{"id":2213,"date":"2017-12-24T12:02:49","date_gmt":"2017-12-24T09:02:49","guid":{"rendered":"http:\/\/news.cpanel.com\/?p=54361"},"modified":"2017-12-24T12:02:49","modified_gmt":"2017-12-24T09:02:49","slug":"cpanel-tsr-2017-0006-full-disclosure","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cpanel-tsr-2017-0006-full-disclosure\/","title":{"rendered":"cPanel TSR-2017-0006 Full Disclosure"},"content":{"rendered":"<p><strong>cPanel TSR-2017-0006 Full Disclosure<\/strong><\/p>\n<p><strong>SEC-306<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Unreserved email address used in DNS zone SOA records.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 2.0 CVSS:3.0\/AV:N\/AC:H\/PR:H\/UI:R\/S:U\/C:L\/I:N\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>When a contact email address for the system was not configured, the default RNAME value in DNS zone SOA records was set to an unreserved account name. This account name is now reserved and \u201croot\u201d is used as the default for new zones.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>68.0.15<br \/>66.0.34<br \/>64.0.42<br \/>62.0.35<\/p>\n<p><strong>SEC-309<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Home directory backups written to incorrect location.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 7.8 CVSS:3.0\/AV:L\/AC:H\/PR:L\/UI:N\/S:C\/C:H\/I:H\/A:H<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>A remote backup mount that became temporarily unresponsive could cause the user home directory backup to be written to the current directory when the backup system was configured to use incremental backups.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security 
Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>68.0.15<br \/>66.0.34<br \/>64.0.42<br \/>62.0.35<\/p>\n<p><strong>SEC-310<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Jailed accounts could restore files that are outside the jail.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 3.8 CVSS:3.0\/AV:L\/AC:L\/PR:L\/UI:N\/S:C\/C:L\/I:N\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>A jailed cPanel account could create files in their home directory that the backup process would follow outside of the jailshell, allowing restricted files to be copied into the backup.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>68.0.15<br \/>66.0.34<br \/>64.0.42<br \/>62.0.35<\/p>\n<p><strong>SEC-311<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Unprivileged users can access restricted directories during account restores.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 4.4 CVSS:3.0\/AV:L\/AC:H\/PR:L\/UI:R\/S:U\/C:H\/I:N\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>During the account restore process, under some circumstances, root changes the current directory to the user\u2019s home directory. 
A malicious user could abuse this behavior to access restricted directories.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>68.0.15<br \/>66.0.34<br \/>64.0.42<br \/>62.0.35<\/p>\n<p><strong>SEC-313<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Arbitrary code execution via Maketext injection in PostgresAdmin.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 8.0 CVSS:3.0\/AV:N\/AC:H\/PR:H\/UI:N\/S:C\/C:H\/I:H\/A:H<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>Under certain error conditions it was possible to inject user-supplied input into a Maketext format string during PostgreSQL database creation, allowing arbitrary code execution as root.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>68.0.15<br \/>66.0.34<br \/>64.0.42<br \/>62.0.35<\/p>\n<p><strong>SEC-314<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Arbitrary code execution via Maketext injection in Reseller style upload.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 8.0 CVSS:3.0\/AV:N\/AC:H\/PR:H\/UI:N\/S:C\/C:H\/I:H\/A:H<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>When a reseller uploads a custom style tarball, the list of files included in the tarball is checked for invalid filenames. If this validation fails, the offending filename is used as part of a Locale::Maketext format string. 
By crafting a malicious tarball, it was possible for a reseller to execute arbitrary code as root.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>68.0.15<br \/>66.0.34<br \/>64.0.42<br \/>62.0.35<\/p>\n<p><strong>SEC-315<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Jailshell fails to set umask before performing sensitive file operations.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 8.8 CVSS:3.0\/AV:L\/AC:L\/PR:L\/UI:N\/S:C\/C:H\/I:H\/A:H<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>The jailshell and jailexec binaries failed to set the umask() before performing sensitive operations during the jail setup. This behavior was exploitable to run arbitrary code as root or read secret files.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>68.0.15<br \/>66.0.34<br \/>64.0.42<br \/>62.0.35<\/p>\n<p><strong>SEC-318<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>String format injection vulnerability in dovecot-xaps-plugin.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 6.0 CVSS:3.0\/AV:N\/AC:H\/PR:L\/UI:N\/S:C\/C:L\/I:L\/A:L<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>The cPanel patches to the dovecot-xaps-plugin add an additional call to the i_info() function to generate dovecot log messages. This function behaves in a similar manner to printf(). Rather than specifying a format string as a first argument, we pass in user-controllable data. 
