cPanel TSR-2018-0002 Full Disclosure
cPanel TSR-2018-0002 Full Disclosure
SEC-338
Summary
Arbitrary file chmod during legacy incremental backups.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Description
It was possible for a user to prepare their home directory in a way that after a series of incremental backups they could chmod arbitrary files on the system.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-357
Summary
Self-XSS in WHM cPAddons showsecurity Interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
The addon parameter to the cPAddons showsecurity interface is not adequately encoded when included in the final rendered page. This allowed for arbitrary scripts to be injected into the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
SEC-359
Summary
Code execution via ‘.’ in @INC during perl syntax check of cpaddonsup.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.6 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Description
The syntax check performed during /scripts/cpaddonsup did not use the fully qualified path to the cPanel distributed perl interpreter. This could allow an attacker to execute arbitrary code if root executed this script in a user controlled directory.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-362
Summary
Demo account code execution via awstats.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Description
The awstats application can be abused to execute arbitrary code on the server. This can be used by demo accounts to execute arbitrary code.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-364
Summary
Root accesshash revealed by WHM /cgi/trustclustermaster.cgi.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N
Description
A logic error in /cgi/trustclustermaster.cgi potentially exposed root’s accesshash when executed by a reseller with the DNS Clustering ACL.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-368
Summary
OpenID providers can inject arbitrary data into cPanel session files.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 6.4 CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
Description
cPanel session files are not capable of handling values including newlines. When linking accounts, OpenID Connect provider data is directly passed from the remote provider into the session. If this data includes a newline, it is possible to corrupt the session, allowing login to non-linked accounts.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-369
Summary
Stored XSS in WHM Edit DNS Zone.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.6 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Description
When saving a modified DNS zone, the MX records are parsed in order to reconfigure mail routing. This parsing process is not correct and processes non-MX records by mistake. This in combination with insufficient encoding of output error messages allowed for an attacker to inject arbitrary code into the rendered page when a DNS zone is saved.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-370
Summary
Stored XSS in WHM Edit MX Entry.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.6 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Description
When saving a modified MX record, the MX records are parsed in order to reconfigure mail routing. This parsing process is not correct and processes non-MX records by mistake. This in combination with insufficient encoding of output error messages allowed for an attacker to inject arbitrary code into the rendered page when a MX record is saved.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-372
Summary
Remote Stored XSS in WHM DNS Cluster.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
When viewing the list of currently configured DNS Cluster server members, the server version did not perform context appropriate escaping. This could allow an attacker to execute arbitrary code in the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-373
Summary
Remote Stored XSS in WHM Create Account.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
When creating an account while an attacker controlled DNS cluster server is configured, messages passed back from DNS Admin did not apply context appropriate escaping. This allowed arbitrary code to be injected into the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-374
Summary
Remote Stored XSS in WHM Edit DNS Zone.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
When editing DNS zones while an attacker controlled DNS cluster server is configured, messages passed back from DNS Admin did not apply context appropriate escaping. This allowed arbitrary code to be injected into the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-375
Summary
Remote Stored XSS in WHM Delete a DNS Zone.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
When deleting DNS zones while an attacker controlled DNS cluster server is configured, messages passed back from DNS Admin did not apply context appropriate escaping. This allowed arbitrary code to be injected into the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-376
Summary
Remote Stored XSS in WHM DNS Cleanup.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
When cleaning up DNS zones while an attacker controlled DNS cluster server is configured, messages passed back from DNS Admin did not apply context appropriate escaping. This allowed arbitrary code to be injected into the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-377
Summary
Remote Stored XSS in WHM Synchronize DNS Records.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
When syncing DNS zones while an attacker controlled DNS cluster server is configured, messages passed back from DNS Admin did not apply context appropriate escaping. This allowed arbitrary code to be injected into the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-378
Summary
Arbitrary file read and unlink via WHM style uploads.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.6 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
Description
A logic error in the handling of file uploads allowed attackers with the “manage-styles” ACL to read or unlink any file on the server with root’s effective permissions.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-379
Summary
Local privilege escalation via WHM Legacy Language File Upload interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 8.2 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Description
A logic error in the handling of file uploads allowed attackers with the “locale-edit” ACL to read, write and chmod files with root’s effective permissions. A local attacker could misuse this behavior to run arbitrary code at the root user.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-380
Summary
Local privilege escalation via WHM Locale XML Upload interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 8.2 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Description
A logic error in the handling of file uploads allowed attackers with the “locale-edit” ACL to read, write and chmod files with root’s effective permissions. A local attacker could misuse this behavior to run arbitrary code at the root user.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-382
Summary
Jailshell breakout via incorrect crontab parsing.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 3.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Description
There was a mismatch between what the crontab daemon considers whitespace versus the validation applied against new cron entries. This allowed for an attacker to set entries to be run by an arbitrary shell resulting in escape from jailshell.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-391
Summary
Remote Stored XSS in cpaddons vendor interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
When adding a 3rd party vendor to the cpaddons interface, the output was not properly escaped. This allowed remotely stored malicious files to execute arbitrary code in the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-392
Summary
Open redirect via /unprotected/redirect.html endpoint.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Description
The redirect script present at /unprotected/redirect.html does not adequately validate the redirect path parameter. This allowed for a redirect to arbitrary URLs.
Credits
This issue was discovered by Georgi Vasilev of siteground.com.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-401
Summary
Htaccess restrictions bypass when “Htaccess Optimization” enabled.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Description
The “Htaccess Optimization” functionality introduced in cPanel & WHM version 66 allowed the bypassing of account suspensions and .htaccess based access controls with some configurations. This funtionality has been disabled and will be replaced with an alternative optimization method in a future update.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
SEC-405
Summary
Demo account code execution via cPanel Landing Page.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 7.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Description
The app_name parameter used in the cPanel Landing Page template could be abused to additionally process a template controlled by a cPanel user. This can be used by demo accounts to execute arbitrary code.
Credits
This issue was discovered by Fabian Patrik of websafe.hu.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-406
Summary
Apache logs exposed by creation of certain domains.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.1 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
Description
A reseller could create a domain that would use and change ownership of already existing domain log files. These domains use the “.localhost” TLD. It is no longer possible to create a domain with the aforementioned TLD.
Credits
This issue was discovered by rack911labs.com.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-410
Summary
Stored XSS in WHM Edit DNS Zone.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.6 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Description
When editing a DNS zone, error messages for a zone that can not be parsed correctly are returned to the user. These error messages are not sufficiently encoded. This allowed arbitrary code to be injected into the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-411
Summary
Email account suspensions can be applied to unowned accounts.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.4 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Description
It was possible for a user to suspend or unsuspend email accounts they did not own by taking advantage of email account names that contained newlines.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-412
Summary
Stored XSS in WHM Reset a DNS Zone.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.6 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Description
When resetting a DNS zone, error messages for a zone that can not be parsed correctly are returned to the user. These error messages are not sufficiently encoded. This allowed arbitrary code to be injected into the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
62.0.42
SEC-371
Summary
Any user is able to shut down Solr.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Description
The solr daemon stop key is passed to the daemon on the command line when it is started. This value is visible in the process listing when the daemon is running. Other users are able to see this, allowing a potential attacker to shutdown the daemon at any time.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
70.0.23
68.0.33
For the PGP-Signed version of this announcement please see: https://news.cpanel.com/wp-content/uploads/2018/03/TSR-2018-0002.disclosure.signed.txt