{"id":4075,"date":"2018-05-23T19:35:26","date_gmt":"2018-05-23T15:35:26","guid":{"rendered":"http:\/\/news.cpanel.com\/?p=54801"},"modified":"2018-05-23T19:35:26","modified_gmt":"2018-05-23T15:35:26","slug":"cpanel-tsr-2018-0003-full-disclosure","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cpanel-tsr-2018-0003-full-disclosure\/","title":{"rendered":"cPanel TSR-2018-0003 Full Disclosure"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/05\/cpanel-tsr-2018-0003-full-disclosure.jpg\" class=\"ff-og-image-inserted\" alt=\"\" title=\"\"><\/div>\n<p><strong>cPanel TSR-2018-0003 Full Disclosure<\/strong><\/p>\n<p><strong>SEC-393<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>API tokens retain ACLs that are removed from accounts.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 6.4 CVSS:3.0\/AV:N\/AC:H\/PR:H\/UI:R\/S:U\/C:H\/I:H\/A:H<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>Starting with cPanel &amp; WHM version 68, it became possible to limit the authorizations of a WHM API token to a subset of the ACLs assigned to the reseller account. The logic that implemented this behavior did not restrict API tokens to the ACLs that were currently assigned to the reseller account. 
This allowed a reseller to retain access to an ACL after the ACL was removed from the reseller\u2019s account.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>70.0.43<br \/>68.0.39<\/p>\n<p><strong>SEC-394<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Stored code execution injections in WHM cPAddons interface.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.0\/AV:L\/AC:H\/PR:L\/UI:R\/S:U\/C:N\/I:L\/A:L<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>The cpaddons_report.pl script escaped user-provided data with incorrect escaping functions in several places. This allowed cPanel users to cause unintended actions when the server administrator clicked links in the WHM cPAddons interfaces.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>70.0.43<br \/>68.0.39<br \/>62.0.47<\/p>\n<p><strong>SEC-395<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Arbitrary file unlink via cPAddons moderation system.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 2.5 CVSS:3.0\/AV:L\/AC:H\/PR:L\/UI:R\/S:C\/C:N\/I:L\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>When the server administrator approves or denies a moderated cPAddons install, the moderation request file stored in the user\u2019s home directory is removed. 
The file removal was performed with root privileges and could be misused by a local attacker to delete arbitrary files on the system.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>70.0.43<br \/>68.0.39<br \/>62.0.47<\/p>\n<p><strong>SEC-396<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Email injection in cPAddons moderation.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 2.6 CVSS:3.0\/AV:N\/AC:H\/PR:L\/UI:R\/S:U\/C:N\/I:L\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>The cPAddons moderation script did not adequately validate email addresses provided by the user when handling cPAddons moderation requests. This allowed an attacker to inject arbitrary header data into the moderation response email.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>70.0.43<br \/>68.0.39<br \/>62.0.47<\/p>\n<p><strong>SEC-398<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Remote-Stored XSS in WHM cPAddons installation interface.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0\/AV:N\/AC:H\/PR:N\/UI:R\/S:C\/C:L\/I:L\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>When installing a cPAddon in WHM the output was not properly escaped. 
This allowed an attacker to execute arbitrary code in the rendered page.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>70.0.43<br \/>68.0.39<br \/>62.0.47<\/p>\n<p><strong>SEC-399<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Remote-stored XSS in YUM autorepair functionality.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0\/AV:N\/AC:H\/PR:N\/UI:R\/S:C\/C:L\/I:L\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>The EasyApache 3 build process attempts an automatic repair of the system\u2019s YUM configuration if it appears broken. While downloading a replacement Yum repo file, error messages generated by the remote server were displayed to the user without context-appropriate escaping. This allowed an attacker to insert arbitrary HTML into the rendered page.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>70.0.43<br \/>68.0.39<br \/>62.0.47<\/p>\n<p><strong>SEC-400<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Remote-Stored XSS in WHM Save Theme Interface.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0\/AV:N\/AC:H\/PR:N\/UI:R\/S:C\/C:L\/I:L\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>During the download of cPanel-provided themes it was possible for an attacker to inject arbitrary HTML into the rendered page.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>70.0.43<br \/>68.0.39<br 
\/>62.0.47<\/p>\n<p><strong>SEC-408<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>ClamAV installation reveals the contents of root\u2019s crontab.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 2.2 CVSS:3.0\/AV:L\/AC:H\/PR:L\/UI:R\/S:U\/C:L\/I:N\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>When installing the ClamAV plugin, cron entries are added to root\u2019s crontab to refresh the ClamAV virus database. This modification used a world-readable temporary file, allowing unprivileged users to read the contents of root\u2019s crontab.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>70.0.43<br \/>68.0.39<br \/>62.0.47<\/p>\n<p><strong>SEC-421<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Self-XSS in WHM Backup Configuration interface.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.0\/AV:N\/AC:H\/PR:N\/UI:R\/S:C\/C:L\/I:L\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>The backup destination validation alerts did not perform context appropriate escaping. 