This allowed for the user to pass in arbitrary format strings, resulting in reading of arbitrary memory and code execution.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>68.0.15<br \/>66.0.34<br \/>64.0.42<\/p>\n<p><strong>SEC-322<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Code execution as root due to loose permissions on incremental backups.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 8.8 CVSS:3.0\/AV:L\/AC:L\/PR:L\/UI:N\/S:C\/C:H\/I:H\/A:H<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>During an incremental backup, the user account had access to the homedir directory inside the account\u2019s backup directory. This allowed the user to execute files that had switched to root ownership during the backup process.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>68.0.15<br \/>66.0.34<br \/>64.0.42<br \/>62.0.35<\/p>\n<p><strong>SEC-323<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Backup files are briefly world-readable.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 2.5 CVSS:3.0\/AV:L\/AC:H\/PR:L\/UI:N\/S:U\/C:L\/I:N\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>When creating backup archive files there was a small window where the permissions of the archives would be world-readable. 
This allowed for unprivileged users to copy the contents of other user\u2019s backups.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>68.0.15<br \/>66.0.34<br \/>64.0.42<br \/>62.0.35<\/p>\n<p><strong>SEC-325<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>PostgreSQL databases assigned to multiple accounts caused collisions.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 2.0 CVSS:3.0\/AV:N\/AC:H\/PR:H\/UI:R\/S:U\/C:N\/I:L\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>A refactoring error opened the possibility of two different cPanel accounts being assigned ownership of a PostgreSQL database when they attempted to create it at the same time. Ownership is now assigned only to the account that successfully created the database.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>68.0.15<br \/>66.0.34<br \/>64.0.42<\/p>\n<p><strong>SEC-326<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Add \u2018postmaster\u2019 to the list of reserved usernames.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 2.4 CVSS:3.0\/AV:N\/AC:L\/PR:H\/UI:R\/S:U\/C:L\/I:N\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>It was possible to intercept certain emails intended to be delivered to root by creating an account with the \u2018postmaster\u2019 username. 
This account name has been added to the reserved usernames list.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>68.0.15<br \/>66.0.34<br \/>64.0.42<br \/>62.0.35<\/p>\n<p><strong>SEC-327<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Expand the list of reserved usernames.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 2.4 CVSS:3.0\/AV:N\/AC:L\/PR:H\/UI:R\/S:U\/C:L\/I:N\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>The server contract email address for accounts uses the webmaster username which was not restricted for account creation. This could lead to a reseller intercepting emails intended to be delivered to other accounts. All email aliases listed in \/etc\/aliases and \/etc\/localaliases are now reserved usernames.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>68.0.15<br \/>66.0.34<br \/>64.0.42<br \/>62.0.35<\/p>\n<p><strong>SEC-328<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Add \u2018ssl\u2019 to the list of reserved usernames.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 2.4 CVSS:3.0\/AV:N\/AC:L\/PR:H\/UI:R\/S:U\/C:L\/I:N\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>When creating SSL certificates, \u2018ssl@hostname\u2019 is used as the contact email in the certificate. The \u2018ssl\u2019 username was not reserved, allowing resellers to intercept emails sent to this address. 
The \u2018ssl\u2019 username is now disallowed for account creation.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>68.0.15<br \/>66.0.34<br \/>64.0.42<br \/>62.0.35<\/p>\n<p><strong>SEC-329<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Arbitrary file read via Exim vdomainaliases.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 6.5 CVSS:3.0\/AV:L\/AC:L\/PR:L\/UI:N\/S:C\/C:H\/I:N\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>When processing the vdomainaliases file for a domain, Exim was running as the root user. An attacker could leverage this behavior to read the contents of arbitrary files on the system.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>68.0.15<br \/>66.0.34<br \/>64.0.42<br \/>62.0.35<\/p>\n<p><strong>SEC-330<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Preserve permissions for local backup transport.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.0\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:L\/I:N\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>When copying backup files using the \u2018Additional local directory\u2019 backup transport, the original backup file permissions were not preserved. 
