SEC-646

Summary

Explicitly set the error log in scripts/cleanphpsessions.php.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 2.3
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:H

Description

If /usr/local/cpanel/scripts/cleanphpsessions.php is run via the system php (not "our" php), it dumps errors into an error log in the working directory. This could allow for a symlink attack. Explicitly set the error log to the same error log that "our" php uses.

Credits

This issue was discovered by RACK911.

Solution

This issue is resolved in the following builds:
11.106.0.3
11.104.0.8
11.102.0.21

SEC-652

Summary

Fix Self-XSS vulnerability in ModSec Tools interface.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 2.6
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N

Description

Add the escaping needed so that error/warning messages display offending content as text rather than attempting to render it.

Credits

This issue was discovered by John Lightsey.

Solution

This issue is resolved in the following builds:
11.106.0.3
11.104.0.8
11.102.0.21

SEC-653

Summary

Prevent arbitrary file reading via DNS zone parsing.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

Parsing a DNS zone reads the contents of any include file and incorporates them into the zone data. If this occurs as a result of an AdminBin call by a cPanel user, the parse operation runs as root, allowing a non-privileged account to read any file on the system. Before loading the include file contents, check whether the calling user is non-root and, if so, drop privileges before reading the file.

Credits

This issue was discovered by John Lightsey.

Solution

This issue is resolved in the following builds:
11.106.0.3
11.104.0.8
11.102.0.21

SEC-654

Summary

Fix XSS in WHM ModSec Vendors interface.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 2.6
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N

Description

The error message from a failed "Save" operation must be escaped before it is displayed.

Credits

This issue was discovered by John Lightsey.

Solution

This issue is resolved in the following builds:
11.106.0.3
11.104.0.8
11.102.0.21

SEC-655

Summary

Verify domain ownership in subdomain admin module.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 5.0
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L

Description

When an adminbin call is made to delete a subdomain, there is no initial check to validate the caller's ownership of the domain. The call to delete the subdomain eventually errors out, but only after disabling PHP-FPM for the domain. Have the subdomain admin module validate domain ownership before attempting any action on the domain. The same check is needed for the call that changes a domain's document root, and ownership of the root domain must be validated when creating a subdomain.

Credits

This issue was discovered by John Lightsey.

Solution

This issue is resolved in the following builds:
11.106.0.3
11.104.0.8
11.102.0.21

SEC-658

Summary

Fix MySQL admin takeover via postponed dbuser creation.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 7.6
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

Description

When an account is created, we check the proposed account name for collisions with database user names. However, we skip this check when the database service has been disabled. This can allow for database account takeovers once the database service is re-enabled. If the database service is disabled, at least check the map file for name collisions.

Credits

This issue was discovered by John Lightsey.

Solution

This issue is resolved in the following builds:
11.106.0.3
11.104.0.8
11.102.0.21
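The privilege-drop pattern behind the SEC-653 fix, as an added example that is not cPanel's own code (cPanel's zone handling is written in Perl; the function names, the `$INCLUDE` handling and the sample zone here are constructed): a root-running handler forks, drops to the caller's uid/gid in the child, and only then opens the include file, so the kernel decides what the caller may read.

```python
import os
import tempfile

def read_file_as(path: str, uid: int, gid: int) -> bytes:
    # Fork, drop to the caller's ids in the child, and only then open the file,
    # so the kernel's permission check runs as the caller rather than as root.
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:
        os.close(rfd)
        try:
            if os.getuid() == 0:
                os.setgroups([])             # shed root's supplementary groups
            os.setresgid(gid, gid, gid)      # group first; after setuid it would be refused
            os.setresuid(uid, uid, uid)      # real, effective and saved: no way back to root
            with open(path, "rb") as fh, os.fdopen(wfd, "wb") as out:
                out.write(fh.read())
            os._exit(0)
        except Exception:
            os._exit(1)
    os.close(wfd)
    chunks = []
    while chunk := os.read(rfd, 65536):
        chunks.append(chunk)
    os.close(rfd)
    _, status = os.waitpid(pid, 0)
    if not (os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0):
        raise PermissionError(f"cannot read {path} as uid {uid}")
    return b"".join(chunks)

def expand_zone(zone_text: str, caller_uid: int, caller_gid: int) -> list[str]:
    # Splice each $INCLUDE target into the zone, read with the caller's privileges.
    # A root caller stays root in the child (setresuid(0, 0, 0) is a no-op).
    out: list[str] = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0].upper() == "$INCLUDE":
            data = read_file_as(fields[1], caller_uid, caller_gid)
            out.extend(data.decode().splitlines())
        else:
            out.append(line)
    return out

def demo() -> list[str]:
    # Constructed sample: a zone whose $INCLUDE points at a file the caller owns.
    with tempfile.TemporaryDirectory() as tmp:
        inc = os.path.join(tmp, "www.zone")
        with open(inc, "w") as fh:
            fh.write("www 3600 IN A 192.0.2.10\n")  # RFC 5737 documentation address
        return expand_zone(f"$ORIGIN example.com.\n$INCLUDE {inc}\n", os.getuid(), os.getgid())
```

An include the caller cannot open fails in the child after the drop, so the parent sees only a PermissionError and no file contents, which is the property the fix relies on.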