{"id":13811,"date":"2020-01-22T21:57:11","date_gmt":"2020-01-22T21:57:11","guid":{"rendered":"http:\/\/news.cpanel.com\/?p=57945"},"modified":"2020-01-22T21:57:11","modified_gmt":"2020-01-22T21:57:11","slug":"cpanel-tsr-2020-0001-full-disclosure","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cpanel-tsr-2020-0001-full-disclosure\/","title":{"rendered":"cPanel TSR-2020-0001 Full Disclosure"},"content":{"rendered":"
\"\"<\/div>\n

SEC-515<\/strong><\/p>\n

Summary<\/strong><\/p>\n

Self-XSS vulnerability via temporary character set specification.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.1\/AV:N\/AC:H\/PR:N\/UI:R\/S:C\/C:L\/I:L\/A:N<\/p>\n

Description<\/strong><\/p>\n

cPanel & WHM and its APIs allow you to specify a temporary character set to use for HTTP responses. Most interfaces and APIs do not expect to have the character set of their responses changed. This confusion could allow for an attacker to cause the rendering browser to parse and execute code.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by the cPanel Security Team.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
11.84.0.20
11.78.0.45<\/p>\n

SEC-535<\/strong><\/p>\n

Summary<\/strong><\/p>\n

Self-stored XSS vulnerability in HTML file editor.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0\/AV:N\/AC:H\/PR:N\/UI:R\/S:C\/C:L\/I:L\/A:N<\/p>\n

Description<\/strong><\/p>\n

The cPanel HTML file editor displays error messages when failing to open a file. These error messages were not adequately encoded. It was possible to manipulate these error messages to include HTML markup that would be rendered by the user\u2019s browser.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by the cPanel Security Team.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
11.84.0.20
11.78.0.45<\/p>\n

SEC-537<\/strong><\/p>\n

Summary<\/strong><\/p>\n

Arbitrary code execution as root via dnsadmin when using PowerDNS.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3 score of 8.2 CVSS:3.1\/AV:L\/AC:L\/PR:H\/UI:N\/S:C\/C:H\/I:H\/A:H<\/p>\n

Description<\/strong><\/p>\n

The name server configuration logic for PowerDNS allowed additional positional parameters to be injected when calling the pdns_control command. By injecting malicious data into these parameters, it was possible for a malicious reseller with the clustering ACL to execute arbitrary code on the system.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by the cPanel Security Team.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
11.84.0.20
11.78.0.45<\/p>\n

SEC-541<\/strong><\/p>\n

Summary<\/strong><\/p>\n

Feature and demo restrictions not enforced for WebDisk UAPI calls.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3 score of 5.3 CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:L\/A:N<\/p>\n

Description<\/strong><\/p>\n

Refactoring of the feature and demo access restriction code removed enforcement of these restrictions on all WebDisk UAPI calls.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by the cPanel Security Team.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
11.84.0.20
11.78.0.45<\/p>\n

SEC-542<\/strong><\/p>\n

Summary<\/strong><\/p>\n

Demo checks enforced incorrectly in Market UAPI namespace.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3 score of 4.8 CVSS:3.1\/AV:N\/AC:H\/PR:N\/UI:N\/S:U\/C:L\/I:L\/A:N<\/p>\n

Description<\/strong><\/p>\n

The API calls available in the Market UAPI namespace did not limit the actions of demo accounts properly.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by the cPanel Security Team.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
11.84.0.20
11.78.0.45<\/p>\n

SEC-543<\/strong><\/p>\n

Summary<\/strong><\/p>\n

Demo account file modifications through Branding API calls.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3 score of 4.8 CVSS:3.1\/AV:N\/AC:H\/PR:N\/UI:N\/S:U\/C:L\/I:L\/A:N<\/p>\n

Description<\/strong><\/p>\n

Restrictions on demo accounts for several Branding API1 and API2 calls were not properly enforced. In some configurations this allowed demo accounts to read and write arbitrary files on the system.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by the cPanel Security Team.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
11.84.0.20
11.78.0.45<\/p>\n

SEC-544<\/strong><\/p>\n

Summary<\/strong><\/p>\n

Demo account remote code execution via cpsrvd rsync shell.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3 score of 8.3 CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:L\/I:L\/A:L<\/p>\n

Description<\/strong><\/p>\n

The cPanel server includes rsync remote file transfer functionality. The access controls limiting demo account usage of this functionality was ineffective. This could be abused by a demo account user to execute arbitrary code on the server.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by the cPanel Security Team.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
11.84.0.20<\/p>\n

SEC-545<\/strong><\/p>\n

Summary<\/strong><\/p>\n

Root remote code execution for resellers via cpsrvd rsync shell.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3 score of 9.1 CVSS:3.1\/AV:N\/AC:L\/PR:H\/UI:N\/S:C\/C:H\/I:H\/A:H<\/p>\n

Description<\/strong><\/p>\n

The cPanel server includes rsync remote file transfer functionality. The access controls limiting reseller usage of this functionality was ineffective. This could be abused by any reseller to execute arbitrary code as the root account.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by the cPanel Security Team.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
11.84.0.20<\/p>\n

SEC-546<\/strong><\/p>\n

Summary<\/strong><\/p>\n

Demo account code execution via PassengerApps APIs.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3 score of 8.3 CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:L\/I:L\/A:L<\/p>\n

Description<\/strong><\/p>\n

When registering a Passenger application, the \u2018ensure_deps\u2019 API will install dependencies according to a configuration file within the application directory. Demo accounts were not restricted from invoking this API call, allowing the execution of arbitrary code on the server.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by the cPanel Security Team.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
11.84.0.20
11.78.0.45<\/p>\n

SEC-547<\/strong><\/p>\n

Summary<\/strong><\/p>\n

Arbitrary file deletion for Webmail and Demo accounts.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3 score of 6.5 CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:L\/A:L<\/p>\n

Description<\/strong><\/p>\n

Functionality intended to handle JSON POST data submitted in HTTP requests did not apply input filtering required to distinguish file uploads from other form parameters. A malicious webmail or demo account could misuse this behavior to delete files on the system.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by the cPanel Security Team.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
11.84.0.20
11.78.0.45<\/p>\n

For the PGP-signed message, please see: https:\/\/news.cpanel.com\/wp-content\/uploads\/2020\/01\/TSR-2020-0001.disclosure.signed.txt.<\/a><\/p>\n

\u0645\u062f\u06cc\u0631\u06cc\u062a \u0633\u0631\u0648\u0631 \u067e\u0634\u062a\u06cc\u0628\u0627\u0646\u06cc \u0648 \u0645\u0634\u0627\u0648\u0631\u0647 – \u062b\u0628\u062a \u062f\u0627\u0645\u0646\u0647<\/p>\n","protected":false},"excerpt":{"rendered":"

SEC-515 Summary Self-XSS vulnerability via temporary character set specification. Security Rating cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.1\/AV:N\/AC:H\/PR:N\/UI:R\/S:C\/C:L\/I:L\/A:N Description cPanel & WHM and its APIs allow you to specify a temporary character set to use for HTTP responses. Most interfaces and APIs do not expect to have the character set of …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25],"tags":[],"class_list":["post-13811","post","type-post","status-publish","format-standard","hentry","category-cpanel-news"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/13811","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=13811"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/13811\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=13811"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=13811"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=13811"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}