This allowed backup files to be created with world-readable permissions.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by Rack911labs.com.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>68.0.15<br \/>66.0.34<br \/>64.0.42<br \/>62.0.35<\/p>\n<p><strong>SEC-331<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>DnsUtils allows zone creation on hostname and account subdomains.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 3.8 CVSS:3.0\/AV:N\/AC:L\/PR:H\/UI:N\/S:U\/C:L\/I:L\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>When adding a DNS zone, Cpanel::DnsUtils::doadddns() did not check to ensure that the added domain is not the hostname or a subdomain of a domain belonging to another user. This allowed a reseller to intercept potentially sensitive information.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by Rack911labs.com.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>68.0.15<br \/>66.0.34<br \/>64.0.42<br \/>62.0.35<\/p>\n<p><strong>SEC-332<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Root crontab visible when enabling or disabling sqloptimizer.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 3.7 CVSS:3.0\/AV:N\/AC:H\/PR:N\/UI:N\/S:U\/C:L\/I:N\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>When enabling or disabling the sqloptimizer feature, root\u2019s crontab was briefly exposed to unprivileged users.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>68.0.15<br \/>66.0.34<br \/>64.0.42<br \/>62.0.35<\/p>\n<p><strong>SEC-333<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Local root code execution via 
cpdavd.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 8.8 CVSS:3.0\/AV:L\/AC:L\/PR:L\/UI:N\/S:C\/C:H\/I:H\/A:H<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>Under certain circumstances, when cpdavd processes requests, the service will attempt to lazy load Perl modules for various functionality. If this is done after cpdavd changed the root directory, it was possible for an attacker to execute arbitrary code as the root user.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>68.0.15<br \/>66.0.34<br \/>64.0.42<br \/>62.0.35<\/p>\n<p><strong>SEC-334<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>User accounts partially created with invalid username formats.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 2.6 CVSS:3.0\/AV:N\/AC:H\/PR:H\/UI:R\/S:C\/C:N\/I:L\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>Attempting to transfer, restore, or rearrange a cPanel account with a username composed entirely of numbers and symbols could result in partial account creation and cause mail delivery to run as the wrong user. 
Usernames in this format are now prohibited, along with usernames containing uppercase characters.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>68.0.15<br \/>66.0.34<br \/>64.0.42<br \/>62.0.35<\/p>\n<p><strong>SEC-336<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Stored-XSS vulnerability via cpaddons moderated upgrade.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 2.5 CVSS:3.0\/AV:L\/AC:H\/PR:L\/UI:R\/S:C\/C:N\/I:L\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>It is possible to coerce a cPAddon upgrade to occur when an install was intended via the moderated installs feature of cPAddons. When obsolete files are removed from the installation, a file listing is given. These file names were not adequately encoded in the listed output. This allowed for an attacker to inject arbitrary code into the rendered page.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>68.0.15<br \/>66.0.34<br \/>64.0.42<br \/>62.0.35<\/p>\n<p><strong>SEC-337<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Code execution as \u2018nobody\u2019 account via Mailman archives.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 7.4 CVSS:3.0\/AV:N\/AC:L\/PR:L\/UI:N\/S:C\/C:L\/I:L\/A:L<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>Accounts created with the \u2018mbox\u2019 TLD could collide with other domains in the Mailman archive directories. 
This allowed the creation of files with restricted file extensions, and code execution as the webserver user.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>68.0.15<br \/>66.0.34<br \/>64.0.42<br \/>62.0.35<\/p>\n<p><strong>SEC-341<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Domain data can be deleted for domains with \u2018lock\u2019 TLD.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 3.1 CVSS:3.0\/AV:N\/AC:H\/PR:L\/UI:N\/S:U\/C:N\/I:L\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>Domains that use the \u2018lock\u2019 TLD conflict with the standard naming scheme for cPanel \u2018safelock\u2019 files. This behavior allowed attackers to delete domain-named files in some limited circumstances.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>68.0.15<br \/>66.0.34<br \/>64.0.42<br \/>62.0.35<\/p>\n<p><strong>SEC-345<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Arbitrary file read in backup htaccess modification logic.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 6.5 CVSS:3.0\/AV:L\/AC:L\/PR:L\/UI:N\/S:C\/C:H\/I:N\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>On systems configured with EasyApache 4, the htaccess files of accounts are modified in the backup to remove the PHP handler settings. 
The method used to perform these modifications was vulnerable to time-of-check-time-of-use attacks that could be used to store arbitrary files into the user\u2019s backup tarball.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>68.0.15<br \/>66.0.34<br \/>64.0.42<br \/>62.0.35<\/p>\n<p>For the PGP-Signed version of this announcement please see: <a href=\"https:\/\/news.cpanel.com\/wp-content\/uploads\/2017\/11\/TSR-2017-0006.disclosure.signed.txt\" target=\"_blank\" rel=\"noopener\">https:\/\/news.cpanel.com\/wp-content\/uploads\/2017\/11\/TSR-2017-0006.disclosure.signed.txt<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>cPanel TSR-2017-0006 Full Disclosure SEC-306 Summary Unreserved email address used in DNS zone SOA records. Security Rating cPanel has assigned this vulnerability a CVSSv3 score of 2.0 CVSS:3.0\/AV:N\/AC:H\/PR:H\/UI:R\/S:U\/C:L\/I:N\/A:N Description When a contact email address for the system was not configured, the default RNAME value in DNS zone SOA records was set to an unreserved account 
&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25],"tags":[],"class_list":["post-2213","post","type-post","status-publish","format-standard","hentry","category-cpanel-news"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/2213","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=2213"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/2213\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=2213"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=2213"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=2213"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}