{"id":2772,"date":"2018-01-24T12:47:22","date_gmt":"2018-01-24T09:47:22","guid":{"rendered":"http:\/\/news.cpanel.com\/?p=54521"},"modified":"2018-01-24T12:47:22","modified_gmt":"2018-01-24T09:47:22","slug":"cpanel-tsr-2018-0001-full-disclosure","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cpanel-tsr-2018-0001-full-disclosure\/","title":{"rendered":"cPanel TSR-2018-0001 Full Disclosure"},"content":{"rendered":"
\"\"<\/div>\n

cPanel TSR-2018-0001 Full Disclosure<\/strong><\/p>\n

SEC-308<\/strong><\/p>\n

Summary<\/strong><\/p>\n

SRS secret revealed in exim.conf.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3 score of 2.5 CVSS:3.0\/AV:L\/AC:H\/PR:L\/UI:N\/S:U\/C:L\/I:N\/A:N<\/p>\n

Description<\/strong><\/p>\n

When the experimental SRS option for Exim was enabled, the secret key used to sign SRS email was visible inside the exim.conf file. This setting is now stored in a separate file that is not world-readable.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by the cPanel Security Team.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39<\/p>\n

SEC-321<\/strong><\/p>\n

Summary<\/strong><\/p>\n

Database and dbuser names were not validated during renames.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3 score of 4.3 CVSS:3.0\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:N\/I:L\/A:N<\/p>\n

Description<\/strong><\/p>\n

When renaming a database or database user via either the MySQL or PostgreSQL adminbins, the new name was not verified to meet cPanel\u2019s naming requirements. This allowed an attacker to create databases or database users with reserved or invalid names.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by the cPanel Security Team.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39<\/p>\n

SEC-324<\/strong><\/p>\n

Summary<\/strong><\/p>\n

Ownership not enforced by addpkgext and delpkgext WHM API calls.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3 score of 2.7 CVSS:3.0\/AV:N\/AC:L\/PR:H\/UI:N\/S:U\/C:N\/I:L\/A:N<\/p>\n

Description<\/strong><\/p>\n

The \u201caddpkgext\u201d and \u201cdelpkgext\u201d WHM API calls did not restrict modifications to packages and accounts that the reseller was authorized to change. These API calls now restrict modifications based on package and account ownership if the reseller does not have the \u201call\u201d ACL.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by the cPanel Security Team.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
68.0.27<\/p>\n

SEC-339<\/strong><\/p>\n

Summary<\/strong><\/p>\n

Backups revealed contents of directories that the user did not own.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3 score of 2.8 CVSS:3.0\/AV:L\/AC:H\/PR:L\/UI:N\/S:C\/C:L\/I:N\/A:N<\/p>\n

Description<\/strong><\/p>\n

During a backup it was possible to lead the process into directories that the user did not own. The file and directory paths would then be saved to a file that was readable by the user.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by the cPanel Security Team.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39<\/p>\n

SEC-342<\/strong><\/p>\n

Summary<\/strong><\/p>\n

Root\u2019s crontab briefly world-readable when enabling backups.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3 score of 2.8 CVSS:3.0\/AV:L\/AC:L\/PR:L\/UI:R\/S:U\/C:L\/I:N\/A:N<\/p>\n

Description<\/strong><\/p>\n

When enabling backups, it is sometimes necessary to add new entries to root\u2019s crontab. To perform this change, a temporary file was created with a predictable name and world-readable permissions. This allowed the crontab to be read by normal users during this action.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by the cPanel Security Team.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39<\/p>\n

SEC-349<\/strong><\/p>\n

Summary<\/strong><\/p>\n

Arbitrary file read via restore adminbin.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3 score of 6.5 CVSS:3.0\/AV:L\/AC:L\/PR:L\/UI:N\/S:C\/C:H\/I:N\/A:N<\/p>\n

