{"id":12902,"date":"2019-07-17T21:06:36","date_gmt":"2019-07-17T21:06:36","guid":{"rendered":"http:\/\/news.cpanel.com\/?p=57287"},"modified":"2019-07-17T21:06:36","modified_gmt":"2019-07-17T21:06:36","slug":"cpanel-tsr-2019-0004-full-disclosure%ef%bb%bf","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cpanel-tsr-2019-0004-full-disclosure%ef%bb%bf\/","title":{"rendered":"cPanel TSR-2019-0004 Full Disclosure"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/news.cpanel.com\/wp-content\/uploads\/2017\/01\/og-cPnews-1.jpg\" class=\"ff-og-image-inserted\" alt=\"\" title=\"\"><\/div>\n<p>Yesterday&nbsp;<a href=\"https:\/\/news.cpanel.com\/tsr-2019-0004-announcement\/\" target=\"_blank\" rel=\"noopener\">cPanel released<\/a>&nbsp;new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel &amp; WHM product. Below is the full disclosure of the changes included in that update.<\/p>\n<p>Information on cPanel\u2019s security ratings is available at&nbsp;<a href=\"https:\/\/go.cpanel.net\/securitylevels\" target=\"_blank\" rel=\"noopener\">https:\/\/go.cpanel.net\/securitylevels<\/a>.<\/p>\n<p>If your deployed cPanel &amp; WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. 
If you have disabled automatic updates, then we strongly encourage you to update your cPanel &amp; WHM installations at your earliest convenience.<\/p>\n<p><strong>SEC-501<\/strong><\/p>\n<p><strong>Summary<br \/><\/strong>Demo account remote code execution via faulty URI dispatching.<br \/><strong>Security Rating<br \/><\/strong>cPanel has assigned this vulnerability a CVSSv3 score of 6.5 CVSS:3.0\/AV:N\/AC:H\/PR:N\/UI:N\/S:C\/C:L\/I:L\/A:L<br \/><strong>Description<br \/><\/strong>Errors in the dispatching logic for email autoconfiguration URIs allowed demo accounts to execute functions in the cpanel templating engine that are normally prohibited.<br \/><strong>Credits<br \/><\/strong>This issue was discovered by the cPanel Security Team.<br \/><strong>Solution<br \/><\/strong>This issue is resolved in the following builds:<br \/>11.80.0.22<br \/>11.78.0.34<\/p>\n<p><strong>SEC-504<\/strong><\/p>\n<p><strong>Summary<br \/><\/strong>Stored-XSS vulnerability in WHM Tomcat Manager interface.<br \/><strong>Security Rating<br \/><\/strong>cPanel has assigned this vulnerability a CVSSv3 score of 5.4 CVSS:3.0\/AV:N\/AC:L\/PR:L\/UI:R\/S:C\/C:L\/I:L\/A:N<br \/><strong>Description<br \/><\/strong>The status messages displayed when disabling Tomcat for a cPanel account were not adequately escaped. It was possible for the user to manipulate the content of these status messages. 
This allowed cPanel accounts to inject arbitrary HTML on the rendered page.<br \/><strong>Credits<br \/><\/strong>This issue was discovered by the cPanel Security Team.<br \/><strong>Solution<br \/><\/strong>This issue is resolved in the following builds:<br \/>11.82.0.2<br \/>11.80.0.22<br \/>11.78.0.34<\/p>\n<p><strong>SEC-506<\/strong><\/p>\n<p><strong>Summary<br \/><\/strong>Self XSS vulnerability in cPanel and webmail master templates.<br \/><strong>Security Rating<br \/><\/strong>cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0\/AV:N\/AC:H\/PR:N\/UI:R\/S:C\/C:L\/I:L\/A:N<br \/><strong>Description<br \/><\/strong>All cPanel and webmail interfaces include a username header at the top of the rendered pages. It was possible to manipulate what is displayed in this header by visiting certain nonexistent webmail accounts. This allowed arbitrary HTML to be injected into the rendered page.<br \/><strong>Credits<br \/><\/strong>This issue was discovered by the cPanel Security Team.<br \/><strong>Solution<br \/><\/strong>This issue is resolved in the following builds:<br \/>11.82.0.2<br \/>11.80.0.22<br \/>11.78.0.34<\/p>\n<p><strong>SEC-507<\/strong><\/p>\n<p><strong>Summary<br \/><\/strong>Unauthenticated file creation vulnerability via Exim log parsing.<br \/><strong>Security Rating<br \/><\/strong>cPanel has assigned this vulnerability a CVSSv3 score of 6.8 CVSS:3.0\/AV:N\/AC:H\/PR:N\/UI:N\/S:C\/C:N\/I:H\/A:N<br \/><strong>Description<br \/><\/strong>The cPanel Tailwatch daemon determines when to notify an account about excessive email sending by parsing the Exim log. It keeps track of which accounts have been notified using flag files. 
