-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

cPanel TSR-2020-0001 Full Disclosure

SEC-515

Summary
Self-XSS vulnerability via temporary character set specification.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description
cPanel & WHM and its APIs allow you to specify a temporary character set to use for HTTP responses. Most interfaces and APIs do not expect the character set of their responses to be changed. This confusion could allow an attacker to cause the rendering browser to parse and execute code.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.84.0.20
11.78.0.45

SEC-535

Summary
Self-stored XSS vulnerability in HTML file editor.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description
The cPanel HTML file editor displays error messages when it fails to open a file. These error messages were not adequately encoded. It was possible to manipulate these error messages to include HTML markup that would be rendered by the user's browser.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.84.0.20
11.78.0.45

SEC-537

Summary
Arbitrary code execution as root via dnsadmin when using PowerDNS.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 8.2
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Description
The name server configuration logic for PowerDNS allowed additional positional parameters to be injected when calling the pdns_control command. By injecting malicious data into these parameters, it was possible for a malicious reseller with the clustering ACL to execute arbitrary code on the system.

Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.84.0.20
11.78.0.45

SEC-541

Summary
Feature and demo restrictions not enforced for WebDisk UAPI calls.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Description
Refactoring of the feature and demo access restriction code removed enforcement of these restrictions on all WebDisk UAPI calls.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.84.0.20
11.78.0.45

SEC-542

Summary
Demo checks enforced incorrectly in Market UAPI namespace.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.8
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Description
The API calls available in the Market UAPI namespace did not limit the actions of demo accounts properly.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.84.0.20
11.78.0.45

SEC-543

Summary
Demo account file modifications through Branding API calls.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.8
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Description
Restrictions on demo accounts for several Branding API1 and API2 calls were not properly enforced. In some configurations this allowed demo accounts to read and write arbitrary files on the system.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.84.0.20
11.78.0.45

SEC-544

Summary
Demo account remote code execution via cpsrvd rsync shell.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 8.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Description
The cPanel server includes rsync remote file transfer functionality. The access controls limiting demo account usage of this functionality were ineffective.
This could be abused by a demo account user to execute arbitrary code on the server.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.84.0.20

SEC-545

Summary
Root remote code execution for resellers via cpsrvd rsync shell.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 9.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Description
The cPanel server includes rsync remote file transfer functionality. The access controls limiting reseller usage of this functionality were ineffective. This could be abused by any reseller to execute arbitrary code as the root account.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.84.0.20

SEC-546

Summary
Demo account code execution via PassengerApps APIs.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 8.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Description
When registering a Passenger application, the 'ensure_deps' API will install dependencies according to a configuration file within the application directory. Demo accounts were not restricted from invoking this API call, allowing the execution of arbitrary code on the server.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.84.0.20
11.78.0.45

SEC-547

Summary
Arbitrary file deletion for Webmail and Demo accounts.

Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Description
Functionality intended to handle JSON POST data submitted in HTTP requests did not apply the input filtering required to distinguish file uploads from other form parameters. A malicious webmail or demo account could misuse this behavior to delete files on the system.

Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.84.0.20
11.78.0.45

For the PGP-signed message, please see:
https://news.cpanel.com/wp-content/uploads/2020/01/TSR-2020-0001.disclosure.signed.txt

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEEtnCbTMb0IHf2mEGRlSG+3KvZTd8FAl4mBxMUHHNlY3VyaXR5
QGNwYW5lbC5uZXQACgkQlSG+3KvZTd8EHA/7BmcOPfSLPlCZD9V2n2CjOcnoVv/t
EDmEVWo3Eyyk/tnc5OHcBusVaZYj44gep5KXZLwAPfjxEOy5K+JXpqCnTZxf5FNy
/rmWl+4ZwaPq/9qyjkzeOM/K6oo7KyWuIZSp5n1serbAkhe9ME9LHGDL7cicTNgW
qtFzQykHIvY4TX+kS6UdNPyGg86ZWqwes/ltbCVaxOir+QNT1Yi93SkZcYxV9lfk
tiTEDcYqegkODBkZj5xuLQYHnqlgRcO6FY8BAwFF2sJTYZ+E+BrXCd/QjU+FuRAw
KblCNBfxksN29dBv30eeJBjFeTaQxFEU3U7zNxmcte90lQG93qHddY20nG+nmTML
05aoK3OrlymlxsKezqP6ouVRQjQVU3+OJO/zrqNM1vP8sCPBnvkLF3VIEn26dFIE
rBefIYmw+9eHuCB6UqLfMw/kGrpGCRI2FkdlZin4NDdzbBC+YI1UF/THlsT2oVEl
cpCuwmfzexmUsxcto9650qJN1ACA+rCdgk74hCJP01v0834kxk0RgBNZ5afCRMEB
rndFstOGJyxxdSB92d+1UuJAP/wmz1GsTqjxYTzzqxmfVqiGXes3/paHhKBu46z9
msfnX5HddPMKutN5adDZMCdghjBC6lYxkhTi2Izq3kBYW15/FhT2tx9wJMgHAMvP
oCv0+6cBR2e0Ggs=
=wesY
-----END PGP SIGNATURE-----
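Five of the items above (SEC-541, SEC-542, SEC-543, SEC-544, SEC-546) share one root cause: a feature or demo-account restriction that each API call was supposed to apply on its own was missing, applied incorrectly, or lost in a refactor. The example below is added here and is not cPanel's code; it shows the design that removes that class of bug, where every call must be registered with an explicit policy and a single dispatcher enforces it, so an unregistered or unpolicied call cannot be reached at all. The account model, the call names and the feature names are constructed for the example.

```python
"""Central enforcement of feature and demo-mode restrictions for API calls.

Added example, not cPanel's code. Each API function declares, at
registration time, which feature flag it needs and whether demo accounts
may invoke it. The dispatcher applies both checks before the function body
runs, with demo access denied by default, so a refactor of one call cannot
silently drop the check.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple


class AccessDenied(Exception):
    """Raised when the dispatcher refuses a call."""


@dataclass
class Account:                      # constructed account model
    name: str
    features: Set[str] = field(default_factory=set)
    demo: bool = False


@dataclass
class Policy:
    feature: Optional[str]          # feature flag the account must hold, if any
    allow_demo: bool                # demo accounts are denied unless True


class ApiRegistry:
    def __init__(self) -> None:
        self._calls: Dict[str, Tuple[Policy, Callable]] = {}

    def register(self, name: str, feature: Optional[str] = None,
                 allow_demo: bool = False):
        """Decorator: a call must declare its policy to be reachable at all."""
        def wrap(fn: Callable) -> Callable:
            self._calls[name] = (Policy(feature, allow_demo), fn)
            return fn
        return wrap

    def dispatch(self, account: Account, name: str, **params):
        """Apply the registered policy, then run the call."""
        try:
            policy, fn = self._calls[name]
        except KeyError:
            raise AccessDenied(f"unknown call {name!r}")
        # Demo check first: a demo account never reaches a state-changing call.
        if account.demo and not policy.allow_demo:
            raise AccessDenied(f"{name}: not permitted for demo accounts")
        if policy.feature and policy.feature not in account.features:
            raise AccessDenied(f"{name}: feature {policy.feature!r} disabled")
        return fn(account, **params)


api = ApiRegistry()


@api.register("WebDisk::list_users", feature="webdisk", allow_demo=True)
def webdisk_list(account: Account):
    return ["webdisk@example.invalid"]      # constructed sample data


@api.register("WebDisk::add_user", feature="webdisk")
def webdisk_add(account: Account, user: str):
    return f"added {user}"


@api.register("Branding::write_file", feature="branding")
def branding_write(account: Account, path: str, body: str):
    return f"wrote {len(body)} bytes to {path}"


def demo_run() -> Dict[str, object]:
    """Exercise the dispatcher with a full, a feature-less and a demo account."""
    full = Account("alice", {"webdisk", "branding"})
    nofeat = Account("bob", set())
    demo = Account("guest", {"webdisk", "branding"}, demo=True)
    results: Dict[str, object] = {}
    results["full_add"] = api.dispatch(full, "WebDisk::add_user", user="x")
    results["demo_list"] = api.dispatch(demo, "WebDisk::list_users")
    attempts = [
        (nofeat, "WebDisk::add_user", {"user": "x"}),
        (demo, "WebDisk::add_user", {"user": "x"}),
        (demo, "Branding::write_file", {"path": "/tmp/x", "body": "..."}),
    ]
    for acct, call, kw in attempts:
        try:
            api.dispatch(acct, call, **kw)
            results[f"{acct.name}:{call}"] = "allowed"
        except AccessDenied:
            results[f"{acct.name}:{call}"] = "denied"
    return results


if __name__ == "__main__":
    for key, value in demo_run().items():
        print(f"{key}: {value}")
```

The point of the registry is that the restriction check lives in exactly one place and is keyed on the call name; a new or refactored call that forgets to declare a policy is simply unknown to the dispatcher rather than silently unrestricted.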
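SEC-537 above describes additional positional parameters being injected into a pdns_control invocation. The example below is added here and is not cPanel's or PowerDNS's code; it shows the defensive pattern for handing an untrusted value to a command-line tool: build the argument vector as a list (no shell), validate each value against the grammar it is supposed to satisfy, and refuse anything that could read as an option or as more than one argument. The binary path and the table of permitted subcommands with their argument counts are assumptions made for the example.

```python
"""Building a pdns_control argument vector from an untrusted zone name.

Added example, not cPanel's or PowerDNS's code. The subcommand table and
the binary path are assumptions for the example.
"""
import re
import subprocess
from typing import List

PDNS_CONTROL = "/usr/bin/pdns_control"      # assumed path

# Hostname grammar (RFC 1123 labels), optional trailing dot, 253 chars max.
# The pattern admits no whitespace and no leading '-', so a value that
# would read as an extra argument or as an option cannot pass.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_ZONE_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")

# Subcommands this caller may issue and how many positional arguments
# each takes (assumed for the example).
_ALLOWED = {"notify": 1, "rediscover": 0, "reload": 0}


class UnsafeArgument(ValueError):
    """Raised for any value that does not fit the expected grammar."""


def validate_zone(zone: str) -> str:
    """Return the zone name unchanged if it is a syntactically valid hostname."""
    if len(zone) > 253 or not _ZONE_RE.fullmatch(zone):
        raise UnsafeArgument(f"not a valid zone name: {zone!r}")
    return zone


def build_argv(command: str, *args: str) -> List[str]:
    """Return the exact argv to execute, or raise UnsafeArgument.

    The argument count is fixed per subcommand, so a caller cannot append
    extra positional parameters, and every value is validated individually.
    """
    if command not in _ALLOWED:
        raise UnsafeArgument(f"subcommand not permitted: {command!r}")
    if len(args) != _ALLOWED[command]:
        raise UnsafeArgument(
            f"{command} takes {_ALLOWED[command]} argument(s), got {len(args)}")
    checked = [validate_zone(a) for a in args]
    return [PDNS_CONTROL, command, *checked]


def run(command: str, *args: str) -> str:
    """Execute the validated command without a shell and return its stdout."""
    argv = build_argv(command, *args)
    completed = subprocess.run(argv, check=True, capture_output=True, text=True)
    return completed.stdout


if __name__ == "__main__":
    print(build_argv("notify", "example.com"))
    for bad in ("example.com extra", "-x", "a..b"):
        try:
            build_argv("notify", bad)
        except UnsafeArgument as exc:
            print("rejected:", exc)
```

Validation is done on the meaning of the value (is this a hostname?) rather than by stripping a blacklist of characters; that is what makes the check hold regardless of how the downstream tool tokenises its command line.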
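SEC-515 and SEC-535 above both come down to the browser interpreting response bytes differently from what the author of the page intended: in SEC-535 an error message that embedded a user-controlled value was emitted without HTML encoding, and in SEC-515 a request-selected character set was applied to responses whose code assumed a fixed one. The example below is added here and is not cPanel's code; it shows a response builder that escapes every interpolated value, declares the charset it actually encodes with, honours a caller-supplied charset only from an allowlist, and includes a small check that a defender can run over a response to confirm the declared and actual encodings agree. The message wording and the allowlist are constructed for the example.

```python
"""Rendering a file-open error into an HTML response safely.

Added example, not cPanel's code. Every value interpolated into markup is
HTML-escaped, and the Content-Type charset is always the one the body was
encoded with; a requested charset outside the allowlist is ignored.
"""
import html
from typing import Dict, Optional, Tuple

SUPPORTED_CHARSETS = {"utf-8"}      # what this renderer can actually encode with (assumed)


def file_open_error_html(path: str, reason: str) -> str:
    """Return the HTML fragment for a 'could not open file' message."""
    return '<p class="error">Could not open <code>{}</code>: {}</p>'.format(
        html.escape(path, quote=True), html.escape(reason, quote=True))


def build_response(body_html: str,
                   requested_charset: Optional[str] = None) -> Tuple[Dict[str, str], bytes]:
    """Return (headers, body_bytes) with a charset that matches the encoding used."""
    charset = "utf-8"
    if requested_charset and requested_charset.lower() in SUPPORTED_CHARSETS:
        charset = requested_charset.lower()
    headers = {
        "Content-Type": f"text/html; charset={charset}",
        "X-Content-Type-Options": "nosniff",    # keep the browser from guessing otherwise
    }
    return headers, body_html.encode(charset)


def declared_charset(headers: Dict[str, str]) -> Optional[str]:
    """Extract the charset parameter from a Content-Type header, if present."""
    content_type = headers.get("Content-Type", "")
    for part in content_type.split(";")[1:]:
        key, _, value = part.strip().partition("=")
        if key.strip().lower() == "charset":
            return value.strip().strip('"').lower()
    return None


def charset_consistent(headers: Dict[str, str], body: bytes) -> bool:
    """Check that the body decodes cleanly under the charset the headers declare."""
    charset = declared_charset(headers)
    if charset is None:
        return False
    try:
        body.decode(charset)
    except (LookupError, UnicodeDecodeError):
        return False
    return True


if __name__ == "__main__":
    # Constructed filename containing markup, as a user might supply it.
    fragment = file_open_error_html("<b>notes</b>.html", "No such file or directory")
    hdrs, body = build_response(fragment, requested_charset="utf-7")
    print(hdrs["Content-Type"])
    print(body.decode("utf-8"))
    print("consistent:", charset_consistent(hdrs, body))
```

Escaping at the point where the value enters the markup, rather than trying to sanitise the filename earlier, is what keeps the error path safe no matter which code path produced the value; pinning the charset to the encoder's output closes the second half of the problem, since a declared charset the body was not encoded with is exactly the mismatch a browser will resolve in unexpected ways.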