-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 cPanel TSR (TODO) Full Disclosure SEC-629 Summary Respect the "no_create" parameter in BoxTrapper_getemaildirs. Security Rating cPanel has assigned this vulnerability a CVSSv3.1 score of 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Description The BoxTrapper_getemaildirs function takes a parameter which tells it not to attempt to create the mail directories if they do not exist. This parameter was only being respected when the no_checks parameter was also set. Add a check of the value of the no_create parameter before attempting to create the mail directory. Failure to do so was the cause of bxd.cgi creating bogus domain directories under the mail directory. Credits This issue was discovered by William Bailey. Solution This issue is resolved in the following builds: 11.94.0.25 11.104.0.3 11.102.0.18 SEC-630 Summary Update cpanel-php73-horde to 5.2.21-1.cp1194. Security Rating cPanel has assigned this vulnerability a CVSSv3.1 score of6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Description Changelog: Update cpanel-php73-horde to 5.2.21-1.cp1194 Credits This issue was discovered by Sonar Source. https://blog.sonarsource.com/horde-webmail-account-takeover-via-email/ Solution This issue is resolved in the following builds: 11.94.0.25 11.104.0.3 11.102.0.18 SEC-631 Summary Check caller privileges in create_dbowner. Security Rating cPanel has assigned this vulnerability a CVSSv3.1 score of 8.0 CVSS3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H Description In create_dbowner(), we need to check that the caller has the correct privileges to alter the password for the account, similar to what is done in updatehosts(). Failure to do so can allow any cPanel user to take over the root account on MySQL via the cpmysql adminbin UPDATEALL and UPDATEDBOWNER commands. Credits This issue was discovered by John Lightsey. Solution This issue is resolved in the following builds: 11.94.0.25 11.104.0.3 11.102.0.18 SEC-632 Summary MySQL admin takeover via postponed dbuser creation. Security Rating cPanel has assigned this vulnerability a CVSSv3.1 score of 7.6 CVSS3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H Description It was possible to create a cPanel account with the username 'r_o_o_t' when MySQL was disabled on the system. If MySQL is then enabled at a later date, then the cPanel username 'r_o_o_t' would map to the username 'root' for the database user creation. This allowed the cPanel user to change their password and take over admin rights to the MySQL server. Credits This issue was discovered by John Lightsey. Solution This issue is resolved in the following builds: 11.94.0.25 11.104.0.3 11.102.0.18 SEC-636 Summary Notify admin of lost demo mode restrictions. Security Rating cPanel has assigned this vulnerability a CVSSv3.1 score of 2.6 CVSS3.1AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N Description After an upgrade, admins are now notified that demo accounts with linked mail child nodes exist and is no longer a valid configuration. Credits This issue was discovered by John Lightsey. Solution This issue is resolved in the following builds: 11.94.0.25 11.104.0.3 11.102.0.18 SEC-637 Summary Block remote nodes on restoration of account in demo mode. Security Rating cPanel has assigned this vulnerability a CVSSv3.1 score of 2.6 CVSS3.1AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N Description The fix for case SEC-617 addressing the failure of "demo" status to propagate to remote nodes prevents setting up an account to have linked nodes while in demo mode. But, it does not block this setup on account restoration. When restoring an account, block use of linked nodes if the account is demo mode. Credits This issue was discovered by John Lightsey. Solution This issue is resolved in the following builds: 11.94.0.25 11.104.0.3 11.102.0.18 SEC-638 Summary Block cron removal on accounts with DEMO mode enabled. Security Rating cPanel has assigned this vulnerability a CVSSv3.1 score of 5.3 CVSS3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Description It was possible to remove cronjobs on accounts with demo mode enabled when using legacy APIs, leaving it possible for potential attackers to cause data loss. Credits This issue was discovered by John Lightsey. Solution This issue is resolved in the following builds: 11.94.0.25 11.104.0.3 11.102.0.18 SEC-639 Summary Run demo/feature check for UAPI and API1. Security Rating cPanel has assigned this vulnerability a CVSSv3.1 score of 5.3 CVSS3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Description When adding UAPI1 it was possible to by pass demo mode checks using a specially crafted URL causing the request to masquerade as a UAPI call. Credits This issue was discovered by John Lightsey. Solution This issue is resolved in the following builds: 11.94.0.25 11.104.0.3 11.102.0.18 SEC-641 Summary Stop exposing API tokens in account modification return data. Security Rating cPanel has assigned this vulnerability a CVSSv3.1 score of 8.0 CVSS3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L Description The account modification functions return the user data to the caller. In a multi-node setup the user data can have a WORKER_NODE element added to it which contains an API token. We shouldn't be exposing this in the return data. Credits This issue was discovered by John Lightsey. Solution This issue is resolved in the following builds: 11.94.0.25 11.104.0.3 11.102.0.18 SEC-643 Summary Immediately check account ownership in massmodifyacct. Security Rating cPanel has assigned this vulnerability a CVSSv3.1 score of 8.0 CVSS3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L Description The error manifest in this case is two-fold. First, the check for account ownership occurs too late in the operation, and only for the local modification of the account. And, the way massmodifyacct is architected, a local failure will not prevent remote operations. Secondly, massmodify has been setup on such a way that there are no "undo" operations for any accounts where modifications have failed. To address the security aspect of this case, we need to check account ownership at the beginning of massmodifyacct and perform no further acction on an unauthorized account. Credits This issue was discovered by John Lightsey. Solution This issue is resolved in the following builds: 11.94.0.25 11.104.0.3 11.102.0.18 -----BEGIN PGP SIGNATURE----- iQJIBAEBCAAyFiEEtnCbTMb0IHf2mEGRlSG+3KvZTd8FAmKXtBEUHHNlY3VyaXR5 QGNwYW5lbC5uZXQACgkQlSG+3KvZTd/oEBAAxh7jZIQ9lx7c5WrFCDzATJvKBrQD nD050cjR3TttYrYxRiPEEvKsILihtfKO8HFiPw4zQJVtBNp2l631RHDD7+XH8Fq7 w5P6Ck+epOTqxX5pYbk3CQ3zszZE6igPjODSfd+WZyzDKqvJ/CJjPPKRTO65J876 u/hlHZBnkVNr10w2ssnPf2FsVoCtB+vcJrASsbyzqyUyhkL5rUFVcQrYS3VAiWDs yE3dvh1tVjxw8VOFJzU0pLEeOrnTtCNLaaGzRgkAUt8jIMNKjIZ1yPpihqwW0UQG PCJg60iABUpj23VNhZniMPkq324eizOrmtCQEtAxb+pXxc0SXS6PuxA/0USnJL02 P7tf/d7sARIWsG5o/JihWlE8+8wWwEmDGmr8cGHaFDEQ2mJxlhPHXGm7GrhxmtE4 Xkj3Cq7ns5fTO2k3VMs6FNKYtDohuDL7nB4ZnPe91e09NebSFDTHjN0N65Mwpgdv 2FEFUppgypzfkDPhyYD+WyfwUoNo8wRIzOVoLZMfPFhq73I42iwwaaVjxKLAu3h6 qJtX0/cl8gDP+m9rWbYziZ/ABXS9pbi7G8wa7pXAQQLegainEZshuWs48aIdq1XP T7FANjS6N+xNIR66HhQWhCTNPwHrAdhtoKfaYiyCP3toqSfRUngjDi8ywr0bdFOi I35tYwec8Kr+rXQ= =L+ZN -----END PGP SIGNATURE-----