-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

cPanel TSR-2022-0005 Full Disclosure

SEC-661

Summary
Fix test used by cpsrvd to check for PHP.

Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 4.1
CVSS3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H

Description
The test that refuses to run a PHP page for resellers logged into WHM was not checking for the case where extra path info is appended after the .php extension, so such a request was run by the CGI handler.

Credits
This issue was discovered by John Lightsey.

Solution
This issue is resolved in the following builds:
11.108.0.3
11.106.0.10
11.102.0.25

SEC-662

Summary
Fix HttpRequest to not write to user home directories as root.

Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 9.0
CVSS3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H

Description
The DNS caching mechanism used in Cpanel::HttpRequest used $Cpanel::homedir as the directory in which to store its data. There are times, such as when a reseller invokes get_update_availability, when $Cpanel::homedir is set to the reseller's home directory while the process is running as root. There is no reason to favor $Cpanel::homedir over the home directory of the effective user. If we are running as root, we should write the DNS cache data under the /root directory.

Credits
This issue was discovered by John Lightsey.

Solution
This issue is resolved in the following builds:
11.108.0.3
11.106.0.10
11.102.0.25

SEC-665

Summary
Fix arbitrary file read in zone admin bin.

Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description
The problem here is two-fold.

First: the SWAP_IP_IN_ZONES function in the zone admin bin needs to validate the IP addresses passed into it. This prevents attackers from using the function to pass bogus "includes" into the zone file.
Second: when evaluating the "includes" while parsing the zone file, we should drop privileges to those of the domain owner. If a domain owner does not have privileges to read a file, they should not be able to include it in their zone file.

Credits
This issue was discovered by John Lightsey.

Solution
This issue is resolved in the following builds:
11.108.0.3
11.106.0.10
11.102.0.25

SEC-666

Summary
Fix maketext format string injection.

Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 3.3
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Description
In some circumstances maketext was vulnerable to string injection. This is resolved by not giving the strings any special processing.

Credits
This issue was discovered by John Lightsey.

Solution
This issue is resolved in the following builds:
11.108.0.3
11.106.0.10
11.102.0.25

SEC-667

Summary
Ensure SET_SERVICE_PROXY_BACKENDS passes the caller for the username.

Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 8.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description
SET_SERVICE_PROXY_BACKENDS was passing a hash to set_backends_and_update_services that combined a username key/value pair with the hash of the parameters passed into the function. If that parameter hash had a different value set for the username key, it overwrote the calling user, so the supplied value became the username passed on to set_backends_and_update_services. This could allow a non-root user to set the username parameter to anything: another user, or, as illustrated in this case, a path traversal used for a security exploit.

The fix sets the value of the username key in the parameters hash to the calling user's account name. This overwrites any value already present in the hash and ensures the intended user name is passed on.

Credits
This issue was discovered by John Lightsey.
Solution
This issue is resolved in the following builds:
11.108.0.3
11.106.0.10
11.102.0.25
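Added illustration of the SEC-667 hash-ordering defect and its fix, written for this page and not taken from cPanel's code; set_backends_and_update_services is a hypothetical stand-in that only reports the username it receives, and the account names and request parameters are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-in for set_backends_and_update_services: it only reports
# which account name it was handed, which is the value the fix is about.
sub set_backends_and_update_services {
    my ($args) = @_;
    return $args->{username};
}

# Ordering as described for the unfixed SET_SERVICE_PROXY_BACKENDS: the caller's
# name is placed first, then the request parameters are spread in after it, so a
# request that carries its own 'username' key silently replaces the caller.
sub set_service_proxy_backends_before_fix {
    my ($caller, %params) = @_;
    return set_backends_and_update_services({ username => $caller, %params });
}

# Ordering as described for the fix: the username key is assigned after the
# request parameters are in place, so the calling account always wins.
sub set_service_proxy_backends_after_fix {
    my ($caller, %params) = @_;
    $params{username} = $caller;
    return set_backends_and_update_services(\%params);
}

# Constructed inputs: 'alice' is the authenticated account, and the request
# smuggles a different username alongside the legitimate backend parameter.
my $caller  = 'alice';
my %request = ( backends => 'mail', username => 'bob' );

my $before = set_service_proxy_backends_before_fix($caller, %request);
my $after  = set_service_proxy_backends_after_fix($caller, %request);

printf "before fix: downstream sees username '%s'\n", $before;
printf "after fix:  downstream sees username '%s'\n", $after;

# Self-check: the hardened ordering must never let the request override the caller.
die "hardened path leaked request-supplied username" unless $after eq $caller;
```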