This allowed an attacker to inject arbitrary HTML into the rendered page.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>70.0.43<\/p>\n<p><strong>SEC-427<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Cron feature restriction not enforced for API calls.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 4.3 CVSS:3.0\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:N\/I:L\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>cPanel accounts without the \u201cCron\u201d feature were allowed to view and manipulate cron by calling the Cron APIs and adminbins directly.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by rack911labs.com.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>70.0.43<br \/>68.0.39<br \/>62.0.47<\/p>\n<p><strong>SEC-429<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Backup feature restriction not enforced for API calls.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 5.4 CVSS:3.0\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:L\/I:L\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>The \u201cbackupwizard\u201d feature was removed from cPanel &amp; WHM because it duplicated the role of the \u201cbackup\u201d feature. 
When this feature was removed, the API calls that required either of the \u201cbackup\u201d or \u201cbackupwizard\u201d features became accessible to all users.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by rack911labs.com.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>70.0.43<br \/>68.0.39<br \/>62.0.47<\/p>\n<p><strong>SEC-430<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Images feature restriction not enforced for API calls.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 4.3 CVSS:3.0\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:N\/I:L\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>The \u201cImages\u201d feature that is used to control visibility of the \u201cImages\u201d icon in the cPanel interface was checked in an incorrect fashion by the API1 functions that perform image modifications.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>70.0.43<br \/>68.0.39<br \/>62.0.47<\/p>\n<p><strong>SEC-432<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>cPanel Mime::list_hotlinks API feature restriction not enforced.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 4.3 CVSS:3.0\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:N\/I:L\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>The Mime::list_hotlinks API did not check the correct feature list item. 
This allowed users without the appropriate feature to access the API.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>70.0.43<br \/>68.0.39<br \/>62.0.47<\/p>\n<p><strong>SEC-435<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Arbitrary file read in pkgacct custom template handling.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 6.5 CVSS:3.0\/AV:L\/AC:L\/PR:L\/UI:N\/S:C\/C:H\/I:N\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>It was possible to add arbitrary files, normally unreadable by unprivileged users, to a backup created by pkgacct by adding a custom Apache vhost template to unrelated files within the userdata directory.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>70.0.43<br \/>68.0.39<br \/>62.0.47<\/p>\n<p>For the PGP-Signed version of this announcement please see: <a href=\"https:\/\/news.cpanel.com\/wp-content\/uploads\/2018\/05\/TSR-2018-0003.disclosure.signed.txt\" target=\"_blank\" rel=\"noopener\">https:\/\/news.cpanel.com\/wp-content\/uploads\/2018\/05\/TSR-2018-0003.disclosure.signed.txt<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>cPanel TSR-2018-0003 Full Disclosure SEC-393 Summary API tokens retain ACLs that are removed from accounts. 
Security Rating cPanel has assigned this vulnerability a CVSSv3 score of 6.4 CVSS:3.0\/AV:N\/AC:H\/PR:H\/UI:R\/S:U\/C:H\/I:H\/A:H Description Starting with cPanel &amp; WHM version 68, it became possible to limit the authorizations of a WHM API token to a subset of the ACLs assigned &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25],"tags":[],"class_list":["post-4075","post","type-post","status-publish","format-standard","hentry","category-cpanel-news"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/4075","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=4075"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/4075\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=4075"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=4075"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=4075"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}