{"id":5579,"date":"2018-07-19T07:44:29","date_gmt":"2018-07-19T03:44:29","guid":{"rendered":"http:\/\/news.cpanel.com\/?p=55005"},"modified":"2018-07-19T07:44:29","modified_gmt":"2018-07-19T03:44:29","slug":"cpanel-tsr-2018-0004-full-disclosure","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cpanel-tsr-2018-0004-full-disclosure\/","title":{"rendered":"cPanel TSR-2018-0004 Full Disclosure"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/07\/cpanel-tsr-2018-0004-full-disclosure.jpg\" class=\"ff-og-image-inserted\" alt=\"\" title=\"\"><\/div>\n<p><strong>cPanel TSR-2018-0004 Full Disclosure<\/strong><\/p>\n<p><strong>SEC-367<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Stored-XSS in WHM File Restoration interface.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 4.6 CVSS:3.0\/AV:L\/AC:L\/PR:L\/UI:R\/S:C\/C:L\/I:L\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>Filenames containing AngularJS markup were interpolated into angular-growl format strings. These format strings were then interpolated a second time before being used in growl notifications. This allowed cPanel users to insert XSS payloads into the WHM File Restoration interface.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>72.0.10<br \/>70.0.53<\/p>\n<p><strong>SEC-416<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Apache configuration injection due to document root variable interpolation.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 5.3 CVSS:3.0\/AV:N\/AC:H\/PR:L\/UI:N\/S:U\/C:N\/I:H\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>Subdomain document root paths were allowed with Apache variable interpolation syntax. 
Under some conditions, malicious cPanel users could misuse this behavior to inject arbitrary Apache directives into the web server\u2019s configuration.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>72.0.10<br \/>70.0.53<\/p>\n<p><strong>SEC-418<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Insecure storage of phpMyAdmin session files.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 4.2 CVSS:3.0\/AV:L\/AC:H\/PR:L\/UI:R\/S:U\/C:L\/I:L\/A:L<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>Due to a misconfiguration of phpMyAdmin\u2019s php.ini file, the \/tmp directory was used for session files storage. Local attackers could misuse this behavior to execute arbitrary code as the shared cpanelphpmyadmin user.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>72.0.10<br \/>70.0.53<\/p>\n<p><strong>SEC-420<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>SQL injection during database backups.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 6.5 CVSS:3.0\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:N\/I:H\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>The cPanel backup process creates temporary data as part of backing up a database. The format of this data was vulnerable to manipulation by the backed up database names. 
This allowed an attacker to execute arbitrary SQL commands with the root account\u2019s MySQL permissions.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>72.0.10<br \/>70.0.53<\/p>\n<p><strong>SEC-424<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>File modification as root via faulty HTTP authentication.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 6.5 CVSS:3.0\/AV:L\/AC:L\/PR:L\/UI:N\/S:C\/C:N\/I:H\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>When logging in via HTTP Basic Authentication, the REMOTE_USER environment variable is set from the username. By inserting null characters into the username, it was possible to truncate the environment variable when it is passed to subprocesses. This allowed local attackers to modify files as the root user.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>72.0.10<br \/>70.0.53<\/p>\n<p><strong>SEC-425<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Limited file read via password file caching.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 2.8 CVSS:3.0\/AV:L\/AC:H\/PR:L\/UI:N\/S:C\/C:L\/I:N\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>When logging in as a webmail user, cpsrvd reads the password and cache files located in the user\u2019s home directory as root. 
It was possible to cause this to read arbitrary files on the system and write back a limited amount of data to the user\u2019s home directory.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>72.0.10<br \/>70.0.53<\/p>\n<p><strong>SEC-426<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Arbitrary zonefile modifications allowed during record edits.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 4.3 CVSS:3.0\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:N\/I:L\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>The types of DNS zone records that a cPanel user may add, delete, or edit are limited by the feature settings for the account. During zonefile edits, the new type of an edited record was not validated as a permitted record type for the user. This allowed cPanel users with the \u201cchangemx\u201d, \u201csimplezoneedit\u201d, or \u201czoneedit\u201d features to make arbitrary changes to zone files.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>72.0.10<br \/>70.0.53<\/p>\n<p><strong>SEC-436<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Arbitrary file read during File Restoration.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 5.9 CVSS:3.0\/AV:L\/AC:L\/PR:L\/UI:R\/S:C\/C:H\/I:N\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>When using the \u201cFile Restoration\u201d feature on an incremental backup, it incorrectly translated tar escape sequences in filenames. 
This allowed an attacker to read arbitrary files on the system as root.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>72.0.10<br \/>70.0.53<\/p>\n<p><strong>SEC-439<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Arbitrary zonefile modifications due to faulty CAA record handling.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 4.3 CVSS:3.0\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:N\/I:L\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>cPanel accounts with the \u201czoneedit\u201d feature are allowed to create and modify CAA DNS records. The validator for new CAA records allowed several types of injections that would split a single CAA record entry into multiple DNS records with arbitrary content.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>72.0.10<br \/>70.0.53<\/p>\n<p><strong>SEC-442<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>File rename vulnerability during account renames.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 3.2 CVSS:3.0\/AV:L\/AC:L\/PR:H\/UI:N\/S:C\/C:N\/I:L\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>While renaming cPanel accounts, the security policy data files stored in the user\u2019s home directory were renamed with root permissions. 
This allowed malicious resellers with the Account Modification privilege to rename arbitrary files on the system.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by rack911labs.com.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>72.0.10<br \/>70.0.53<\/p>\n<p><strong>SEC-443<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Website contents accessible to local attackers through git repos.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 2.9 CVSS:3.0\/AV:L\/AC:H\/PR:N\/UI:N\/S:U\/C:L\/I:N\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>The Git Version Control functionality in cPanel relied on the git binary to create the directories for git repos. The git binary created these directories with very open (0755) permissions, allowing other accounts on the system to examine the contents of the files in the repo. This functionality has been changed to create repo directories with 0700 permissions if the directory does not already exist.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>72.0.10<\/p>\n<p>For the PGP-Signed version of this announcement please see: <a href=\"https:\/\/news.cpanel.com\/wp-content\/uploads\/2018\/07\/TSR-2018-0004.disclosure.signed.txt\" target=\"_blank\" rel=\"noopener\">https:\/\/news.cpanel.com\/wp-content\/uploads\/2018\/07\/TSR-2018-0004.disclosure.signed.txt<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>cPanel TSR-2018-0004 Full Disclosure SEC-367 Summary Stored-XSS in WHM File Restoration interface. Security Rating cPanel has assigned this vulnerability a CVSSv3 score of 4.6 CVSS:3.0\/AV:L\/AC:L\/PR:L\/UI:R\/S:C\/C:L\/I:L\/A:N Description Filenames containing AngularJS markup were interpolated into angular-growl format strings. 
These format strings were then interpolated a second time before being used in growl notifications. This allowed cPanel users &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25],"tags":[],"class_list":["post-5579","post","type-post","status-publish","format-standard","hentry","category-cpanel-news"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/5579","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=5579"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/5579\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=5579"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=5579"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=5579"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}