-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

cPanel TSR-2019-0003 Full Disclosure

SEC-486

Summary
Local code execution as other cPanel accounts via insecure cpphp execution.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.0
CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L

Description
Files with the 'cpphp' and 'php' file extensions inside cPanel themes are processed first by the cPanel tag parser engine, then by the php-cgi binary. During the secondary processing by the PHP engine, the working directory was switched to an insecure location that could contain malicious INI files.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.80.0.5
11.78.0.24

SEC-489

Summary
Unsafe file operations as root via the fetch_ssl_certificates_for_fqdns API.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.6
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Description
The fetch_ssl_certificates_for_fqdns API call uses the Cpanel::SSL::Search::fetch_users_certificates_for_fqdns() function to search for and load SSL certificates for a user's domain from the user's home directory as the root user. During this process a cache file is created. Because of this, it was possible for an attacker to overwrite and/or read root-owned files.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.80.0.5
11.78.0.24

SEC-494

Summary
The queueprocd log is created with world-readable permissions.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.3
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description
The process by which the queueprocd log is created was recently modified, causing it to be created with world-readable permissions. This log file could potentially contain sensitive information.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.80.0.5
11.78.0.24

SEC-495

Summary
The API Analytics adminbin allows arbitrary data to be inserted into its log.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.3
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Description
The only restriction on data passed to the LOG_OPERATION function of the API Analytics adminbin is that it must not contain newlines and must start and end with curly brackets. Any other arbitrary data could be written to this log file.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.80.0.5
11.78.0.24

SEC-496

Summary
Arbitrary file modification for demo accounts via the extractfile API1 call.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Description
The Fileman::extractfile API1 function was incorrectly set to allow demo account access. This API call could be abused to modify any files in the demo account's home directory.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.80.0.5
11.78.0.24

SEC-498

Summary
Demo account code execution via ajax_maketext_syntax_util.pl.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Description
The ACL and Demo check subroutine in ajax_maketext_syntax_util.pl was refactored to avoid use of the DEMO environment variable. This caused the script to allow execution when called by any cPanel user, including demo accounts. This could allow for execution of arbitrary code by demo account users.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.80.0.5
11.78.0.24

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEEtnCbTMb0IHf2mEGRlSG+3KvZTd8FAlzkDawUHHNlY3VyaXR5
QGNwYW5lbC5uZXQACgkQlSG+3KvZTd/QMBAAwfr2zUdaCQt6LPtl439hhCvxRiJV
/fPbdsOy6tEb2f1rft3RyUZZroU1EDOwlQM5Gc8NRSOZSQrwbejW72SeuXcjie4u
QSByk4gOVOEciJD7RhKwgDlMEnrED9CDMRFy19i8mnMSpFzmh4b+F9ZqUXSN3k+d
FF4vJXqhdp1Sf9Sj9bf0pEshLegbQ3SvMoeBsoU1bX59leEbaZw3/qqO+WKJBc0u
4+vsM50V2ZCc/qoazwHwsPb9BwnbjLjA5sU7eUc28JKENpHEWqSi7WKdM58qGtSm
wWN5n74zLjmv/AfjZ2KL4WCl/+ZWeGOA1wc7jpbz1maKl7XvnGcIQUoyX4yKCKU1
f3VGUqhtiFijxr6ug5gFRlyLNrDMbOgg/m3i7f2eGPPB1Cqx+4PMPj8vux4HeVNl
8zUoIwUfi5IvfHFul1YFvp8I500Uke+DP4Zw/J2wI0MVHAlHxdIUpJjBZMSf51QW
zC27oebb7/noKXrn88XYd0aYkEq/jY/MimdMqfLX0GbQFNY/wTgkjlHO2xVnUnJv
pEjph9pVpCGPQgoC1TdAUn1WJpQEIjwq8IAmGUfk9u1p/owZzy8MmMHluzN+cBZA
VyChEJK+IMbEVTZlZfib6OnlnNaunGk17LR1vs5d5n3rwS6SCF+S4LKVBWqrqNMP
nAD0q4H7i+0O/j0=
=n21I
-----END PGP SIGNATURE-----
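Added after the signed advisory as an illustration of SEC-489 and SEC-494 (this is example code, not cPanel's, and it stands outside the PGP-signed text). It shows what a privileged process should do when it reads from a directory a user controls: walk the path one component at a time without following symlinks, check the owner of the file it actually opened, and give any cache or log file it creates an explicit restrictive mode instead of relying on the umask. The home-directory layout, file names and the "sloppy" log are constructed for the demonstration; the owner check is exercised with the current uid.

```python
"""Privileged file access under a user-controlled directory (added example)."""
import errno
import os
import stat
import tempfile


def open_below(root_dir: str, relpath: str, expected_uid: int) -> int:
    """Open relpath beneath root_dir, refusing '..', a symlink in any component,
    non-regular files, and files not owned by expected_uid. Returns an fd."""
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if ".." in parts:
        raise PermissionError(f"{relpath}: traversal rejected")
    fd = os.open(root_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        for i, part in enumerate(parts):
            flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NOCTTY
            if i < len(parts) - 1:
                flags |= os.O_DIRECTORY            # intermediate parts must be dirs
            nfd = os.open(part, flags, dir_fd=fd)  # relative to the fd already held
            os.close(fd)
            fd = nfd
        st = os.fstat(fd)                          # inspect what was opened, not the name
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{relpath}: not a regular file")
        if st.st_uid != expected_uid:
            raise PermissionError(f"{relpath}: owner {st.st_uid} != {expected_uid}")
        return fd
    except BaseException:
        os.close(fd)
        raise


def create_private_file(path: str) -> int:
    """Create a new file with mode 0600. O_EXCL refuses to reuse an existing
    file and O_NOFOLLOW refuses a symlink planted at that name."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)


def is_world_readable(path: str) -> bool:
    """The SEC-494 condition: any 'other' read bit set on the file itself."""
    return bool(os.lstat(path).st_mode & stat.S_IROTH)


def _attempt(home: str, rel: str, uid: int) -> str:
    try:
        os.close(open_below(home, rel, uid))
        return "opened"
    except OSError as e:
        return "ELOOP" if e.errno == errno.ELOOP else type(e).__name__


def demo() -> dict:
    """Constructed scenario: a home directory holding a real certificate, two
    symlinks that try to escape it, a world-readable log and a private cache."""
    me, out = os.getuid(), {}
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "home")
        os.makedirs(os.path.join(home, "ssl", "certs"))
        with open(os.path.join(home, "ssl", "certs", "example.crt"), "w") as f:
            f.write("-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n")
        with open(os.path.join(tmp, "root-only.txt"), "w") as f:
            f.write("not for users\n")
        os.symlink(os.path.join(tmp, "root-only.txt"),
                   os.path.join(home, "ssl", "certs", "evil.crt"))   # file-level symlink
        os.symlink(tmp, os.path.join(home, "ssl", "escape"))         # directory-level symlink

        fd = open_below(home, "ssl/certs/example.crt", me)
        out["real"] = os.read(fd, 4096).decode()
        os.close(fd)
        for rel in ("ssl/certs/evil.crt", "ssl/escape/root-only.txt", "../root-only.txt"):
            out[rel] = _attempt(home, rel, me)
        out["wrong_owner"] = _attempt(home, "ssl/certs/example.crt", me + 1)

        sloppy = os.path.join(tmp, "queueprocd.log")
        open(sloppy, "w").close()
        os.chmod(sloppy, 0o644)                    # simulates the SEC-494 condition
        cache = os.path.join(tmp, "cache.json")
        os.close(create_private_file(cache))
        out["sloppy_world_readable"] = is_world_readable(sloppy)
        out["cache_world_readable"] = is_world_readable(cache)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Opening each component relative to the previous descriptor with O_NOFOLLOW is what closes the race in which a user swaps a directory for a symlink between a path check and the open; a single `os.open` with O_NOFOLLOW only protects the final component. The cache file is created with O_EXCL so a pre-planted file or link at that name is an error rather than something the privileged process silently writes into.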
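Added after the signed advisory as an illustration of SEC-495 (example code, not cPanel's, and not part of the signed text). It places the weak shape rule the advisory describes (no newline, curly brackets at both ends) beside a hardened validator that parses the entry as JSON, requires an object, rejects every control character, and writes its own canonical serialisation rather than the caller's bytes. The sample entries are constructed; the field names in them are arbitrary.

```python
"""Structured-log entry validation: a shape check beside a hardened check."""
import json
import re
from typing import List, Optional

# Constructed sample entries: one legitimate record and three crafted ones.
SAMPLE_ENTRIES: List[str] = [
    '{"api": "listaccts", "user": "alice"}',                # valid JSON object
    '{"api": "listaccts"} free text, not JSON at all }',    # brackets only at the ends
    '{"api": "listaccts", "note": "a\x00b"}',               # embedded NUL byte
    '{"api": "x"}\r{"api": "forged", "user": "root"}',      # CR splits it into two "records"
]

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def weak_check(entry: str) -> bool:
    """The SEC-495-style rule: no newline, and curly brackets at both ends."""
    return "\n" not in entry and entry.startswith("{") and entry.endswith("}")


def hardened_format(entry: str) -> Optional[str]:
    """Return the canonical log line for a valid entry, or None to reject it."""
    if CONTROL_CHARS.search(entry):      # covers \r, \x00, ESC sequences, ...
        return None
    try:
        obj = json.loads(entry)          # strict mode also refuses control chars in strings
    except ValueError:
        return None
    if not isinstance(obj, dict):        # a bare string or array is not a log record
        return None
    # ensure_ascii escapes anything non-printable; sort_keys gives a stable shape.
    return json.dumps(obj, ensure_ascii=True, sort_keys=True, separators=(",", ":"))


def survey(entries: List[str]) -> List[dict]:
    """Show, per entry, what each check decides."""
    return [
        {"entry": e, "weak_accepts": weak_check(e), "hardened": hardened_format(e)}
        for e in entries
    ]


if __name__ == "__main__":
    for row in survey(SAMPLE_ENTRIES):
        print(row)
```

All four constructed entries pass the weak rule; only the first survives the hardened one. Re-serialising the parsed object means the bytes that reach the log are produced by the logger, so a consumer that splits on newlines or carriage returns, or feeds the file to a terminal, sees exactly one escaped record per line.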
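Added after the signed advisory as an illustration of SEC-496 and SEC-498 (example code, not cPanel's, and not part of the signed text). Both entries describe a gate that let demo accounts through, once because a call was marked demo-accessible and once because a refactored check stopped consulting the DEMO marker. The pattern below takes demo status from one authoritative account record, treats an unknown account as the most restricted kind, and lets a demo account run only operations that are explicitly allowlisted. The account records and handlers are constructed; `Fileman::extractfile` is the call named in the advisory, while `Fileman::listfiles` is a hypothetical name used here for a read-only operation.

```python
"""Fail-closed gating of API operations for demo accounts (added example)."""
from typing import Callable, Dict

# Constructed account records; stands in for the server's user database.
ACCOUNTS: Dict[str, Dict[str, bool]] = {
    "alice": {"demo": False},
    "demo1": {"demo": True},
}

# The only operations a demo account may run. Everything else is denied to it.
DEMO_ALLOWLIST = frozenset({"Fileman::listfiles"})   # hypothetical read-only call


class Denied(PermissionError):
    pass


def is_demo(user: str) -> bool:
    """Unknown accounts are treated as demo, never as full accounts."""
    rec = ACCOUNTS.get(user)
    return True if rec is None else rec.get("demo", True)


def authorize(user: str, operation: str) -> bool:
    """Deny by default: a demo user passes only for an allowlisted operation."""
    if not is_demo(user):
        return True
    return operation in DEMO_ALLOWLIST


def dispatch(user: str, operation: str, handlers: Dict[str, Callable[[], str]]) -> str:
    """Single choke point: a handler is never reached without authorization."""
    if not authorize(user, operation):
        raise Denied(f"{user} may not call {operation}")
    return handlers[operation]()


# Constructed handlers standing in for the real API implementations.
def _listfiles() -> str:
    return "public_html/ index.html"


def _extractfile() -> str:
    return "extracted"            # the real call would modify files on disk


HANDLERS: Dict[str, Callable[[], str]] = {
    "Fileman::listfiles": _listfiles,
    "Fileman::extractfile": _extractfile,
}


def run_matrix() -> Dict[str, str]:
    """Exercise every (user, operation) pair and record the outcome."""
    out: Dict[str, str] = {}
    for user in ("alice", "demo1", "nobody-known"):
        for op in HANDLERS:
            try:
                out[f"{user}:{op}"] = dispatch(user, op, HANDLERS)
            except Denied:
                out[f"{user}:{op}"] = "denied"
    return out


if __name__ == "__main__":
    for pair, result in run_matrix().items():
        print(f"{pair}: {result}")
```

The point of routing every call through `dispatch` is that a refactor of the demo check cannot silently widen access: an operation not on the allowlist stays denied to demo and unknown accounts whatever else changes, and a new operation has to be added to the list deliberately before a demo account can reach it.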