cPanel TSR-2019-0006 Full Disclosure
SEC-499
Summary
Authentication bypass due to variations in webmail username handling.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
The process used to normalize and validate webmail account names was not consistent across different authentication subsystems. Because of these discrepancies, authenticated cPanel users could gain access to other cPanel and Webmail accounts on the system.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.84.0.10
11.82.0.18
11.78.0.43
SEC-508
Summary
Account suspension bypass via virtual mail accounts.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 2.5 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Description
The authentication logic for some subsystems relied entirely on data stored in the cPanel account’s home directory for the enforcement of account suspensions. A cPanel user could take advantage of this behavior to retain access to virtual email accounts after the user’s system account was suspended.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.84.0.10
11.82.0.18
11.78.0.43
SEC-516
Summary
Authentication bypass due to faulty password file format parsing.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
The functions in cPanel & WHM that handled password and shadow file lookups did not enforce the constraints of this file format. This behavior could be misused by authenticated attackers to gain access to other accounts on the system.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.84.0.10
11.82.0.18
11.78.0.43
SEC-520
Summary
Self-XSS due to faulty JSON string escaping.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 4.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
The escaping method used for some JSON string interpolation in cPanel & WHM interface templates did not escape all possible character combinations unambiguously.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.84.0.10
11.82.0.18
11.78.0.43
SEC-525
Summary
Cpanel::Rand::Get can produce predictable output.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 2.5 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Description
When the /dev/urandom device is not initialized, Cpanel::Rand::Get initializes Perl’s random number generation with data from the server’s environment. This data could be predictable and when used as a seed, could cause predictable random numbers to be generated.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.84.0.10
11.82.0.18
11.78.0.43
SEC-531
Summary
MySQL dump streaming allowed reading all databases.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Description
The MySQL database dump streaming functionality passed database names to the mysqldump binary in an ambiguous fashion. An authenticated attacker could misuse this behavior to read all databases on the system.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.84.0.10
11.82.0.18
SEC-532
Summary
Root chown on arbitrary paths in cPanel log processing.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 5.6 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Description
When processing logs to calculate bandwidth, symlinks to the processed logs are created in the user’s home directory. An attacker can intercept this process to cause the ownership of an arbitrary file to be changed to the attacking user.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.84.0.10
11.82.0.18
11.78.0.43
SEC-533
Summary
Stored XSS Vulnerability in WHM Backup Restoration.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Description
Error messages displayed in the WHM Backup Restoration interface were not adequately encoded. Due to this, it was possible for an attacker to inject arbitrary code into the rendered page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.84.0.10
11.82.0.18
11.78.0.43
SEC-534
Summary
WebDAV authentication bypass due to faulty connection sharing logic.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Description
Client authentication was not validated correctly when multiple WebDAV clients connected to the cpdavd daemon through a proxy server. Subsequent requests in a keepalive connection could inherit the authentication of prior requests.
Credits
This issue was discovered by Martin Rouf.
Solution
This issue is resolved in the following builds:
11.84.0.10
11.82.0.18
11.78.0.43
For the PGP-signed message, please see: https://news.cpanel.com/wp-content/uploads/2019/11/TSR-2019-0006.disclosure.signed.txt.
مدیریت سرور پشتیبانی و مشاوره – ثبت دامنه