cPanel TSR-2016-0001 Full Disclosure

SEC-46

Summary

Arbitrary code execution via unsafe @INC path.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)

Description

The Perl scripts that collectively make up the cPanel & WHM product were not uniformly filtering the current working directory ‘.’ from Perl’s module library load path (@INC). Under some circumstances, this allowed an attacker with the ability to modify the contents of the working directory to run arbitrary code as the user who executes the script.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.54.0.4

11.52.2.4

11.50.4.3

11.48.5.2

SEC-69

Summary

Limited arbitrary file modification during account modification.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)

Description

During account modification, file changes were performed as the root user inside the cPanel account’s home directory. By creating a symbolic link in certain locations, an attacker was able to modify arbitrary files.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.52.2.4

11.50.4.3

11.48.5.2

SEC-70

Summary

Arbitrary file read via bin/fmq script.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 4.9 (AV:N/AC:H/Au:S/C:C/I:N/A:N)

Description

The bin/fmq script performed unsafe file operations within a user’s home directory. By creating a symlink to an arbitrary file, an attacker was able read otherwise inaccessible files.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.54.0.4

11.52.2.4

11.50.4.3

11.48.5.2

SEC-71

Summary

SQL injection vulnerability in bin/horde_update_usernames.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 3.6 (AV:N/AC:H/Au:S/C:P/I:P/A:N)

Description

The bin/horde_update_usernames script performed SQL queries without the adequate escaping of untrusted data. This allowed the injection of arbitrary SQL statements.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.54.0.4

11.52.2.4

11.50.4.3

11.48.5.2

SEC-72

Summary

Arbitrary code execution vulnerability during locale duplication.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C)

Description

During the execution of locale_duplicate.cgi, temporary files were created in an unsafe manner. By careful manipulation of the temporary files, an attacker could inject and execute arbitrary shell commands.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.54.0.4

11.52.2.4

11.50.4.3

11.48.5.2

SEC-73

Summary

Password hashes revealed by bin/mkvhostspasswd script.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

Description

The bin/mkvhostspasswd script creates a temporary working file while updating the passwd.vhosts file. The permissions on this temporary file were in an insecure state momentarily. This allowed an attacker to read the file’s contents.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.54.0.4

11.52.2.4

11.50.4.3

11.48.5.2

SEC-74

Summary

Limited arbitrary file read in bin/setup_global_spam_filter.pl.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)

Description

The bin/setup_global_spam_filter.pl script performed unsafe file operations in the home directory of the cPanel accounts as the root user. By manipulating the input files, an attacker was able to view the content of arbitrary files on the system.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.54.0.4

11.52.2.4

11.50.4.3

11.48.5.2

SEC-76

Summary

Code execution as shared users via JSON-API.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 4.9 (AV:N/AC:M/Au:S/C:P/I:P/A:N)

Description

The cPanel URL dispatch logic for JSON and XML API calls allowed cPanel and Webmail accounts to call API commands while running with the privileges of shared user accounts.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.54.0.4

11.52.2.4

11.50.4.3

11.48.5.2

SEC-77

Summary

Password hash revealed by chcpass script.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

Description

The scripts/chcpass script allowed the crypted form of a user’s password stored in the /etc/shadow file to be updated. It took the crypted password as a command line argument, exposing this information to other users on the system. This code was not actively used by the cPanel & WHM product and has been removed.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.54.0.4

11.52.2.4

11.50.4.3

11.48.5.2

SEC-78

Summary

Arbitrary file overwrite in scripts/check_system_storable.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

Description

By default, the check_system_storable script created a predictable .tmp file in an insecure location. This allowed an attacker to overwrite arbitrary files on the system.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.54.0.4

11.52.2.4

11.50.4.3

11.48.5.2

SEC-79

Summary

Arbitrary file chown/chmod during Roundcube database conversions.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 5.9 (AV:A/AC:H/Au:S/C:C/I:C/A:N)

Description

During the MySQL to SQLite database conversion process for Roundcube, a chown and chmod was performed as the root user within a user-writable directory. This allowed an attacker to gain control of arbitrary files on the system.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.54.0.4

11.52.2.4

11.50.4.3

11.48.5.2

SEC-80

Summary

Arbitrary file read and write via scripts/fixmailboxpath.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 7.5 (AV:N/AC:L/Au:S/C:C/I:P/A:N)

Description

The fixmailboxpath script performed file read and write operations as root inside the cPanel users’ home directories.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.54.0.4

11.52.2.4

11.50.4.3

11.48.5.2

SEC-81

Summary

Arbitrary file overwrite in scripts/quotacheck.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 4.9 (AV:N/AC:M/Au:S/C:P/I:P/A:N)

Description

The quotacheck script performed reads and writes of files in cPanel users’ home directories while running as the root user. This allowed an attacker to overwrite arbitrary files on the system.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.54.0.4

11.52.2.4

11.50.4.3

11.48.5.2

SEC-82

Summary

Limited arbitrary file chmod in scripts/secureit.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

Description

During the cPanel installation process, the secureit script searches the /usr/ directory for setuid and setgid files. After filtering this list, it removes the setuid and setgid bits from any remaining files. The filtering logic did not account for the world-writable ModSecurity audit log directory, which allowed an attacker to remove the setuid and setgid bits from arbitrary files or folders on the system.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.54.0.4

11.52.2.4

11.50.4.3

11.48.5.2

SEC-83

Summary

Arbitrary code execution via scripts/synccpaddonswithsqlhost.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)

Description

Unsafe file operations within a user’s home directory in combination with a string eval allowed an attacker to execute arbitrary code as root when the synccpaddonswithsqlhost script was executed.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.54.0.4

11.52.2.4

11.50.4.3

11.48.5.2

SEC-84

Summary

Self-XSS in WHM PHP Configuration editor interface.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

Description

The SMTP field was not sufficiently escaped when displayed on the WHM PHP Configuration editor output in Advanced Mode.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.54.0.4

11.52.2.4

11.50.4.3

11.48.5.2

SEC-85

Summary

Missing ACL enforcement in AppConfig subsystem.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

Description

AppConfig did not perform proper ACL or feature list checks when a “user” was not specified or the “dynamic_user” functionality was used. In these circumstances a user could access the app regardless of any ACLs or feature requirements.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.54.0.4

11.52.2.4

11.50.4.3

11.48.5.2

SEC-86

Summary

Stored XSS in WHM Feature Manager interface.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)

Description

Package names were not sufficiently escaped when displayed on the WHM Feature Manager interface.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.54.0.4

11.52.2.4

SEC-87

Summary

Self-XSS in X3 Entropy Banner interface.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I/A:N)

Description

The “link” variable was not sufficiently escaped when displayed on the changelink.html page in the X3 Entropy Banner interfaces.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.54.0.4

11.52.2.4

11.50.4.3

11.48.5.2

SEC-91

Summary

Unauthenticated arbitrary code execution via cpsrvd.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Description

cPanel & WHM’s internal web server, cpsrvd, did not correctly filter the request URI when processing incoming requests. Due to this, it was possible for an unauthenticated attacker to read arbitrary files and execute arbitrary scripts.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.54.0.4

11.52.2.4

11.50.4.3

11.48.5.2

For the PGP Signed version of this disclosure please visit https://news.cpanel.com/wp-content/uploads/2016/01/TSR-2016-0001-Disclosure.txt