{"id":6893,"date":"2018-09-19T00:28:47","date_gmt":"2018-09-18T20:28:47","guid":{"rendered":"http:\/\/news.cpanel.com\/?p=55237"},"modified":"2018-09-19T00:28:47","modified_gmt":"2018-09-18T20:28:47","slug":"cpanel-tsr-2018-0005-full-disclosure","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cpanel-tsr-2018-0005-full-disclosure\/","title":{"rendered":"cPanel TSR-2018-0005 Full Disclosure"},"content":{"rendered":"<p><strong>cPanel TSR-2018-0005 Full Disclosure<\/strong><\/p>\n<p><strong>SEC-409<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>ClamAV daemon can be shut off by any local user.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.0\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:N\/I:N\/A:L<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>The userspace socket file for the clamd daemon has open permissions for necessary communication with userspace scanning functionality in cPanel. However, this socket also accepts the SHUTDOWN command which allowed unprivileged users to shut down the ClamAV daemon.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>74.0.8<br \/>70.0.57<\/p>\n<p><strong>SEC-428<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Self-XSS in WHM \u2018Create a New Account\u2019 interface.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 4.4 CVSS:3.0\/AV:N\/AC:H\/PR:L\/UI:R\/S:C\/C:L\/I:L\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>Errors encountered in the zone template during account creation did not perform context appropriate escaping. 
This allowed an attacker to inject arbitrary HTML into the rendered page.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>74.0.8<br \/>70.0.57<\/p>\n<p><strong>SEC-433<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Self-XSS in WHM \u2018Security Questions\u2019 interface.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 3.7 CVSS:3.0\/AV:N\/AC:H\/PR:L\/UI:R\/S:U\/C:L\/I:L\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>User supplied parameters for the WHM \u2018Security Questions\u2019 interface are displayed without context appropriate escaping. This allowed for an attacker to inject arbitrary code into the rendered page.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>74.0.8<br \/>70.0.57<\/p>\n<p><strong>SEC-434<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Self-XSS in cPanel \u2018Site Software Moderation\u2019 interface.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 3.7 CVSS:3.0\/AV:N\/AC:H\/PR:L\/UI:R\/S:U\/C:L\/I:L\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>Certain user supplied parameters displayed as part of the cPanel \u2018Site Software Moderation\u2019 interface are displayed without context appropriate escaping. 
This allowed an attacker to inject arbitrary code into the rendered page.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>74.0.8<br \/>70.0.57<\/p>\n<p><strong>SEC-437<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Self-XSS in WHM \u2018Style Upload\u2019 interface.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 3.7 CVSS:3.0\/AV:N\/AC:H\/PR:L\/UI:R\/S:U\/C:L\/I:L\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>When using the Customization interface in WHM, error messages displaying user-supplied input are rendered without context appropriate escaping. This allowed an attacker to inject arbitrary code into the rendered page.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>74.0.8<br \/>70.0.57<\/p>\n<p><strong>SEC-441<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Actively stored XSS in WHM \u2018File and Directory Restoration\u2019 interface.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 3.9 CVSS:3.0\/AV:L\/AC:H\/PR:L\/UI:R\/S:C\/C:L\/I:L\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>During file and directory restoration operations, a cPanel user was able to intercept json-api requests made by the WHM reseller and send back corrupted json-api responses. 
These corrupted API responses were displayed without appropriate escaping, allowing the cPanel user to insert HTML into the reseller\u2019s web interface.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>74.0.8<br \/>70.0.57<\/p>\n<p><strong>SEC-444<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Demo account code execution via Fileman::viewfile API.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 7.4 CVSS:3.0\/AV:N\/AC:L\/PR:L\/UI:N\/S:C\/C:L\/I:L\/A:L<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>When calling the Fileman::viewfile API on an RPM file, the rpm utility is called to display information about the file. Arguments are passed incorrectly to the rpm utility. This allowed for a demo account user to run arbitrary code as the demo user.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>74.0.8<br \/>70.0.57<\/p>\n<p><strong>SEC-445<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Invalid email_accounts.json prevents full account suspension.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.0\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:N\/I:N\/A:L<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>When a user\u2019s email_accounts.json file is corrupted, the suspend script generates an exception. This causes the script to fail before the full suspend process can be completed. 
A user could take advantage of this in order to prevent full suspension of their account.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>74.0.8<br \/>70.0.57<\/p>\n<p><strong>SEC-446<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Self-Stored XSS on \u2018Security Questions\u2019 login page.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 4.4 CVSS:3.0\/AV:N\/AC:H\/PR:L\/UI:R\/S:C\/C:L\/I:L\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>A reseller with \u2018all\u2019 privileges can set security questions and answers for verification when logins occur from an unrecognized IP address. These questions and answers are displayed without context appropriate escaping, which allowed an attacker to inject arbitrary code into the rendered page.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by the cPanel Security Team.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>74.0.8<br \/>70.0.57<\/p>\n<p><strong>SEC-447<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>Arbitrary file write as root in WHM \u2018Force Password Change\u2019.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 7.4 CVSS:3.0\/AV:L\/AC:H\/PR:L\/UI:R\/S:C\/C:L\/I:H\/A:H<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>A recent refactoring in the WHM \u2018Force Password Change\u2019 subsystem caused a user-controlled file to be written to with root\u2019s effective permissions. 
This allowed an attacker to overwrite arbitrary files on the system.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by rack911labs.com.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>74.0.8<br \/>70.0.57<\/p>\n<p><strong>SEC-449<\/strong><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>FTP access allowed during account suspension.<\/p>\n<p><strong>Security Rating<\/strong><\/p>\n<p>cPanel has assigned this vulnerability a CVSSv3 score of 6.5 CVSS:3.0\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:N\/I:H\/A:N<\/p>\n<p><strong>Description<\/strong><\/p>\n<p>When the system was configured with ProFTPd as the FTP daemon, suspending a cPanel account did not disable FTP access for the account.<\/p>\n<p><strong>Credits<\/strong><\/p>\n<p>This issue was discovered by Harry Li from GoDaddy.<\/p>\n<p><strong>Solution<\/strong><\/p>\n<p>This issue is resolved in the following builds:<br \/>74.0.8<br \/>70.0.57<\/p>\n<p>For the PGP-Signed version of this announcement please see: <a href=\"https:\/\/news.cpanel.com\/wp-content\/uploads\/2018\/09\/TSR-2018-0005.disclosure.signed.txt\" target=\"_blank\" rel=\"noopener\">https:\/\/news.cpanel.com\/wp-content\/uploads\/2018\/09\/TSR-2018-0005.disclosure.signed.txt<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>cPanel TSR-2018-0005 Full Disclosure SEC-409 Summary ClamAV daemon can be shut off by any local user. Security Rating cPanel has assigned this vulnerability a CVSSv3 score of 3.3 CVSS:3.0\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:N\/I:N\/A:L Description The userspace socket file for the clamd daemon has open permissions for necessary communication with userspace scanning functionality in cPanel. 
However, this socket also accepts &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25],"tags":[],"class_list":["post-6893","post","type-post","status-publish","format-standard","hentry","category-cpanel-news"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/6893","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=6893"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/6893\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=6893"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=6893"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=6893"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}