cPanel TSR-2018-0001 Full Disclosure

SEC-308

Summary

SRS secret revealed in exim.conf.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 2.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

When the experimental SRS option for Exim was enabled, the secret key used to sign SRS email was visible inside the exim.conf file. This setting is now stored in a separate file that is not world-readable.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39

SEC-321

Summary

Database and dbuser names were not validated during renames.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Description

When renaming a database or database user via either the MySQL or PostgreSQL adminbins, the new name was not verified to meet cPanel’s naming requirements. This allowed an attacker to create databases or database users with reserved or invalid names.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39

SEC-324

Summary

Ownership not enforced by addpkgext and delpkgext WHM API calls.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 2.7 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Description

The “addpkgext” and “delpkgext” WHM API calls did not restrict modifications to packages and accounts that the reseller was authorized to change. These API calls now restrict modifications based on package and account ownership if the reseller does not have the “all” ACL.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
68.0.27

SEC-339

Summary

Backups revealed contents of directories that the user did not own.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 2.8 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

Description

During a backup it was possible to lead the process into directories that the user did not own. The file and directory paths would then be saved to a file that was readable by the user.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39

SEC-342

Summary

Root’s crontab briefly world-readable when enabling backups.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 2.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Description

When enabling backups, it is sometimes necessary to add new entries to root’s crontab. To perform this change, a temporary file was created with a predictable name and world-readable permissions. This allowed the crontab to be read by normal users during this action.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39

SEC-349

Summary

Arbitrary file read via restore adminbin.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Description

Race conditions in the RESTOREFILE functionality of the restore adminbin could be misused by local attackers to read any files on the system.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
68.0.27

SEC-351

Summary

Root’s crontab briefly world-readable during crontab configuration.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 2.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Description

When saving changes to root’s crontab through the “Configure cPanel Cron Jobs” interface in WHM, a temporary file containing root’s crontab was created with world-readable permissions.

Credits

This issue was discovered by rack911labs.com.

Solution

This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39

SEC-352

Summary

Root’s crontab briefly world-readable during post-update tasks.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

During cPanel updates, root’s crontab was exposed in a world-readable temporary file by the post-install task that updates cPAddons.

Credits

This issue was discovered by rack911labs.com.

Solution

This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39

SEC-353

Summary

World-readable copy of httpd.conf created during syntax test.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 2.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

During httpd.conf updates on systems using EasyApache4, a copy of the httpd.conf file was created with world-readable permissions.

Credits

This issue was discovered by rack911labs.com.

Solution

This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39

SEC-354

Summary

Insecure file operations in bin/csvprocess.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.4 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N

Description

The csvprocess script performed file operations on predictably named files in the current working directory. If this script was run by the root user in a user-controlled directory, it was possible for an attacker to cause root-owned files to be overwritten. This script has been removed and its functionality moved into the API call that previously utilized this script.

Credits

This issue was discovered by rack911labs.com.

Solution

This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39

SEC-355

Summary

World-readable archive created by archive_sync_zones script.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 2.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Description

When scripts/archive_sync_zones generated a backup file, the resulting archive was created with world-readable permissions.

Credits

This issue was discovered by rack911labs.com.

Solution

This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39

SEC-356

Summary

Limited arbitrary file write via telnetcrt script.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.4 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N

Description

The telnetcrt script attempted to change directory to a safe location to write temporary files without verifying the directory existed or that the change of directory was successful. If this script was run manually in a world-writable directory, a local attacker could symlink the temporary filenames to unsafe locations. This script is no longer used by cPanel and has been removed.

Credits

This issue was discovered by rack911labs.com.

Solution

This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39

SEC-383

Summary

Self-XSS in cPanel Backup Restoration.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

When rendering the list of files that are restored from a partial backup, appropriate HTML escaping was not performed. This allowed arbitrary code to be injected into the rendered page.

Credits

This issue was discovered by Fabian Patrik of https://websafe.hu.

Solution

This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39

SEC-385

Summary

Self-XSS in WHM Apache Configuration Include Editor.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

When rendering invalid syntax after saving new Apache includes, context-appropriate escaping was not performed. This allowed arbitrary code to be injected into the rendered page.

Credits

This issue was discovered by Fabian Patrik of https://websafe.hu.

Solution

This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39

SEC-386

Summary

Self-Stored-XSS in WHM Account Transfer.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

Account usernames were not properly HTML escaped in the transfer log header when using the Remote User Account Transfer interface in WHM. This allowed arbitrary code to be injected into the rendered page.

Credits

This issue was discovered by Fabian Patrik of https://websafe.hu.

Solution

This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39

SEC-387

Summary

Self-XSS in WHM Spamd Startup Config.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

When saving spamd directives in WHM Spamd Startup Config, invalid configuration values were displayed without appropriate HTML escaping. This allowed arbitrary code to be injected into the rendered page.

Credits

This issue was discovered by Fabian Patrik of https://websafe.hu.

Solution

This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39

SEC-388

Summary

World-readable files created when using WHM Apache Includes Editor.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 2.2 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Description

When modifying the Apache Includes via the WHM Apache Includes Editor, the new configuration was created with world-readable permissions. This allowed the configuration to be viewed by non-privileged users.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39
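The world-readable temporary-file pattern behind SEC-342, SEC-351, SEC-352, SEC-353, SEC-355, SEC-356 and SEC-388, shown as an added Python example that is not cPanel's code: the vulnerable write beside a hardened one, plus a small audit helper a defender can run over a directory. The crontab line and file names are constructed samples.

```python
"""Predictable, world-readable temp files versus a hardened pattern. Added example
(not cPanel's code) for SEC-342/351/352/353/355/356/388, plus an audit helper."""
import os
import stat
import tempfile

SENSITIVE = "0 3 * * * /usr/local/cpanel/bin/backup\n"  # constructed crontab line

def write_insecure(directory: str) -> str:
    """Vulnerable: fixed name, mode 0666 & ~umask, follows a planted symlink."""
    path = os.path.join(directory, "root_crontab.tmp")
    with open(path, "w") as fh:
        fh.write(SENSITIVE)
    return path

def write_hardened(directory: str) -> str:
    """Hardened: random name, O_CREAT|O_EXCL (O_NOFOLLOW where available), 0600."""
    fd, path = tempfile.mkstemp(prefix=".crontab.", dir=directory)
    try:
        st = os.fstat(fd)  # inspect the descriptor we hold, not the path
        if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1 or st.st_uid != os.getuid():
            raise OSError("temp file is not a fresh regular file owned by us")
    except Exception:
        os.close(fd)
        os.unlink(path)
        raise
    with os.fdopen(fd, "w") as fh:  # closes fd on exit
        fh.write(SENSITIVE)
    return path

def audit_world_readable(directory: str) -> list:
    """Names of regular files in `directory` readable by 'other' (audit check)."""
    hits = []
    with os.scandir(directory) as it:
        for entry in it:
            if entry.is_file(follow_symlinks=False) and \
                    entry.stat(follow_symlinks=False).st_mode & stat.S_IROTH:
                hits.append(entry.name)
    return sorted(hits)

def demo() -> list:
    """Create both variants under a typical 022 umask; return what the audit flags."""
    old = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            write_insecure(d)
            write_hardened(d)
            return audit_world_readable(d)
    finally:
        os.umask(old)
```

Only the predictably named file written with the process umask is flagged; the mkstemp-created file is 0600 from the moment it exists, so there is no window in which another local user can read it.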

SEC-389

Summary

Self-XSS in WHM listips interface.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

The WHM /scripts2/listips interface did not escape user input and backend error messages when displaying JavaScript notices.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39
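The missing-escaping class behind SEC-383 through SEC-389, as an added Python example that is not cPanel's code: the same untrusted value rendered into HTML text versus into a JavaScript notice, with the vulnerable and hardened renderers side by side. The username, error message and `showNotice` function are constructed stand-ins.

```python
"""Context-appropriate output escaping for the XSS class in SEC-383 to SEC-389.
Added example, not cPanel's code: the same untrusted value needs different
escaping depending on whether it lands in HTML text or a JavaScript literal."""
import html
import json

# Constructed samples: a transferred account name (SEC-386) and a backend
# error message echoed into a JavaScript notice (SEC-389).
USERNAME = "joe<script>x()</script>"
ERROR_MSG = "invalid directive: </script><b>x</b>"

def header_unsafe(username: str) -> str:
    """Vulnerable pattern: raw interpolation into HTML text."""
    return f"<h2>Transfer log for {username}</h2>"

def header_safe(username: str) -> str:
    """HTML text context: entity-escape &, <, > and both quote characters."""
    return f"<h2>Transfer log for {html.escape(username, quote=True)}</h2>"

def js_string(value: str) -> str:
    """JavaScript string-literal context. json.dumps produces a double-quoted
    literal with quotes, backslashes, control and non-ASCII characters (incl.
    U+2028/2029) escaped; '</' and '<!--' are escaped too, so the HTML parser
    can never see a premature '</script>' inside the literal."""
    return json.dumps(value).replace("</", "<\\/").replace("<!--", "<\\!--")

def notice_unsafe(msg: str) -> str:
    """Vulnerable pattern: raw interpolation into a <script> block."""
    return f'<script>showNotice("{msg}");</script>'

def notice_safe(msg: str) -> str:
    """Hardened: the value becomes a proper JS literal for this context."""
    return f"<script>showNotice({js_string(msg)});</script>"
```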

For the PGP-Signed version of this announcement please see: https://news.cpanel.com/wp-content/uploads/2018/01/TSR-2018-0001.disclosure.signed.txt
