{"id":13355,"date":"2019-11-20T15:08:27","date_gmt":"2019-11-20T15:08:27","guid":{"rendered":"http:\/\/news.cpanel.com\/?p=57769"},"modified":"2019-11-20T15:08:27","modified_gmt":"2019-11-20T15:08:27","slug":"cpanel-tsr-2019-0006-full-disclosure","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cpanel-tsr-2019-0006-full-disclosure\/","title":{"rendered":"cPanel TSR-2019-0006 Full Disclosure"},"content":{"rendered":"
\"\"<\/div>\n

SEC-499<\/strong><\/p>\n

Summary<\/strong><\/p>\n

Authentication bypass due to variations in webmail username handling.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3.1 score of 8.8 CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H<\/p>\n

Description<\/strong><\/p>\n

The process used to normalize and validate webmail account names was not consistent across different authentication subsystems. Because of these discrepancies, authenticated cPanel users could gain access to other cPanel and Webmail accounts on the system.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by the cPanel Security Team.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
11.84.0.10
11.82.0.18
11.78.0.43<\/p>\n

SEC-508<\/strong><\/p>\n

Summary<\/strong><\/p>\n

Account suspension bypass via virtual mail accounts.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3.1 score of 2.5 CVSS:3.1\/AV:L\/AC:H\/PR:L\/UI:N\/S:U\/C:N\/I:L\/A:N<\/p>\n

Description<\/strong><\/p>\n

The authentication logic for some subsystems relied entirely on data stored in the cPanel account\u2019s home directory for the enforcement of account suspensions. A cPanel user could take advantage of this behavior to retain access to virtual email accounts after the user\u2019s system account was suspended.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by the cPanel Security Team.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
11.84.0.10
11.82.0.18
11.78.0.43<\/p>\n

SEC-516<\/strong><\/p>\n

Summary<\/strong><\/p>\n

Authentication bypass due to faulty password file format parsing.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3.1 score of 8.8 CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H<\/p>\n

Description<\/strong><\/p>\n

The functions in cPanel & WHM that handled password and shadow file lookups did not enforce the constraints of this file format. This behavior could be misused by authenticated attackers to gain access to other accounts on the system.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by the cPanel Security Team.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
11.84.0.10
11.82.0.18
11.78.0.43<\/p>\n

SEC-520<\/strong><\/p>\n

Summary<\/strong><\/p>\n

Self-XSS due to faulty JSON string escaping.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3.1 score of 4.7 CVSS:3.1\/AV:N\/AC:H\/PR:N\/UI:R\/S:C\/C:L\/I:L\/A:N<\/p>\n

Description<\/strong><\/p>\n

The escaping method used for some JSON string interpolation in cPanel & WHM interface templates did not escape all possible character combinations unambiguously.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by the cPanel Security Team.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
11.84.0.10
11.82.0.18
11.78.0.43<\/p>\n

SEC-525<\/strong><\/p>\n

Summary<\/strong><\/p>\n

Cpanel::Rand::Get can produce predictable output.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3.1 score of 2.5 CVSS:3.1\/AV:L\/AC:H\/PR:L\/UI:N\/S:U\/C:L\/I:N\/A:N<\/p>\n

Description<\/strong><\/p>\n

When the \/dev\/urandom device is not initialized, Cpanel::Rand::Get initializes Perl\u2019s random number generation with data from the server\u2019s environment. This data could be predictable and when used as a seed, could cause predictable random numbers to be generated.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by the cPanel Security Team.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
11.84.0.10
11.82.0.18
11.78.0.43<\/p>\n

SEC-531<\/strong><\/p>\n

Summary<\/strong><\/p>\n

MySQL dump streaming allowed reading all databases.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3.1 score of 6.5 CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:N\/A:N<\/p>\n

Description<\/strong><\/p>\n

The MySQL database dump streaming functionality passed database names to the mysqldump binary in an ambiguous fashion. An authenticated attacker could misuse this behavior to read all databases on the system.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by the cPanel Security Team.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
11.84.0.10
11.82.0.18<\/p>\n

SEC-532<\/strong><\/p>\n

Summary<\/strong><\/p>\n

Root chown on arbitrary paths in cPanel log processing.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3.1 score of 5.6 CVSS:3.1\/AV:L\/AC:H\/PR:L\/UI:N\/S:C\/C:H\/I:N\/A:N<\/p>\n

Description<\/strong><\/p>\n

When processing logs to calculate bandwidth, symlinks to the processed logs are created in the user\u2019s home directory. An attacker can intercept this process to cause the ownership of an arbitrary file to be changed to the attacking user.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by the cPanel Security Team.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
11.84.0.10
11.82.0.18
11.78.0.43<\/p>\n

SEC-533<\/strong><\/p>\n

Summary<\/strong><\/p>\n

Stored XSS Vulnerability in WHM Backup Restoration.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3.1 score of 5.4 CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:R\/S:C\/C:L\/I:L\/A:N<\/p>\n

Description<\/strong><\/p>\n

Error messages displayed in the WHM Backup Restoration interface were not adequately encoded. Due to this, it was possible for an attacker to inject arbitrary code into the rendered page.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by the cPanel Security Team.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
11.84.0.10
11.82.0.18
11.78.0.43<\/p>\n

SEC-534<\/strong><\/p>\n

Summary<\/strong><\/p>\n

WebDAV authentication bypass due to faulty connection sharing logic.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3.1 score of 7.5 CVSS:3.1\/AV:N\/AC:H\/PR:N\/UI:R\/S:U\/C:H\/I:H\/A:H<\/p>\n

Description<\/strong><\/p>\n

Client authentication was not validated correctly when multiple WebDAV clients connected to the cpdavd daemon through a proxy server. Subsequent requests in a keepalive connection could inherit the authentication of prior requests.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by Martin Rouf.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
11.84.0.10
11.82.0.18
11.78.0.43<\/p>\n

For the PGP-signed message, please see: https:\/\/news.cpanel.com\/wp-content\/uploads\/2019\/11\/TSR-2019-0006.disclosure.signed.txt.<\/a><\/p>\n

\u0645\u062f\u06cc\u0631\u06cc\u062a \u0633\u0631\u0648\u0631 \u067e\u0634\u062a\u06cc\u0628\u0627\u0646\u06cc \u0648 \u0645\u0634\u0627\u0648\u0631\u0647 – \u062b\u0628\u062a \u062f\u0627\u0645\u0646\u0647<\/p>\n","protected":false},"excerpt":{"rendered":"

SEC-499 Summary Authentication bypass due to variations in webmail username handling. Security Rating cPanel has assigned this vulnerability a CVSSv3.1 score of 8.8 CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H Description The process used to normalize and validate webmail account names was not consistent across different authentication subsystems. Because of these discrepancies, authenticated cPanel users could gain access to other cPanel …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25],"tags":[],"class_list":["post-13355","post","type-post","status-publish","format-standard","hentry","category-cpanel-news"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/13355","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=13355"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/13355\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=13355"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=13355"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=13355"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}