{"id":12514,"date":"2019-04-24T18:58:17","date_gmt":"2019-04-24T18:58:17","guid":{"rendered":"http:\/\/news.cpanel.com\/?p=56605"},"modified":"2019-04-24T18:58:17","modified_gmt":"2019-04-24T18:58:17","slug":"cpanel-tsr-2019-0002-full-disclosure%ef%bb%bf","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cpanel-tsr-2019-0002-full-disclosure%ef%bb%bf\/","title":{"rendered":"cPanel TSR-2019-0002 Full Disclosure\ufeff"},"content":{"rendered":"
\"\"<\/div>\n

Yesterday cPanel released<\/a> new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. Below is the full disclosure of the changes included in that update.<\/p>\n

Information on cPanel\u2019s security ratings is available at\u00a0https:\/\/go.cpanel.net\/securitylevels<\/a>.<\/p>\n

If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.<\/p>\n

SEC-477<\/strong><\/p>\n

Summary<\/strong>
\nUnsafe file operations as root in SSL certificate storage.
\nSecurity Rating<\/strong>
\ncPanel has assigned this vulnerability a CVSSv3 score of 5.6 CVSS:3.0\/AV:L\/AC:H\/PR:L\/UI:N\/S:C\/C:H\/I:N\/A:N
\nDescription<\/strong>
\nThe Cpanel::SSL::Objects::Certificate::File\u00a0module creates a cache file when opening and reading an SSL certificate file. The Cpanel::SSLStorage\u00a0module uses this to perform operations on SSL certificates stored in the user\u2019s home directory as root. Because of this, it was possible for an attacker to overwrite and\/or read root-owned files.
\nCredits<\/strong>
\nThis issue was discovered by the cPanel Security Team.
\nSolution<\/strong>
\nThis issue is resolved in the following builds:78.0.1876.0.2170.0.67<\/p>\n

SEC-479<\/strong><\/p>\n

Summary<\/strong>
\nLocal root via\u00a0userdata\u00a0cache\u00a0mis-parsing.
\nSecurity Rating<\/strong>
\ncPanel has assigned this vulnerability a CVSSv3 score of 7.8 CVSS:3.0\/AV:L\/AC:H\/PR:L\/UI:N\/S:C\/C:H\/I:H\/A:H
\nDescription<\/strong>
\nThe\u00a0userdata\u00a0cache uses a custom delimiter separated format using \u201c==\u201c as the delimiter. It is possible for the values in this file to contain this delimiter when written. When reading back this file, it is possible to cause other subsystems on the server into reading, writing,\u00a0chmoding, and executing arbitrary files as root.
\nCredits<\/strong>
\nThis issue was discovered by the cPanel Security Team.
\nSolution<\/strong>
\nThis issue is resolved in the following builds:78.0.1876.0.2170.0.67<\/p>\n

SEC-480<\/strong><\/p>\n

Summary<\/strong>
\nCode execution via\u00a0addforward\u00a0API1 call.
\nSecurity Rating<\/strong>
\ncPanel has assigned this vulnerability a CVSSv3 score of 7.3 CVSS:3.0\/AV:N\/AC:L\/PR:L\/UI:N\/S:C\/C:L\/I:L\/A:L
\nDescription<\/strong>
\nThe\u00a0addforward\u00a0API1 call modified the destination email address after validating that it did not include prohibited EXIM redirect router values. This behavior could be abused by webmail virtual accounts to run arbitrary code on the cPanel server.
\nCredits<\/strong>
\nThis issue was discovered by the cPanel Security Team.
\nSolution<\/strong>
\nThis issue is resolved in the following builds:78.0.1876.0.2170.0.67<\/p>\n

SEC-481<\/strong><\/p>\n

Summary<\/strong>
\nUnsafe terminal capabilities determination using infocmp.
\nSecurity Rating<\/strong>
\ncPanel has assigned this vulnerability a CVSSv3 score of 2.5 CVSS:3.0\/AV:L\/AC:H\/PR:L\/UI:N\/S:U\/C:N\/I:L\/A:N
\nDescription<\/strong>
\nWhen generating formatted\/colored text, the\u00a0infocmp\u00a0binary is called as root, which reads compiled\u00a0terminfo\u00a0files as root. This binary has\u00a0its\u00a0home directory set to \/tmp. It was possible for a user to manipulate the\u00a0terminfo\u00a0files that\u00a0infocmp\u00a0processed.
\nCredits<\/strong>
\nThis issue was discovered by the cPanel Security Team.
\nSolution<\/strong>
\nThis issue is resolved in the following builds:78.0.1876.0.2170.0.67<\/p>\n