It was possible to inject data into the Exim log that would cause these flag files to be created in arbitrary locations.<br \/><strong>Credits<br \/><\/strong>This issue was discovered by the cPanel Security Team.<br \/><strong>Solution<br \/><\/strong>This issue is resolved in the following builds:<br \/>11.82.0.2<br \/>11.80.0.22<br \/>11.78.0.34<\/p>\n<p><strong>SEC-510<\/strong><\/p>\n<p><strong>Summary<br \/><\/strong>Root MySQL password revealed to local accounts.<br \/><strong>Security Rating<br \/><\/strong>cPanel has assigned this vulnerability a CVSSv3 score of 7.3 CVSS:3.0\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H<br \/><strong>Description<br \/><\/strong>A new MySQL password is generated and configured for the root account when no MySQL client configuration file is present during the installation of cPanel &amp; WHM. The code to generate the new password was faulty, leaving some systems with root MySQL passwords that could be discovered by local attackers.<br \/><strong>Credits<br \/><\/strong>This issue was discovered by the cPanel Security Team.<br \/><strong>Solution<br \/><\/strong>This issue is resolved in the following builds:<br \/>11.82.0.2<br \/>11.80.0.22<\/p>\n<p><strong>SEC-512<\/strong><\/p>\n<p><strong>Summary<br \/><\/strong>Stored-XSS vulnerability in WHM Modify Account interface.<br \/><strong>Security Rating<br \/><\/strong>cPanel has assigned this vulnerability a CVSSv3 score of 5.4 CVSS:3.0\/AV:N\/AC:L\/PR:L\/UI:R\/S:C\/C:L\/I:L\/A:N<br \/><strong>Description<br \/><\/strong>The status messages displayed when modifying a cPanel account in WHM were not adequately escaped. It was possible for the cPanel account to manipulate the content of these status messages. 
This allowed an attacker to inject arbitrary HTML on the rendered page.<br \/><strong>Credits<br \/><\/strong>This issue was discovered by the cPanel Security Team.<br \/><strong>Solution<br \/><\/strong>This issue is resolved in the following builds:<br \/>11.82.0.2<br \/>11.80.0.22<br \/>11.78.0.34<\/p>\n<p><strong>SEC-514<\/strong><\/p>\n<p><strong>Summary<br \/><\/strong>Reseller package creation ACLs enforced incorrectly.<br \/><strong>Security Rating<br \/><\/strong>cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.0\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:N\/I:L\/A:N<br \/><strong>Description<br \/><\/strong>The \u201callow-parkedcreate\u201d and \u201callow-addoncreate\u201d reseller ACLs were not enforced correctly. This allowed a restricted reseller to create packages with parked and addon domain limits exceeding the reseller\u2019s configured limits.<br \/><strong>Credits<br \/><\/strong>This issue was discovered by Edwin F Sturt.<br \/><strong>Solution<br \/><\/strong>This issue is resolved in the following builds:<br \/>11.82.0.2<br \/>11.80.0.22<br \/>11.78.0.34<\/p>\n<p>For the PGP-signed message, please see:&nbsp;<a href=\"http:\/\/news.cpanel.com\/wp-content\/uploads\/2019\/07\/TSR-2019-0004.full_.disclosure.signed.txt\" target=\"_blank\" rel=\"noopener\">TSR-2019-0004 Full Disclosure<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Yesterday&nbsp;cPanel released&nbsp;new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel &amp; WHM product. Below is the full disclosure of the changes included in that update. Information on cPanel\u2019s security ratings is available at&nbsp;https:\/\/go.cpanel.net\/securitylevels. 
If your deployed cPanel &amp; WHM servers are configured to automatically update &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25],"tags":[],"class_list":["post-12902","post","type-post","status-publish","format-standard","hentry","category-cpanel-news"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/12902","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=12902"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/12902\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=12902"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=12902"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=12902"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}