Description<\/strong><\/p>\n

Race conditions in the RESTOREFILE functionality of the restore adminbin could be misused by local attackers to read any files on the system.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by the cPanel Security Team.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
68.0.27<\/p>\n

SEC-351<\/strong><\/p>\n

Summary<\/strong><\/p>\n

Root\u2019s crontab briefly world-readable during crontab configuration.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3 score of 2.8 CVSS:3.0\/AV:L\/AC:L\/PR:L\/UI:R\/S:U\/C:L\/I:N\/A:N<\/p>\n

Description<\/strong><\/p>\n

When saving changes to root\u2019s crontab through the \u201cConfigure cPanel Cron Jobs\u201d interface in WHM, a temporary file containing root\u2019s crontab was created with world-readable permissions.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by rack911labs.com.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39<\/p>\n

SEC-352<\/strong><\/p>\n

Summary<\/strong><\/p>\n

Root\u2019s crontab briefly world-readable during post update tasks.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.0\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:L\/I:N\/A:N<\/p>\n

Description<\/strong><\/p>\n

During cPanel updates, root\u2019s crontab was exposed in a world-readable temporary file by the post install task to update cPAddons.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by rack911labs.com.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39<\/p>\n

SEC-353<\/strong><\/p>\n

Summary<\/strong><\/p>\n

World-readable copy of httpd.conf created during syntax test.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3 score of 2.5 CVSS:3.0\/AV:L\/AC:H\/PR:L\/UI:N\/S:U\/C:L\/I:N\/A:N<\/p>\n

Description<\/strong><\/p>\n

During httpd.conf updates on systems using EasyApache4, a copy of the httpd.conf file was created with world-readable permissions.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by rack911labs.com.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39<\/p>\n

SEC-354<\/strong><\/p>\n

Summary<\/strong><\/p>\n

Insecure file operations in bin\/csvprocess.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3 score of 4.4 CVSS:3.0\/AV:L\/AC:H\/PR:L\/UI:R\/S:U\/C:N\/I:H\/A:N<\/p>\n

Description<\/strong><\/p>\n

The csvprocess script performed file operations on predictably named files in the current working directory. If this script was run by the root user in a user-controlled directory, it was possible for an attacker to cause root owned files to be overwritten. This script has been removed and its functionality moved into the API call that previously utilized this script.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by rack911labs.com.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39<\/p>\n

SEC-355<\/strong><\/p>\n

Summary<\/strong><\/p>\n

World-readable archive created by archive_sync_zones script.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3 score of 2.8 CVSS:3.0\/AV:L\/AC:L\/PR:L\/UI:R\/S:U\/C:L\/I:N\/A:N<\/p>\n

Description<\/strong><\/p>\n

When scripts\/archive_sync_zones generated a backup file, the resulting archive was created with world-readable permissions.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by rack911labs.com.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39<\/p>\n

SEC-356<\/strong><\/p>\n

Summary<\/strong><\/p>\n

Limited arbitrary file write via telnetcrt script.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3 score of 4.4 CVSS:3.0\/AV:L\/AC:H\/PR:L\/UI:R\/S:U\/C:N\/I:H\/A:N<\/p>\n

Description<\/strong><\/p>\n

The telnetcrt script attempted to change directory to a safe location to write temporary files without verifying the directory existed or that the change of directory was successful. If this script was run manually in a world-writable directory, a local attacker could symlink the temporary filenames to unsafe locations. This script is no longer used by cPanel and has been removed.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by rack911labs.com.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39<\/p>\n

SEC-383<\/strong><\/p>\n

Summary<\/strong><\/p>\n

Self-XSS in cPanel Backup Restoration.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0\/AV:N\/AC:H\/PR:N\/UI:R\/S:C\/C:L\/I:L\/A:N<\/p>\n

Description<\/strong><\/p>\n

When rendering the list of files that are restored from a partial backup, appropriate HTML escaping was not performed. This allowed arbitrary code to be injected into the rendered page.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by Fabian Patrik of https:\/\/websafe.hu.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39<\/p>\n