SEC-483<\/strong><\/p>\n

Summary<\/strong>
\nOpen mail relay due to faulty domain redirect routing.
\nSecurity Rating<\/strong>
\ncPanel has assigned this vulnerability a CVSSv3 score of 4.3 CVSS:3.0\/AV:N\/AC:L\/PR:N\/UI:R\/S:U\/C:N\/I:L\/A:N
\nDescription<\/strong>
\nThe EXIM configuration used for domain forwarders did not correctly escape the final destination address. This could be abused by unauthenticated remote attackers to relay email through the server.
\nCredits<\/strong>
\nThis issue was discovered by the cPanel Security Team.
\nSolution<\/strong>
\nThis issue is resolved in the following builds:78.0.1876.0.2170.0.67<\/p>\n

SEC-484<\/strong><\/p>\n

Summary<\/strong>
\nLimited file read as root via EXIM virtual_user_spam router.
\nSecurity Rating<\/strong>
\ncPanel has assigned this vulnerability a CVSSv3 score of 3.8 CVSS:3.0\/AV:L\/AC:L\/PR:L\/UI:N\/S:C\/C:L\/I:N\/A:N
\nDescription<\/strong>
\nThe EXIM configuration used for routing spam email addressed to virtual email account did not correctly escape the final destination address. This could be abused by cPanel accounts to read files on the system that were inaccessible to the cPanel user.
\nCredits<\/strong>
\nThis issue was discovered by the cPanel Security Team.
\nSolution<\/strong>
\nThis issue is resolved in the following builds:78.0.1876.0.2170.0.67<\/p>\n

SEC-487<\/strong><\/p>\n

Summary<\/strong>
\nDemo account code execution via securitypolicy.cgi.
\nSecurity Rating<\/strong>
\ncPanel has assigned this vulnerability a CVSSv3 score of 7.4 CVSS:3.0\/AV:N\/AC:L\/PR:L\/UI:N\/S:C\/C:L\/I:L\/A:L
\nDescription<\/strong>
\nThe\u00a0securitypolicy.cgi exists in the main\u00a0docroot\u00a0for cPanel and\u00a0Webmail,\u00a0and can be accessed by normal users. A user can supply POST data to this script that contains both security context and form data. This could be used to write arbitrary data to a demo account\u2019s\u00a0docroot.
\nCredits<\/strong>
\nThis issue was discovered by the cPanel Security Team.
\nSolution<\/strong>
\nThis issue is resolved in the following builds:78.0.1876.0.2170.0.67<\/p>\n

SEC-493<\/strong><\/p>\n

Summary<\/strong>
\nRemote Stored XSS Vulnerability in BoxTrapper Queue Listing.
\nSecurity Rating<\/strong>
\ncPanel has assigned this vulnerability a CVSSv3 score of 6.1 CVSS:3.0\/AV:N\/AC:L\/PR:N\/UI:R\/S:C\/C:L\/I:L\/A:N
\nDescription<\/strong>
\nThe BoxTrapper_showqueue() API call provides a listing of email messages currently in the BoxTrapper queue. Subject headers displayed in this listing are HTML encoded before they are MIME decoded. This allowed for an attacker to inject arbitrary code into the displayed subject.
\nCredits<\/strong>
\nThis issue was discovered by the cPanel Security Team.
\nSolution<\/strong>
\nThis issue is resolved in the following builds:78.0.1876.0.2170.0.67<\/p>\n

For the PGP-signed message, please see:\u00a0TSR-2019-0002 Full Disclosure<\/a><\/p>\n

\u0645\u062f\u06cc\u0631\u06cc\u062a \u0633\u0631\u0648\u0631 \u067e\u0634\u062a\u06cc\u0628\u0627\u0646\u06cc \u0648 \u0645\u0634\u0627\u0648\u0631\u0647 – \u062b\u0628\u062a \u062f\u0627\u0645\u0646\u0647<\/p>\n","protected":false},"excerpt":{"rendered":"

Yesterday cPanel released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. Below is the full disclosure of the changes included in that update. Information on cPanel\u2019s security ratings is available at\u00a0https:\/\/go.cpanel.net\/securitylevels. If your deployed cPanel & WHM servers are configured to …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25],"tags":[],"class_list":["post-12514","post","type-post","status-publish","format-standard","hentry","category-cpanel-news"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/12514","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=12514"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/12514\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=12514"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=12514"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=12514"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}