cPanel TSR-2016-0006 Full Disclosure


cPanel TSR-2016-0006 Full Disclosure

SEC-158

Summary

Arbitrary file overwrite when account domain is modified.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 6.3 (AV:N/AC:M/Au:S/C:N/I:C/A:N)

Description

When an account’s domain name is modified, changes to the .htaccess file were performed as root. It was possible to take advantage of this in order to overwrite arbitrary files.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.58.0.37
11.56.0.39
11.54.0.33

SEC-159

Summary

Stored XSS in WHM Repair Mailbox Permissions interface.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)

Description

The output of the mailperm script that repairs permissions of mailbox related files did not properly escape file and directory names.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-160

Summary

Stored XSS Vulnerability in the WHM Manage cPAddons interface.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)

Description

The cpaddons_report.cgi script was not properly escaping output when performing cPAddons management operations in WHM.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.58.0.37
11.56.0.39
11.54.0.33

SEC-161

Summary

File overwrite during preparation for MySQL upgrades.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 4.9 (AV:N/AC:H/Au:S/C:N/I:C/A:N)

Description

Before performing a MySQL upgrade the existing my.cnf is checked and updated with new values if needed. During this process it was possible for an unprivileged user to overwrite existing files. Now the handling of the my.cnf file is done in a secure directory to prevent any tampering.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-162

Summary

Open redirect via /cgi-sys/FormMail-clone.cgi.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Description

There was an open redirect in the missing_fields_redirect parameter in FormMail-clone.cgi.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-164

Summary

Arbitrary file overwrites when updating Roundcube.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 6.3 (AV:N/AC:M/Au:S/C:N/I:C/A:N)

Description

When updating Roundcube, file operations are performed in the user’s home directory as root. It was possible to take advantage of this in order to overwrite arbitrary files.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-165

Summary

File create and chmod via ModSecurity Audit logfile processing.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)

Description

The archiving and removal of per-user ModSecurity audit records was not assuring that the user’s directory was the correct type and ownership. This allowed creating files and changing the permissions of files as the target user.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-168

Summary

Enforce feature list restrictions when calling the multilang adminbin.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 1.7 (AV:L/AC:L/Au:S/C:N/I:P/A:N)

Description

The multilang adminbin did not check if the calling user had the multilang feature enabled.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-169

Summary

Arbitrary code execution for ACL limited resellers during account creation.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C)

Description

A flaw in the new account creation process resulted the Ruby ‘gem’ command running with the effective UID of the newly created user and the real UID of root. A malicious reseller account could leverage this flaw to execute arbitrary Ruby code with root’s UID during the account creation process.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.58.0.37
11.56.0.39

SEC-171

Summary

Format string injection in exception message handling.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)

Description

The error messages generated by adminbin failures were passed through Locale::Maketext multiple times. This caused user-supplied data to be used as a format string.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.60.0.25

SEC-172

Summary

Self XSS Vulnerability in the tail_ea4_migration.cgi interface.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

Description

The error output in the interface of the EasyApache 4 migration log in WHM was not properly encoded. This allowed an attacker to execute arbitrary code on the rendered page.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.60.0.25

SEC-173

Summary

Arbitrary file chown via reassign_post_terminate_cruft.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 4.9 (AV:N/AC:H/Au:S/C:C/I:N/A:N)

Description

The reassign_post_terminate_cruft script did not adequately prevent changes being made to directories it is operating on. This allowed for an attacker to change the ownership of an arbitrary file.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-174

Summary

Stored XSS in homedir removal during WHM Account termination.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)

Description

During account termination within WHM the error output during home directory removal was not encoded correctly.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-175

Summary

Stored XSS in MySQL database names during WHM Account termination.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)

Description

The output of MySQL database names were not properly escaped during the account termination process.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.58.0.37
11.56.0.39
11.54.0.33

SEC-176

Summary

Stored XSS in perlinstaller directory removal in WHM Account Termination.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

Description

During the account termination within WHM the error output during the perlinstaller directory removal was not encoded correctly.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.58.0.37
11.56.0.39
11.54.0.33

SEC-177

Summary

Self-XSS Vulnerability in WHM Tweak Settings for autodiscover_host.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

Description

The WHM Tweak Settings interface for the the autodiscover_host configuration value can produce an error message that was not adequately encoded. This could allow an attacker to execute arbitrary code on the rendered page.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-178

Summary

Self-Stored XSS Vulnerability in listftpstable API.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

Description

The listftpstable API call did not adequately encode the FTP account’s home directory. This allowed an attacker to inject arbitrary code into the rendered page.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-179

Summary

Stored XSS in api1_listautoresponders.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)

Description

In custom themes, a call to api1_listautoresponders could produce output provided by an attacker via Webmail to the cPanel user that was not properly encoded.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-180

Summary

Self-XSS Vulnerability in UI_confirm API.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

Description

The UI_confirm API call did not adequately encode form element names. This allowed for an attacker to inject arbitrary code into the rendered page.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-181

Summary

Self-Stored XSS in postgres API1 listdbs.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

Description

Database names were not properly HTML encoded when listed by the Postgres listdbs api1 call.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-182

Summary

Self-Stored XSS in SSL_listkeys.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

Description

In a deprecated API1 call to list SSL keys content could be printed out that was not properly encoded.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-184

Summary

Self-XSS in alias upload interface.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

Description

An improperly named alias backup file uploaded to cPanel could produce an error message that was not properly encoded.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-185

Summary

Sensitive file contents revealed during file copy operations.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

Description

The Cpanel::FileUtils::Copy::safecopy() function did not preserve the source file’s permissions during copy operations. This allowed other users to read sensitive files while the file copy was taking place.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-186

Summary

Apache SSL keys readable by the nobody group.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)

Description

Apache SSL private key files were readable by the nobody group. This allowed unprivileged users to read the keys under certain Apache configurations.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-187

Summary

Host Access Control improperly handles action-less host.deny entries.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 3.6 (AV:N/AC:H/Au:S/C:P/I:P/A:N)

Description

Manually added entries to /etc/hosts.deny without an action specified were converted to allow action when the Host Access Control Page in WHM was used.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-188

Summary

Arbitrary code execution via Maketext in PostgreSQL adminbin.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C)

Description

In an error condition, the PostgreSQL adminbin passed user controlled text as part of a Locale::Maketext format string. By triggering an error in an SQL query used by the adminbin, it was possible to execute arbitrary code as root.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-191

Summary

Code execution via cpsrvd 403 response handler.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)

Description

In some error conditions, cpsrvd used the requested filename in a Locale::Maketext format string while generating 403 responses.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

SEC-192

Summary

HTTP POST to listinput.cpanel.net does not use TLS.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)

Description

subscribe_to_mailing_list did not use HTTPS which could have allowed the leaking of email addresses.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.60.0.25
11.58.0.37
11.56.0.39
11.54.0.33

For the PGP-Signed version of this disclosure please visit https://news.cpanel.com/wp-content/uploads/2016/11/TSR-2016-0006.disclosure.txt



source_link
news.cpanel.com