SEC-385<\/strong><\/p>\n

Summary<\/strong><\/p>\n

Self-XSS in WHM Apache Configuration Include Editor.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0\/AV:N\/AC:H\/PR:N\/UI:R\/S:C\/C:L\/I:L\/A:N<\/p>\n

Description<\/strong><\/p>\n

When rendering invalid syntax after saving new Apache includes, the context appropriate escaping was not performed. This allowed arbitrary code to be injected into the rendered page.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by Fabian Patrik of https:\/\/websafe.hu.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39<\/p>\n

SEC-386<\/strong><\/p>\n

Summary<\/strong><\/p>\n

Self-Stored-XSS in WHM Account Transfer.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0\/AV:N\/AC:H\/PR:N\/UI:R\/S:C\/C:L\/I:L\/A:N<\/p>\n

Description<\/strong><\/p>\n

Account usernames were not properly HTML escaped in the transfer log header when using the Remote User Account Transfer interface in WHM. This allowed arbitrary code to be injected into the rendered page.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by Fabian Patrik of https:\/\/websafe.hu.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39<\/p>\n

SEC-387<\/strong><\/p>\n

Summary<\/strong><\/p>\n

Self-XSS in WHM Spamd Startup Config.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0\/AV:N\/AC:H\/PR:N\/UI:R\/S:C\/C:L\/I:L\/A:N<\/p>\n

Description<\/strong><\/p>\n

When saving spamd directives in WHM Spamd Startup Config, invalid configuration values were displayed without appropriate HTML escaping. This allowed arbitrary code to be injected into the rendered page.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by Fabian Patrik of https:\/\/websafe.hu.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39<\/p>\n

SEC-388<\/strong><\/p>\n

Summary<\/strong><\/p>\n

World-readable files created when using WHM Apache Includes Editor.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3 score of 2.2 CVSS:3.0\/AV:L\/AC:H\/PR:L\/UI:R\/S:U\/C:L\/I:N\/A:N<\/p>\n

Description<\/strong><\/p>\n

When modifying the Apache Includes via the WHM Apache Includes Editor, the new configuration is created with world-readable permissions. This allowed for this configuration to be viewed by non-privileged users.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by the cPanel Security Team.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39<\/p>\n

SEC-389<\/strong><\/p>\n

Summary<\/strong><\/p>\n

Self-XSS in WHM listips interface.<\/p>\n

Security Rating<\/strong><\/p>\n

cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0\/AV:N\/AC:H\/PR:N\/UI:R\/S:C\/C:L\/I:L\/A:N<\/p>\n

Description<\/strong><\/p>\n

The WHM \/scripts2\/listips interface did not escape user input and backend error messages when displaying javascript notices.<\/p>\n

Credits<\/strong><\/p>\n

This issue was discovered by the cPanel Security Team.<\/p>\n

Solution<\/strong><\/p>\n

This issue is resolved in the following builds:
68.0.27
66.0.35
62.0.39<\/p>\n

For the PGP-Signed version of this announcement please see: https:\/\/news.cpanel.com\/wp-content\/uploads\/2018\/01\/TSR-2018-0001.disclosure.signed.txt<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

cPanel TSR-2018-0001 Full Disclosure SEC-308 Summary SRS secret revealed in exim.conf. Security Rating cPanel has assigned this vulnerability a CVSSv3 score of 2.5 CVSS:3.0\/AV:L\/AC:H\/PR:L\/UI:N\/S:U\/C:L\/I:N\/A:N Description When the experimental SRS option for Exim was enabled, the secret key used to sign SRS email was visible inside the exim.conf file. This setting is now stored in a […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25],"tags":[],"class_list":["post-2772","post","type-post","status-publish","format-standard","hentry","category-cpanel-news"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/2772","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=2772"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/2772\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=2772"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=2772"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=2772"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}