-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

cPanel TSR-2019-0002 Full Disclosure

SEC-477

Summary
Unsafe file operations as root in SSL certificate storage.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.6
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Description
The Cpanel::SSL::Objects::Certificate::File module creates a cache file when opening and reading an SSL certificate file. The Cpanel::SSLStorage module uses this to perform operations, as root, on SSL certificates stored in the user's home directory. Because of this, it was possible for an attacker to overwrite and/or read root-owned files.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
78.0.18
76.0.21
70.0.67

SEC-479

Summary
Local root via userdata cache mis-parsing.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.8
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Description
The userdata cache uses a custom delimiter-separated format with "==" as the delimiter. It is possible for the values in this file to contain this delimiter when they are written. When the file is read back, this could cause other subsystems on the server to read, write, chmod, and execute arbitrary files as root.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
78.0.18
76.0.21
70.0.67

SEC-480

Summary
Code execution via addforward API1 call.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.3
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Description
The addforward API1 call modified the destination email address after validating that it did not include prohibited Exim redirect router values. This behavior could be abused by webmail virtual accounts to run arbitrary code on the cPanel server.

Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
78.0.18
76.0.21
70.0.67

SEC-481

Summary
Unsafe terminal capabilities determination using infocmp.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 2.5
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Description
When generating formatted/colored text, the infocmp binary is called as root, and it reads compiled terminfo files as root. This binary has its home directory set to /tmp. It was possible for a user to manipulate the terminfo files that infocmp processed.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
78.0.18
76.0.21
70.0.67

SEC-483

Summary
Open mail relay due to faulty domain redirect routing.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Description
The Exim configuration used for domain forwarders did not correctly escape the final destination address. This could be abused by unauthenticated remote attackers to relay email through the server.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
78.0.18
76.0.21
70.0.67

SEC-484

Summary
Limited file read as root via Exim virtual_user_spam router.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.8
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Description
The Exim configuration used for routing spam email addressed to virtual email accounts did not correctly escape the final destination address. This could be abused by cPanel accounts to read files on the system that were otherwise inaccessible to the cPanel user.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
78.0.18
76.0.21
70.0.67

SEC-487

Summary
Demo account code execution via securitypolicy.cgi.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Description
The securitypolicy.cgi script exists in the main docroot for cPanel and Webmail, and can be accessed by normal users. A user can supply POST data to this script that contains both security context and form data. This could be used to write arbitrary data to a demo account's docroot.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
78.0.18
76.0.21
70.0.67

SEC-493

Summary
Remote Stored XSS Vulnerability in BoxTrapper Queue Listing.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Description
The BoxTrapper_showqueue() API call provides a listing of the email messages currently in the BoxTrapper queue. Subject headers displayed in this listing were HTML-encoded before they were MIME-decoded. This allowed an attacker to inject arbitrary code into the displayed subject.

Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
78.0.18
76.0.21
70.0.67

For the PGP-signed message, please see:
[SIGNED DISCLOSURE LINK]

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

iQJHBAEBCgAyFiEEtnCbTMb0IHf2mEGRlSG+3KvZTd8FAlyRRU0UHHNlY3VyaXR5
QGNwYW5lbC5uZXQACgkQlSG+3KvZTd9YIQ/4q+F48KaY1GNzHkIZjNxhR8KgC2VY
2gMYRZGaGlzKZue5pA7PLpUCpF0fyr3LgUHfhQ+fwP73qZKwC0wRIdPN0cqutqUh
pmpEdySfnAstLuDe8aDudeTv7d6qzMJ+qFbcyrxWejwdLopcOlaDr7ZgWEjE8G/W
5em7uyOul9od1wr/aHwaoHhY4wcbfS64H3AfQJ0a4wMDdIbNDjCZwxMb5oBSl45D
knRnGoDGa7+jgE32JKplca5P3CYECWFdchzvoAvTJwfSp0Pe0Sx6YKA5pAG1or1B
sxeNxEIF2K2S2FzVb+23oYfHVDaQO4gRV4KrSt1T3xeqTQsc1TOMrGdbN/AmWXSL
W5CGBUq+QxFevNfT1qh7BnWyGA+gVtkmuGfcuFAvkXEwHi7GSyJy+2f/6iA5EXO7
22nFvzi+DeCOA8J7OzqSEIRwXQgF41sUbgQuQqi9MPCCZxGEYS6bCut72UbLyEAt
dyxJ4KgAAXWepJKtkF7maIlEifjTVjVDNAg2MiPvcuHuZTOVRASasa613YuVRW37
yvsrk0+nQZW3/Xn5bHDN11FKqbevzUIa0Zml/BENKnsOfZ7ozDZ93ahNWHtGm6/R
CsUilfsW5OE03k6oMn/4L8nTFiiKt+y/rawWMObxaRva3m2Fg+Tp1exS8EgVC6Ue
GbAhR5hWoEfNNQ==
=6ozx
-----END PGP SIGNATURE-----
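Added illustration for the SEC-479 entry above (editor's example, not cPanel's userdata cache code): the bug class is a delimiter-separated record format whose writer never checks that a stored value is free of the delimiter, so a value containing "==" shifts every later field when the record is read back. The three-field layout (domain, owner, documentroot), the sample record and the path value are assumptions constructed for the demonstration; the hardened writer/reader pair shows the two checks that close the gap.

```python
"""Constructed demonstration of '==' delimiter injection in a positional
key/value cache record (modelled on the SEC-479 description; not cPanel's code)."""

import re

DELIM = "=="
# Hypothetical field layout for one record; assumed for this example only.
FIELDS = ("domain", "owner", "documentroot")

# Allow-list for the one field that an account holder can influence.
DOMAIN_RE = re.compile(r"^[a-z0-9.-]+$")


def naive_serialize(record):
    """Write the record as domain==owner==documentroot, trusting every value."""
    return DELIM.join(record[f] for f in FIELDS)


def naive_parse(line):
    """Split on every '==' and assign fields by position.

    If a value itself contained '==', the fields shift and the parser hands
    back a value under the wrong name without any error."""
    return dict(zip(FIELDS, line.split(DELIM)))


def safe_serialize(record):
    """Refuse to write any value that could be mistaken for record structure."""
    for name in FIELDS:
        value = record[name]
        if DELIM in value or "\n" in value:
            raise ValueError(f"{name} contains the record delimiter or a newline")
    if not DOMAIN_RE.match(record["domain"]):
        raise ValueError("domain has characters outside the allowed set")
    return DELIM.join(record[f] for f in FIELDS)


def safe_parse(line):
    """Reject any line whose field count does not match the schema exactly."""
    parts = line.split(DELIM)
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    record = dict(zip(FIELDS, parts))
    if not DOMAIN_RE.match(record["domain"]):
        raise ValueError("domain has characters outside the allowed set")
    return record


def demo():
    """Return (documentroot seen by the naive reader, refused on write, refused on read)."""
    # Constructed hostile record: the 'domain' value smuggles two extra fields.
    poisoned = {
        "domain": "example.test==nobody==/tmp/not-the-real-docroot",
        "owner": "alice",
        "documentroot": "/home/alice/public_html",
    }
    shifted = naive_parse(naive_serialize(poisoned))
    try:
        safe_serialize(poisoned)
        refused_on_write = False
    except ValueError:
        refused_on_write = True
    try:
        safe_parse(naive_serialize(poisoned))
        refused_on_read = False
    except ValueError:
        refused_on_read = True
    return shifted["documentroot"], refused_on_write, refused_on_read


if __name__ == "__main__":
    print(demo())
```

The naive reader reports a documentroot that came out of the domain field, which is exactly the kind of confusion the advisory describes when a root-privileged subsystem later acts on that path. Validating on write and checking the field count on read are independent defences; a format with real quoting (JSON, for instance) removes the problem entirely.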
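Added illustration for the SEC-493 entry above (editor's example, not cPanel's BoxTrapper code): when a Subject header is HTML-escaped before it is MIME-decoded, the escape step only ever sees base64 or quoted-printable text, which contains nothing to escape, so whatever the encoded word carries reaches the page unchanged. The sample subject and the helper names are constructed for the example; the fixed renderer applies the same two operations in the opposite order.

```python
"""Constructed demonstration of the escape-before-decode ordering bug on a
RFC 2047 encoded Subject header (modelled on SEC-493; not cPanel's code)."""

import base64
import html
from email.header import decode_header, make_header


def mime_decode(raw_header):
    """Decode RFC 2047 encoded-words (=?charset?B|Q?...?=) to plain text."""
    return str(make_header(decode_header(raw_header)))


def render_subject_vulnerable(raw_header):
    """Wrong order: HTML-escape the raw header, then MIME-decode it."""
    return mime_decode(html.escape(raw_header))


def render_subject_fixed(raw_header):
    """Right order: MIME-decode to the final text, then HTML-escape that text."""
    return html.escape(mime_decode(raw_header))


def encoded_word(text, charset="utf-8"):
    """Build a B-encoded encoded-word the way a mail client would."""
    payload = base64.b64encode(text.encode(charset)).decode("ascii")
    return f"=?{charset}?B?{payload}?="


def contains_raw_markup(rendered):
    """Template-test check: an unescaped '<' means the subject was not
    neutralised before it reached the HTML listing."""
    return "<" in rendered


# Constructed queue entry: harmless markup hidden behind an encoded-word.
SAMPLE_SUBJECT = encoded_word("Invoice <b>overdue</b>")


def demo():
    """Return the subject as each renderer would emit it."""
    return render_subject_vulnerable(SAMPLE_SUBJECT), render_subject_fixed(SAMPLE_SUBJECT)


if __name__ == "__main__":
    vulnerable, fixed = demo()
    print("escape-then-decode:", vulnerable, "| raw markup:", contains_raw_markup(vulnerable))
    print("decode-then-escape:", fixed, "| raw markup:", contains_raw_markup(fixed))
```

The general rule the example shows: output encoding must be the last transformation applied to a value before it is written into a document, after every decoding step (MIME, URL, base64) has produced the text that will actually be displayed.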