-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

cPanel TSR-2019-0001 Full Disclosure

SEC-415

Summary
Internal data disclosed to OpenID providers.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.2
CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N

Description
The "state" parameter passed to OpenID providers during OpenID authentication included connection information that the OpenID provider did not need in order to authenticate the user. The connection state information is now stored in the user's session instead.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
78.0.2
76.0.18
70.0.63

SEC-460

Summary
Demo accounts allowed to link with OpenID providers.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.3
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Description
cPanel and Webmail demo accounts are normally prevented from modifying their own authentication settings. This restriction was not enforced correctly during the initial OpenID handshake performed by cpsrvd. As a result, demo accounts could be linked with an OpenID provider from the login interfaces.

Changelog: Demo accounts allowed to link with OpenID providers.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
78.0.2
76.0.18
70.0.63

SEC-466

Summary
Arbitrary file read via Passenger adminbin.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 6.5
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Description
When setting up a new Passenger application, the configuration values passed in by the user were not adequately validated. This allowed invalid values to be placed into the Apache configuration file, which in turn allowed arbitrary files to be read by the user.

Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
78.0.2
76.0.18
70.0.63

SEC-472

Summary
Maketext format string injection in Email "store_filter" UAPI.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.3
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Description
The Email "store_filter" UAPI call passed an error message directly to Locale::Maketext as the format string. A crafted filter could manipulate this error message and execute arbitrary code.

Changelog: Maketext format string injection in Email "store_filter" UAPI.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
78.0.2
76.0.18

SEC-473

Summary
Demo account limited arbitrary file write via DCV UAPI calls.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Description
The "check_domains_via_http" and "ensure_domains_can_pass_dcv" UAPI calls in the DCV module were allowed for demo accounts. These calls accept a filename, an extension, and a set of allowed characters to write into the DCV file. A demo account could misuse this functionality to create files on the server with limited control over their contents.

Changelog: Demo account limited arbitrary file write via DCV UAPI calls.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
78.0.2
76.0.18
70.0.63

SEC-474

Summary
Maketext format string injection in DCV "check_domains_via_dns" UAPI.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.3
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Description
The DCV "check_domains_via_dns" UAPI call passed an error message directly to Locale::Maketext as the format string. Data inserted into the DCV file could manipulate this error message and execute arbitrary code.

Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
78.0.2
76.0.18

SEC-476

Summary
Limited file write as shared users during connection resets.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.3
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Description
During asynchronous HTTP connection resets, cpsrvd processed any pending POST data. In some scenarios this wrote files into a cPanel user's home directory with the wrong user and group IDs.

Changelog: Limited file write as shared users during connection resets.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
78.0.2
76.0.18
70.0.63

SEC-478

Summary
Userdata cache temporary file can conflict with domains.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.3
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Description
When rebuilding the userdata "cache.json" file, a temporary file was created using a non-reserved file extension. A user could create a domain whose name conflicts with this temporary file, corrupting the cache file or interrupting its proper operation.

Changelog: Userdata cache temporary file can conflict with domains.

Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
78.0.2
76.0.18
70.0.63

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

iQJIBAEBCgAyFiEEtnCbTMb0IHf2mEGRlSG+3KvZTd8FAlxHOkwUHHNlY3VyaXR5
QGNwYW5lbC5uZXQACgkQlSG+3KvZTd/e/w//f2h7lEkdCu6jJVhmuTEofof53Idf
iJw9g2qUrVH0jhBQElN36C+QduwEFKWR5Aq79+WKVGkvuxzZpKqzFhH9wm1FiMzA
1x8KpVBSog4t7vpGouJwwMnkzz/Iatx4N3VzUuokQiI2kEwHL7F8nxPb+rbO4kjm
byJUVOr9nnfQJe4ROOBToKXCl5IoXQa1XZNYaG/VjoO6DqtlE/tD90qBsRyt0nsl
1UALY/ShxgBEOLC00hK01Vc9hZtsGCquZjTyLE+8T1+oisSg6TYsSuzVZq9/wr7v
NIMwk2sex+WqyzCpOabVEv4qD+fPFx2kbTQu678K7pFYpg/uCOtgm/WOPaFM1/1M
NVmsjk+Q7MzFfpBonxPXxzUSgOkHlm2sv4YWLOOgBh4YVXG+5m70pwcE7vAsZW8n
aoEGFoMRBVydQVXr2SZ3M0FXebVJZKZGu6e+GGVJBnN4X8jV+oqDcXyBZvkBO6HU
T1qd8XcKJvhW+25FHGWIoX1M0VwgQ/0U7+MwYW+76pw5Pfr5DvSOWGN9yP2xUxeI
tlj4C3TJd7zJ6wsrugHrawAl+ET2G0gcm+vpXxxo60RlbkI+yRPSQtSByqaIRqvE
lREaAT7Hkld4sDT+B3dqJUfNZQs1Rk6+pzCfBqArOiI4jhZ2I650kZ+MppANtChN
CaRxV2lbgT7sxV8=
=uVxI
-----END PGP SIGNATURE-----
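Editor's note on SEC-472 and SEC-474, appended outside the signed advisory above. Both entries are the same bug class: a string that the user can influence reaches Locale::Maketext as the format string rather than as a positional argument, so Maketext bracket notation inside it is compiled and executed as method calls on the language handle. The Perl below is an added, constructed example and is not cPanel's code or taken from the advisory; the Demo::L10N packages, the lexicon, the filter text and the [sprintf,...] payload are assumptions made for the demonstration, chosen only to show that bracket notation is evaluated, not to reproduce either cPanel issue.

```perl
#!/usr/bin/perl
# Added illustration of a Maketext format string injection (SEC-472 /
# SEC-474 bug class). Constructed for this note; not cPanel code. The
# package names, lexicon and filter text below are assumptions.
use strict;
use warnings;

# A minimal Locale::Maketext project. _AUTO => 1 makes maketext() accept any
# string as a key and compile it as bracket notation when it is not in the
# lexicon, which is exactly what makes passing raw text dangerous.
package Demo::L10N;
use parent 'Locale::Maketext';

package Demo::L10N::en;
use parent -norequire, 'Demo::L10N';
our %Lexicon = (
    '_AUTO'                 => 1,
    'Filter rejected: [_1]' => 'Filter rejected: [_1]',
);

package main;

my $lh = Demo::L10N->get_handle('en') or die "no language handle";

# Simulated filter text chosen by the account holder. [sprintf,%s,...] is
# bracket notation: when this text ends up inside the format string,
# Locale::Maketext calls $lh->sprintf('%s', 'bracket-notation-ran') instead
# of printing the characters. Any other method the handle class exposes
# could be named the same way.
my $filter_text = 'nonsense rule [sprintf,%s,bracket-notation-ran]';

# Vulnerable pattern: the error message, which already embeds the user's
# input, is handed to maketext() as the format string.
sub vulnerable_error {
    my ( $handle, $input ) = @_;
    my $msg = "Filter rejected: $input";
    return $handle->maketext($msg);
}

# Hardened pattern: the format string is a constant key and the user's
# input travels as a positional argument, so brackets in it stay literal.
sub hardened_error {
    my ( $handle, $input ) = @_;
    return $handle->maketext( 'Filter rejected: [_1]', $input );
}

print "vulnerable: ", vulnerable_error( $lh, $filter_text ), "\n";
print "hardened:   ", hardened_error( $lh, $filter_text ), "\n";

# Second failure mode: an unbalanced bracket cannot be compiled, so the
# vulnerable call dies inside Locale::Maketext instead of reporting the
# filter problem it was meant to report.
my $broken = 'nonsense rule [';
my $out    = eval { vulnerable_error( $lh, $broken ) };
print "vulnerable with malformed input: ", ( $@ ? "died: $@" : $out ), "\n";

# The hardened form is unaffected by the same input.
print "hardened with malformed input:   ", hardened_error( $lh, $broken ), "\n";
```

Run it with perl; it needs only the core Locale::Maketext module. The vulnerable call prints the return value of the method that the bracket group named, while the hardened call prints the brackets verbatim, and the malformed input makes only the vulnerable path die. The review check this suggests for a code base is that the first argument of every maketext() call is a literal key, with user-influenced data, including text copied into error messages, arriving only through [_N] placeholders.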