious data into these parameters, it was possible for an attacker to execute arbitrary code on the system.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
76.0.8
74.0.11
70.0.61

SEC-467

Summary

WebDAV backup transport writes debug files containing sensitive information.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 5.5
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Description

The WebDAV backup transport module enabled debug logging in HTTP::DAV. This debug output was written to a hardcoded file in an unsafe location, and it contained sensitive information that could allow an attacker who could read the file to access the remote WebDAV server.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
76.0.8
74.0.11
70.0.61

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

iQJIBAEBCgAyFiEEtnCbTMb0IHf2mEGRlSG+3KvZTd8FAlv0XNwUHHNlY3VyaXR5
QGNwYW5lbC5uZXQACgkQlSG+3KvZTd8tDQ//f06lNMxw+Z6etaqP+xiJxOqOQnVE
OImSe5vpvgVBNbWlwpi4HR4YKZkFteCKazEVssqmROyB/8GG3PFh7JN8X/rBrkwR
164pXzx4ml0s/EuS3vPTAW2epJoovsD6ujFGXfo8792Qrj5AUolkxqExxF3szYpg
wkBEoWM9Ifq0U8qzkioAnNtmB8KQrsfjRUWEa+X33ZzNaO8Bno4LjkeiYSlYygRd
3kdoKHUnqq/Z5JunPbimEFTLhEE+Hvyv5JqgBq312t7jxMV725f1lJMRBDXj1vKK
J069JQE2IRRHFQuyCbUJKHhBViqfGaK79HZhUIP/q6UTvnEfiujmq3Y5hiTEQlW0
NBHeQPtx9sJ55U54QKD24BPd/Mc/6haDLR/URwO09OX/L3LncO3tE/7PtLKJksk5
o6mqP69r+AF7ukqj0CCFBzc6m9oUQ4DQmamoTmVJDy9oci9twji/PKjKbyrknZld
a+6XcrbKmHQvU1izmI/ZJTtMyOAhAEZG6yOnujIRndbeTjTO/pJc5LoX0eaM7jae
sYGd7U7dgvspskVZ5p0kc1CsbfwZe/oX0WUqxoQ8F1TMgFJQTQRsc4lU8f28urk4
vFGYhd2pi7PTLyNG4tDJ6/RoElEx+O+KN8Waj4zcXilL57x9l0kk0V/tpCALXfaE
r7Jla1j05IxY+eM=
=zDCV
-----END PGP SIGNATURE-----
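Worked example for SEC-452 (added here by the editor; this is not cPanel's or Mailman's code, and it is written in Python rather than cPanel's Perl so it runs stand-alone). It shows the hardening the advisory implies: when an attachment is written into a directory the web server serves, keep its extension only if that extension is on an allow-list and collapse inner dots, because with Apache's AddHandler a script handler matches any dot-separated segment of a name, not just the last one. The extension lists and the sample filenames are the editor's own, not values from the advisory.

```python
import re

# Allow-list of extensions an archive may keep verbatim (editor's assumption).
# The deny-list alternative ("php", "phtml", ...) has to track every handler the
# web server knows (php7, phar, shtml, cgi, ...) and still misses names such as
# "shell.php.jpg", which Apache's "AddHandler ... .php" matches on the inner
# segment.
SAFE_EXTENSIONS = frozenset({
    "txt", "pdf", "png", "jpg", "jpeg", "gif", "csv", "ics", "zip", "gz",
})

# Handler extensions worth flagging when auditing files already in an archive.
SCRIPT_EXTENSIONS = frozenset({
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "phps", "phar",
    "cgi", "pl", "py", "sh", "shtml", "shtm", "htaccess", "htpasswd",
})

_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def safe_attachment_name(filename: str, fallback_ext: str = "bin") -> str:
    """Return a name that is safe to store in a web-served directory.

    Directory components, NUL and unusual characters are removed, inner dots
    become underscores (so no handler can match an inner segment), and the
    final extension survives only if it is on SAFE_EXTENSIONS; everything
    else is stored with `fallback_ext`, which no stock handler executes.
    """
    name = filename.replace("\x00", "").replace("\\", "/").rsplit("/", 1)[-1]
    name = _UNSAFE_CHARS.sub("_", name).strip("._-")
    segments = name.split(".") if name else []
    if len(segments) > 1:
        stem, ext = "_".join(segments[:-1]), segments[-1].lower()
    else:
        stem, ext = (segments[0] if segments else ""), ""
    if not stem:
        stem = "attachment"
    if ext not in SAFE_EXTENSIONS:
        ext = fallback_ext
    return f"{stem}.{ext}"


def has_script_segment(stored_name: str) -> bool:
    """True if any dot-separated segment of an existing name is a handler
    extension; used to audit attachments an older version already stored."""
    return any(seg.lower() in SCRIPT_EXTENSIONS for seg in stored_name.split("."))


def audit_archive(names) -> list:
    """Return the subset of archive file names that should be renamed."""
    return [n for n in names if has_script_segment(n)]


if __name__ == "__main__":
    # Constructed sample attachment names, not data from any real list.
    for original in ["report.pdf", "shell.php", "shell.php.jpg",
                     "../../etc/passwd", ".htaccess", "IMAGE.PNG"]:
        print(f"{original!r:22} -> {safe_attachment_name(original)}")
```

The audit helper is the part to run first on an existing server: files already written by a vulnerable build keep their names after the upgrade, so a one-off pass over the archive directory with `audit_archive` finds what still needs renaming.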
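Worked example for SEC-459, SEC-461 and SEC-464 together (added by the editor; not cPanel's code, and in Python rather than cPanel's Perl so it runs stand-alone). All three issues are the same mistake, untrusted text (an API error message, a DNS zone) reaching the page without encoding for the context it lands in. The example encodes one message for an HTML text node and for a JavaScript string literal inside an inline script, and shows why HTML escaping alone is wrong in the second context. The rendering functions, `showToast` and the sample payloads are the editor's assumptions, not anything from WHM.

```python
import html
import json


def html_text(value: str) -> str:
    """Encode for an HTML text node or a quoted attribute value."""
    return html.escape(value, quote=True)


def js_string_literal(value: str) -> str:
    """Encode for a string literal inside an inline <script> block.

    HTML-escaping is the wrong tool here: the HTML parser does not decode
    entities inside <script>, so "&lt;" would reach the JS engine literally,
    while a raw "</script>" in the value ends the block early. json.dumps
    handles quotes, backslashes and control characters (and, with the default
    ensure_ascii=True, U+2028/U+2029); "<", ">" and "&" are written as
    \\uXXXX escapes on top so no tag or comment opener can appear in the page.
    """
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_api_error(api_error: str) -> str:
    """Render a backend error message both as markup and as a JS argument."""
    return (f'<div class="error">{html_text(api_error)}</div>\n'
            f"<script>showToast({js_string_literal(api_error)});</script>")


def render_zone_preview(zone_text: str) -> str:
    """Show a freshly reset DNS zone in a <pre> block. Every record line is
    untrusted text (a TXT record can carry anything) and is encoded as such."""
    lines = "\n".join(html_text(line) for line in zone_text.splitlines())
    return f"<pre>{lines}</pre>"


if __name__ == "__main__":
    # Constructed error message and zone record, not output of any real API.
    evil = '</script><script>alert(document.cookie)</script>'
    print(render_api_error(evil))
    print(render_zone_preview('example.test. 300 IN TXT "<img src=x onerror=alert(1)>"'))
```

The point of `js_string_literal` round-tripping through JSON is that the browser still receives exactly the original message (the `\u003c` escapes decode to `<` inside the JS string), so the fix loses no information; it only stops the HTML parser from seeing the characters first.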
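Worked example for SEC-462 (added by the editor; not cpsrvd's code, and in Python rather than cPanel's Perl so it runs stand-alone). A connection-reset redirect only ever needs to send the client back to a path on the same host, so the Location value can be validated as a local path rather than escaped as a general URL. The function below rejects header injection, absolute URLs, `javascript:` style schemes and the two network-path forms (`//host` and `/\host`) that browsers treat as a new origin. The response builder and the sample targets are the editor's assumptions.

```python
from urllib.parse import urlsplit


def safe_local_redirect(target: str, default: str = "/") -> str:
    """Return `target` if it is a same-origin path, otherwise `default`.

    Checked in order: CR/LF and other control characters (header injection;
    checked before urlsplit(), which silently strips some of them), a leading
    character other than "/", a second character of "/" or "\\" (browsers
    treat "/\\evil" as "//evil" in http(s) URLs), and finally anything
    urlsplit() still parses as carrying a scheme or authority.
    """
    if not target or any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return default
    if target[0] != "/" or (len(target) > 1 and target[1] in "/\\"):
        return default
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return default
    return target


def reset_connection_response(requested_target: str, permanent: bool = False) -> tuple:
    """(status, headers) for a connection-reset redirect.

    307 and 308 preserve the request method and body, which is what a
    transparent reconnect needs; 308 is the permanent form.
    """
    status = 308 if permanent else 307
    headers = [("Location", safe_local_redirect(requested_target)),
               ("Cache-Control", "no-store")]
    return status, headers


if __name__ == "__main__":
    # Constructed targets an attacker might supply, plus one legitimate path.
    for t in ["/cpsess123/scripts/reset", "https://evil.example/",
              "//evil.example/x", "/\\evil.example", "/ok\r\nSet-Cookie: a=b",
              "javascript:alert(1)"]:
        print(f"{t!r:32} -> {reset_connection_response(t)}")
```

Validation beats escaping here because an escaped-but-absolute URL is still an open redirect; the Location header is not an injection sink so much as a policy decision about where the client may be sent.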
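Worked example for SEC-465 (added by the editor; not cPanel's adminbin code, and in Python rather than Perl so it runs stand-alone). A privileged helper that accepts parameters from an unprivileged caller has two defences: accept only values from a closed set, and pass them to the underlying tool as an argument vector rather than through a shell. The advisory does not give the value domain of `nsec_config` and `algo_config`, so the example assumes the former selects NSEC or NSEC3 and the latter is an IANA DNSSEC algorithm mnemonic; the `zone` parameter, the `dnssec-keygen` argument layout and the payload strings are likewise the editor's assumptions.

```python
import re
import subprocess

# IANA DNSSEC algorithm mnemonics the helper is willing to pass on
# (assumed value domain for algo_config).
ALLOWED_ALGORITHMS = frozenset({
    "RSASHA1", "RSASHA1-NSEC3-SHA1", "RSASHA256", "RSASHA512",
    "ECDSAP256SHA256", "ECDSAP384SHA384", "ED25519", "ED448",
})
# Assumed value domain for nsec_config.
ALLOWED_NSEC_MODES = frozenset({"NSEC", "NSEC3"})
# Hostname syntax for the zone: labels of 1..63 [a-z0-9-], no leading or
# trailing hyphen, whole name at most 253 characters, optional trailing dot.
_ZONE_RE = re.compile(r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
                      r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*\.?$")


class ParameterError(ValueError):
    """Raised for any request field outside its allow-list."""


def validate_dnssec_request(zone: str, algo_config: str, nsec_config: str) -> dict:
    """Return normalised parameters or raise ParameterError.

    Error messages name the field, never the rejected value, so the helper
    does not reflect attacker input into logs or UI error text.
    """
    zone = zone.strip().lower()
    if not _ZONE_RE.match(zone):
        raise ParameterError("zone is not a valid hostname")
    if algo_config not in ALLOWED_ALGORITHMS:
        raise ParameterError("algo_config is not a supported algorithm")
    if nsec_config not in ALLOWED_NSEC_MODES:
        raise ParameterError("nsec_config must be NSEC or NSEC3")
    return {"zone": zone, "algorithm": algo_config, "nsec": nsec_config}


def keygen_argv(params: dict) -> list:
    """Argument vector for BIND's dnssec-keygen. As a list (no shell) the
    values are single arguments and cannot become extra commands or options."""
    argv = ["dnssec-keygen", "-a", params["algorithm"], "-n", "ZONE"]
    if params["nsec"] == "NSEC3":
        argv.append("-3")
    argv.append(params["zone"])
    return argv


def run_keygen(zone: str, algo_config: str, nsec_config: str, runner=subprocess.run):
    """Validate, then execute. `runner` is injectable so tests need no BIND."""
    params = validate_dnssec_request(zone, algo_config, nsec_config)
    return runner(keygen_argv(params), shell=False, check=True,
                  capture_output=True, text=True)


def unsafe_command(zone: str, algo_config: str, nsec_config: str) -> str:
    """The anti-pattern: request fields interpolated into a shell string that a
    root helper would hand to `sh -c`. Returned, not executed, for comparison."""
    return f"dnssec-keygen -a {algo_config} {nsec_config} {zone}"
```

Note that allow-listing also protects against option injection (a value such as `-K /etc/...`), which argument-vector execution alone does not, since the tool still parses each argument.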
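Worked example for SEC-467 (added by the editor; not cPanel's transport code nor HTTP::DAV, and in Python rather than Perl so it runs stand-alone). The advisory describes two separate defects: a client debug trace that carries credentials, and a fixed file name in an unsafe location. The example addresses both, a logging filter that scrubs credential-bearing headers and `user:pass@` URL userinfo before anything is written, and a log file created with mode 0600 inside a fresh private directory instead of at a predictable path. The header list, the trace lines and the directory prefix are the editor's assumptions.

```python
import logging
import os
import re
import stat
import tempfile

# Header values and URL userinfo that a raw HTTP debug trace would contain.
_SECRET_HEADER = re.compile(
    r"(?im)^(Authorization|Proxy-Authorization|Cookie|Set-Cookie):[^\r\n]*$")
_URL_USERINFO = re.compile(r"(://)[^/@\s]+@")


def redact(text: str) -> str:
    """Replace credential-bearing header values and user:pass@ in URLs."""
    text = _SECRET_HEADER.sub(lambda m: f"{m.group(1)}: [redacted]", text)
    return _URL_USERINFO.sub(r"\1[redacted]@", text)


class RedactSecrets(logging.Filter):
    """Logging filter: scrub every record before any handler writes it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def open_private_debug_log(prefix: str = "webdav-debug-") -> tuple:
    """Create a 0600 log file inside a fresh 0700 directory; return (logger, path).

    Contrast with a fixed path such as /tmp/<name>.txt: that name is
    predictable, the directory is shared with every local user, and an
    existing file or symlink there is followed by a naive open().
    """
    directory = tempfile.mkdtemp(prefix=prefix)                 # mode 0700
    fd, path = tempfile.mkstemp(dir=directory, suffix=".log")   # mode 0600
    os.close(fd)
    logger = logging.getLogger(f"webdav.debug.{os.path.basename(directory)}")
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    handler = logging.FileHandler(path)
    handler.addFilter(RedactSecrets())
    logger.addHandler(handler)
    return logger, path


def demo() -> tuple:
    """Log a constructed WebDAV request trace; return (file text, file mode)."""
    logger, path = open_private_debug_log()
    # Constructed lines in the style of an HTTP client debug dump; not real data.
    logger.debug("PROPFIND https://backup:hunter2@dav.example.test/backups/ HTTP/1.1")
    logger.debug("Authorization: Basic YmFja3VwOmh1bnRlcjI=")
    logger.debug("Depth: 1")
    for h in list(logger.handlers):
        h.close()
        logger.removeHandler(h)
    with open(path) as f:
        text = f.read()
    return text, stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    text, mode = demo()
    print(f"mode {mode:o}\n{text}")
```

Redaction at the logging layer is deliberately independent of the file protection: even a correctly permissioned debug file ends up in support tickets and backups, so the credentials should never be written at all.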