TSR 2013-0011 Full Disclosure


Administrator

<p>Case 60890</p>

<p>Summary</p>

<p>A reseller with limited privileges is allowed to install SSL virtualhosts on arbitrary IPs.</p>

<p>Security Rating</p>

<p>cPanel has assigned a Security Level of Important to this vulnerability.</p>

<p>Description</p>

<p>A reseller account with ACL permission to install SSL certificates could install certificates and matching virtualhosts on IP addresses that belonged to accounts that did not belong to the reseller. This would allow a malicious reseller account to capture web traffic intended for other accounts on the system.</p>

<p>Credits</p>

<p>These issues were discovered by the cPanel Security Team.</p>

<p>Solution</p>

<p>This issue is resolved in the following builds:</p>

<p>11.36.2.10 & Greater</p>

<p>The 11.38 and 11.40 releases of cPanel were not vulnerable to this issue due to unrelated changes in the SSL certificate management logic of cPanel & WHM.</p>

<p>Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at <a title="http://httpupdate.cpanel.net/" href="http://httpupdate.cpanel.net/" target="_blank">http://httpupdate.cpanel.net/</a></p>

<p>Case 63541</p>

<p>Summary</p>

<p>Arbitrary code execution via user supplied translatable phrases.</p>

<p>Security Rating</p>

<p>cPanel has assigned a Security Level of Important to this vulnerability.</p>

<p>Description</p>

<p>Authenticated remote cPanel, WHM, and Webmail users have the ability to call API commands appropriate for their access level. Many API commands expand input arguments looking for translatable strings and other variable substitutions. It was found that the Locale::Maketext module, as used in cPanel’s translation system, allowed callers to specify a custom failure handler via a crafted translation. A malicious authenticated user could leverage this flaw to execute arbitrary code with permissions that exceeded their normal access level.</p>

<p>Credits</p>

<p>This issue was discovered by the cPanel Security Team.</p>

<p>Solution</p>

<p>This issue is resolved in the following builds:</p>

<p>11.40.1.3 & Greater<br />11.40.0.29 & Greater<br />11.38.2.13 & Greater<br />11.36.2.10 & Greater</p>

<p>Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at <a title="http://httpupdate.cpanel.net/" href="http://httpupdate.cpanel.net/" target="_blank">http://httpupdate.cpanel.net/</a></p>

<p>Case 69517</p>

<p>Summary</p>

<p>World-writable Counter directory allowed arbitrary code execution.</p>

<p>Security Rating</p>

<p>cPanel has assigned a Security Level of Moderate to this vulnerability.</p>

<p>Description</p>

<p>An unnecessary directory at /usr/local/cpanel/share/Counter, installed by the wwwcount RPM provided with cPanel, retained world-writable permissions on some systems. The location of this directory inside of cPanel & WHM’s trusted paths allowed a local attacker to load arbitrary code into cPanel processes under some circumstances.</p>

<p>Credits</p>

<p>This issue was discovered by the cPanel Security Team.</p>

<p>Solution</p>

<p>This issue is resolved in the following builds:</p>

<p>11.40.1.3 & Greater<br />11.40.0.29 & Greater<br />11.38.2.13 & Greater<br />11.36.2.10 & Greater</p>

<p>Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at <a title="http://httpupdate.cpanel.net/" href="http://httpupdate.cpanel.net/" target="_blank">http://httpupdate.cpanel.net/</a></p>

<p>Case 71125</p>

<p>Summary</p>

<p>Arbitrary file ownership change via cPanel branding system.</p>

<p>Security Rating</p>

<p>cPanel has assigned a Security Level of Important to this vulnerability.</p>

<p>Description</p>

<p>A bug in the sprite generation code for the branding subsystem changed the ownership of files in paths under the reseller’s control to the reseller’s UID. The change in ownership was performed automatically during the nightly updates while running with the effective UID and GID of root. A malicious reseller account could leverage this flaw to take control of arbitrary files on the system.</p>

<p>Credits</p>

<p>These issues were discovered by the cPanel Security Team.</p>

<p>Solution</p>

<p>This issue is resolved in the following builds:</p>

<p>11.38.2.13 & Greater</p>

<p>The 11.36 and 11.40 releases of cPanel were not vulnerable to this issue. The vulnerable functionality was introduced in cPanel & WHM’s 11.38 release and fixed due to unrelated changes in the original releases of 11.40.</p>

<p>Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at <a title="http://httpupdate.cpanel.net/" href="http://httpupdate.cpanel.net/" target="_blank">http://httpupdate.cpanel.net/</a></p>

<p>Case 73125</p>

<p>Summary</p>

<p>After multiple security token failures, session credentials were not invalidated.</p>

<p>Security Rating</p>

<p>cPanel has assigned a Security Level of Minor to this vulnerability.</p>

<p>Description</p>

<p>The security tokens used to prevent XSRF (Cross-Site Request Forgery) attacks were vulnerable to brute-force attempts due to a failure to limit the number of invalid token attempts. An attacker who could make a very large number of XSRF attempts could use this flaw in an attempt to brute force the security token.</p>

<p>Credits</p>

<p>This issue was discovered by the cPanel Security Team.</p>

<p>Solution</p>

<p>This issue is resolved in the following builds:</p>

<p>11.40.1.3 & Greater<br />11.40.0.29 & Greater<br />11.38.2.13 & Greater<br />11.36.2.10 & Greater</p>

<p>Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at <a title="http://httpupdate.cpanel.net/" href="http://httpupdate.cpanel.net/" target="_blank">http://httpupdate.cpanel.net/</a></p>
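<p>Added example, not cPanel's code and not part of the advisory: one way to bound the token guessing described in Case 73125 is to count invalid security-token attempts per session and invalidate the session once a threshold is reached. The SessionStore class, its method names and the limit of 5 are assumptions made for illustration.</p>

```python
import hmac
import secrets

MAX_TOKEN_FAILURES = 5  # assumed threshold; the advisory does not state one


class SessionStore:
    """Toy in-memory session table (hypothetical, for illustration only)."""

    def __init__(self, max_failures=MAX_TOKEN_FAILURES):
        self.max_failures = max_failures
        self._sessions = {}

    def create(self):
        """Start a session and return (session_id, security_token)."""
        session_id = secrets.token_hex(16)
        token = secrets.token_urlsafe(16)
        self._sessions[session_id] = {"token": token, "failures": 0}
        return session_id, token

    def is_active(self, session_id):
        return session_id in self._sessions

    def check_token(self, session_id, presented):
        """Return True only for a live session presenting its own token."""
        session = self._sessions.get(session_id)
        if session is None:
            return False
        # Constant-time comparison, so timing does not leak matching prefixes.
        if hmac.compare_digest(session["token"].encode(), presented.encode()):
            # The failure count is deliberately NOT reset on success: forged
            # requests interleaved with the victim's own traffic would
            # otherwise get an unlimited number of guesses.
            return True
        session["failures"] += 1
        if session["failures"] >= self.max_failures:
            # Drop the whole session, not just the token: the user has to log
            # in again and every outstanding guess becomes worthless.
            del self._sessions[session_id]
        return False


def guesses_evaluated(store, session_id, guesses):
    """Count how many guesses reach a live session before it is invalidated."""
    evaluated = 0
    for guess in guesses:
        if not store.is_active(session_id):
            break
        evaluated += 1
        if store.check_token(session_id, guess):
            break
    return evaluated
```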

<p>Case 73193</p>

<p>Summary</p>

<p>Unsafe disclosure of security token during session based login.</p>

<p>Security Rating</p>

<p>cPanel has assigned a Security Level of Minor to this vulnerability.</p>

<p>Description</p>

<p>The URL used to perform logins could return a valid security token with only a valid session identifier supplied instead of a username and password. An attacker with the ability to capture a valid session identifier could use this flaw to acquire a new, valid security token that could be used to authenticate with the captured credentials. Such an attack would additionally invalidate the existing token for that session.</p>

<p>Credits</p>

<p>This issue was discovered by the cPanel Security Team.</p>

<p>Solution</p>

<p>This issue is resolved in the following builds:</p>

<p>11.40.1.3 & Greater<br />11.40.0.29 & Greater<br />11.38.2.13 & Greater<br />11.36.2.10 & Greater</p>

<p>Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at <a title="http://httpupdate.cpanel.net/" href="http://httpupdate.cpanel.net/" target="_blank">http://httpupdate.cpanel.net/</a></p>

<p>Case 74333</p>

<p>Summary</p>

<p>The session credentials were disclosed during reseller override logins.</p>

<p>Security Rating</p>

<p>cPanel has assigned a Security Level of Important to this vulnerability.</p>

<p>Description</p>

<p>The session cookie used by a reseller during a reseller override login to a cPanel account was disclosed to the cPanel account via the HTTP_COOKIE environment variable. A malicious local cPanel user could leverage this vulnerability to enter WHM using the reseller’s captured credentials.</p>

<p>Credits</p>

<p>These issues were discovered by the cPanel Security Team.</p>

<p>Solution</p>

<p>This issue is resolved in the following builds:</p>

<p>11.38.2.13 & Greater<br />11.36.2.10 & Greater</p>

<p>The 11.40 release of cPanel was not vulnerable to this issue. The vulnerable functionality was fixed due to unrelated changes in the original releases of 11.40.</p>

<p>Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at <a title="http://httpupdate.cpanel.net/" href="http://httpupdate.cpanel.net/" target="_blank">http://httpupdate.cpanel.net/</a></p>

<p>Case 78045</p>

<p>Summary</p>

<p>Stored XSS vulnerability in WHM Daily Process Log screen.</p>

<p>Security Rating</p>

<p>cPanel has assigned a Security Level of Important to this vulnerability.</p>

<p>Description</p>

<p>Output filtering in the WHM Daily Process Log interface did not properly sanitize the names of processes that caused high CPU load. A local attacker could create a process with a high load and a name containing malicious JavaScript intended to execute in the browser of any WHM account that viewed the daily process summary.</p>

<p>Credits</p>

<p>This issue was discovered by the cPanel Security Team.</p>

<p>Solution</p>

<p>This issue is resolved in the following builds:</p>

<p>11.40.1.3 & Greater<br />11.40.0.29 & Greater<br />11.38.2.13 & Greater<br />11.36.2.10 & Greater</p>

<p>Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at <a title="http://httpupdate.cpanel.net/" href="http://httpupdate.cpanel.net/" target="_blank">http://httpupdate.cpanel.net/</a></p>

<p>Case 78089</p>

<p>Summary</p>

<p>Password disclosure during forced cPAddons upgrade.</p>

<p>Security Rating</p>

<p>cPanel has assigned a Security Level of Important to this vulnerability.</p>

<p>Description</p>

<p>A root or reseller account performing an upgrade of a cPanel account’s cPAddons Site Software installations directly from WHM disclosed the REMOTE_PASSWORD environmental variable to the cPanel account under some circumstances. The variable was only disclosed when the “cgihidepass” TweakSetting was disabled on the server. By default, this TweakSetting is enabled.</p>

<p>Credits</p>

<p>This issue was discovered by the cPanel Security Team.</p>

<p>Solution</p>

<p>This issue is resolved in the following builds:</p>

<p>11.40.1.3 & Greater<br />11.40.0.29 & Greater<br />11.38.2.13 & Greater<br />11.36.2.10 & Greater</p>

<p>Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at <a title="http://httpupdate.cpanel.net/" href="http://httpupdate.cpanel.net/" target="_blank">http://httpupdate.cpanel.net/</a></p>

<p>Case 79277</p>

<p>Summary</p>

<p>Arbitrary file read vulnerability in WHM Edit DNS Zone interface.</p>

<p>Security Rating</p>

<p>cPanel has assigned a Security Level of Minor to this vulnerability.</p>

<p>Description</p>

<p>The WHM Edit DNS Zone interface allowed parts of arbitrary files to be read through the error message produced when an $include DNS zone directive led to an invalidly-formatted file. With a specially crafted DNS zone entry, resellers with the “edit-dns” ACL could read parts of the contents of files accessible only to root from the output of that error message.</p>

<p>Credits</p>

<p>This issue was discovered by Rack911.</p>

<p>Solution</p>

<p>This issue is resolved in the following builds:</p>

<p>11.40.1.3 & Greater<br />11.40.0.29 & Greater<br />11.38.2.13 & Greater<br />11.36.2.10 & Greater</p>

<p>Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at <a title="http://httpupdate.cpanel.net/" href="http://httpupdate.cpanel.net/" target="_blank">http://httpupdate.cpanel.net/</a></p>

<p>Case 80113</p>

<p>Summary</p>

<p>cPHulk injection via crafted SSH connections.</p>

<p>Security Rating</p>

<p>cPanel has assigned a Security Level of Moderate to this vulnerability.</p>

<p>Description</p>

<p>cPHulk, a service for preventing brute-force authentication attempts, was vulnerable to a protocol injection attack via specially crafted usernames during SSH authentication. This flaw would allow a remote unauthenticated attacker to block or unblock arbitrary IP addresses and accounts from connecting to all cPHulk-managed services on the system.</p>

<p>Credits</p>

<p>This issue was discovered by an anonymous researcher.</p>

<p>Solution</p>

<p>This issue is resolved in the following builds:</p>

<p>11.40.1.3 & Greater<br />11.40.0.29 & Greater<br />11.38.2.13 & Greater<br />11.36.2.10 & Greater</p>

<p>Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at <a title="http://httpupdate.cpanel.net/" href="http://httpupdate.cpanel.net/" target="_blank">http://httpupdate.cpanel.net/</a></p>

<p>Case 80633</p>

<p>Summary</p>

<p>Arbitrary file write via X3 countedit.cgi.</p>

<p>Security Rating</p>

<p>cPanel has assigned a Security Level of Important to this vulnerability.</p>

<p>Description</p>

<p>An obsolete version of the countedit.cgi script inside the cPanel X3 theme directory contained a path traversal vulnerability allowing arbitrary files to be written. This script was only executable by cPanel accounts that were configured to use a theme other than X3 or by cPanel accounts configured to use the X3 theme after a clone of the X3 theme was created by the system administrator. The obsolete copies of countedit.cgi and count.cgi inside the X3 theme directory have been removed.</p>

<p>Credits</p>

<p>This issue was discovered by the cPanel Security Team.</p>

<p>Solution</p>

<p>This issue is resolved in the following builds:</p>

<p>11.40.1.3 & Greater<br />11.40.0.29 & Greater<br />11.38.2.13 & Greater<br />11.36.2.10 & Greater</p>

<p>Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at <a title="http://httpupdate.cpanel.net/" href="http://httpupdate.cpanel.net/" target="_blank">http://httpupdate.cpanel.net/</a></p>

<p>Case 81373</p>

<p>Summary</p>

<p>Bandmin passwd file stored with world-readable permissions.</p>

<p>Security Rating</p>

<p>cPanel has assigned a Security Level of Minor to this vulnerability.</p>

<p>Description</p>

<p>The permissions of the Bandmin password file were set to 0644 by default. This allowed any user on the system to read the username and hashed password required to view Bandmin’s stored log data. The password stored in this file was encoded with DES-crypt.</p>

<p>Credits</p>

<p>This issue was discovered by the cPanel Security Team.</p>

<p>Solution</p>

<p>This issue is resolved in the following builds:</p>

<p>11.40.1.3 & Greater<br />11.40.0.29 & Greater<br />11.38.2.13 & Greater<br />11.36.2.10 & Greater</p>

<p>Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at <a title="http://httpupdate.cpanel.net/" href="http://httpupdate.cpanel.net/" target="_blank">http://httpupdate.cpanel.net/</a></p>

<p>Case 81377</p>

<p>Summary</p>

<p>Multiple XSS vulnerabilities found in Bandmin.</p>

<p>Security Rating</p>

<p>cPanel has assigned a Security Level of Moderate to this vulnerability.</p>

<p>Description</p>

<p>Multiple output filtering errors in the Bandmin bandwidth log viewer interface allowed JavaScript inputs to be returned to the browser without proper filtering. An attacker who could cause a user with permission to view bandwidth logs to visit a specially crafted URL could execute arbitrary JavaScript code in that user’s browser.</p>

<p>Credits</p>

<p>This issue was discovered by the cPanel Security Team.</p>

<p>Solution</p>

<p>This issue is resolved in the following builds:</p>

<p>11.40.1.3 & Greater<br />11.40.0.29 & Greater<br />11.38.2.13 & Greater<br />11.36.2.10 & Greater</p>

<p>Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at <a title="http://httpupdate.cpanel.net/" href="http://httpupdate.cpanel.net/" target="_blank">http://httpupdate.cpanel.net/</a></p>

<p>Case 81429</p>

<p>Summary</p>

<p>URL filtering flaws allowed access to restricted resources.</p>

<p>Security Rating</p>

<p>cPanel has assigned a Security Level of Important to this vulnerability.</p>

<p>Description</p>

<p>Flaws in the path resolution of URLs supplied to cpsrvd with HTTP requests allowed the bypassing of URL based access control checks in the cPanel, WHM, and Webmail interfaces. This allowed, for example, an attacker with credentials for a Webmail virtual account to access phpMyAdmin and phpPgAdmin with the privileges of the cPanel account that owned the Webmail account.</p>

<p>Credits</p>

<p>This issue was discovered by the cPanel Security Team.</p>

<p>Solution</p>

<p>This issue is resolved in the following builds:</p>

<p>11.40.1.3 & Greater<br />11.40.0.29 & Greater<br />11.38.2.13 & Greater<br />11.36.2.10 & Greater</p>

<p>Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at <a title="http://httpupdate.cpanel.net/" href="http://httpupdate.cpanel.net/" target="_blank">http://httpupdate.cpanel.net/</a></p>

<p>Case 81641</p>

<p>Summary</p>

<p>Path traversal flaw allows arbitrary code execution for restricted cPanel accounts.</p>

<p>Security Rating</p>

<p>cPanel has assigned a Security Level of Moderate to this vulnerability.</p>

<p>Description</p>

<p>Due to an incorrect ordering of input filters, the UI::dynamicincludelist and UI::includelist cPanel API 2 calls were vulnerable to a path traversal attack. A restricted cPanel account could leverage this flaw to read files or execute arbitrary code that other account restrictions, such as JailShell or demo mode, would normally prevent.</p>

<p>Credits</p>

<p>This issue was discovered by the cPanel Security Team.</p>

<p>Solution</p>

<p>This issue is resolved in the following builds:</p>

<p>11.40.1.3 & Greater<br />11.40.0.29 & Greater<br />11.38.2.13 & Greater<br />11.36.2.10 & Greater</p>

<p>Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at <a title="http://httpupdate.cpanel.net/" href="http://httpupdate.cpanel.net/" target="_blank">http://httpupdate.cpanel.net/</a></p>
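<p>Added example, not cPanel's code: a generic illustration of the two failure patterns named in Case 81429 (an access check made on a URL before path resolution) and Case 81641 (input filters applied in the wrong order), each shown beside a form that canonicalizes first and checks last. The directory names, URL areas and function names are hypothetical, and the percent-decoding step is an assumed instance of a misordered filter, since the advisory does not say which filters were involved.</p>

```python
import posixpath
from urllib.parse import unquote

INCLUDE_ROOT = "/srv/app/includes"   # hypothetical include directory
WEBMAIL_AREAS = ("/webmail",)        # hypothetical URL area for a Webmail login


def inside(base, path):
    """True when path is base itself or lies beneath it (absolute, normalised)."""
    return posixpath.commonpath([base, path]) == base


def canonical_url_path(raw_path):
    """Percent-decode exactly once, then collapse '.', '..' and repeated '/'."""
    decoded = unquote(raw_path)
    if "\x00" in decoded or not decoded.startswith("/"):
        return None
    return posixpath.normpath("/" + decoded.lstrip("/"))


def allowed_raw_prefix(raw_path, areas=WEBMAIL_AREAS):
    """Flawed: the check sees the raw string, the handler a resolved path."""
    return any(raw_path.startswith(area + "/") for area in areas)


def allowed_canonical(raw_path, areas=WEBMAIL_AREAS):
    """Hardened: authorise the same canonical path the handler is given."""
    canon = canonical_url_path(raw_path)
    if canon is None or not any(inside(area, canon) for area in areas):
        return None
    return canon  # dispatch on this value, never on raw_path


def include_filter_first(name, root=INCLUDE_ROOT):
    """Flawed ordering: '..' is filtered before the name is percent-decoded."""
    if ".." in name.split("/"):
        return None
    return posixpath.normpath(posixpath.join(root, unquote(name)))


def include_decode_first(name, root=INCLUDE_ROOT):
    """Hardened ordering: decode, normalise, then test containment last."""
    decoded = unquote(name)
    if "\x00" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # Lexical check only; on a real filesystem also resolve symlinks
    # (os.path.realpath) before comparing against the root.
    return candidate if inside(root, candidate) else None
```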

<p>Case 81885</p>

<p>Summary</p>

<p>Multiple self-XSS vulnerabilities found in cPanel.</p>

<p>Security Rating</p>

<p>cPanel has assigned a Security Level of Minor to this vulnerability.</p>

<p>Description</p>

<p>Output filtering errors in the Manage Redirection functionality for Addon Domains and Subdomains, as well as the GnuPG Keys interfaces allowed JavaScript inputs to be returned to the browser without proper filtering.</p>

<p>cPanel includes a comprehensive protection mechanism against XSS and XSRF attacks called Security Tokens. Security Tokens protection is enabled by default in all installs of cPanel & WHM. When Security Tokens protection is enabled, an attacker intending to utilize this vulnerability must convince the victim to navigate their browser to the appropriate cPanel or WHM interface and manually input the JavaScript payload.</p>

<p>Credits</p>

<p>These issues were discovered by the cPanel Security Team.</p>

<p>Solution</p>

<p>This issue is resolved in the following builds:</p>

<p>11.40.1.3 & Greater<br />11.40.0.29 & Greater<br />11.38.2.13 & Greater<br />11.36.2.10 & Greater</p>

<p>Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at <a title="http://httpupdate.cpanel.net/" href="http://httpupdate.cpanel.net/" target="_blank">http://httpupdate.cpanel.net/</a></p>

<p>Case 82309</p>

<p>Summary</p>

<p>Insecure storage of Logaholic session files was found.</p>

<p>Security Rating</p>

<p>cPanel has assigned a Security Level of Important to this vulnerability.</p>

<p>Description</p>

<p>Logaholic session files were stored in the world-writable /tmp directory. A local attacker with access to the cPanel Logaholic interfaces could create a session file in this directory with a crafted payload intended to execute arbitrary code as the cpanel-logaholic user as the session was loaded by the Logaholic interfaces inside cPanel. Logaholic now uses a non-world-writable directory for session data, and as a precaution, database caching.</p>

<p>Credits</p>

<p>This issue was discovered by Rack911.</p>

<p>Solution</p>

<p>This issue is resolved in the following builds:</p>

<p>11.40.1.3 & Greater<br />11.40.0.29 & Greater<br />11.38.2.13 & Greater<br />11.36.2.10 & Greater</p>

<p>Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at <a title="http://httpupdate.cpanel.net/" href="http://httpupdate.cpanel.net/" target="_blank">http://httpupdate.cpanel.net/</a></p>

<p>Case 82725</p>

<p>Summary</p>

<p>XSS vulnerability found in YUI 2.</p>

<p>Security Rating</p>

<p>cPanel has assigned a Security Level of Moderate to this vulnerability.</p>

<p>Description</p>

<p>The uploader.swf file in YUI 2, which is included with cPanel & WHM, is vulnerable to an XSS attack due to insufficient filtering of inputs. This attack has been assigned CVE-2013-6780. All Flash files have been removed from the copy of YUI 2 shipped with cPanel & WHM, as they are unneeded. These files were accessible in the cPanel, WHM, and Webmail interfaces.</p>

<p>Credits</p>

<p>This issue was discovered upstream by a security researcher called @soiaxx.</p>

<p>Solution</p>

<p>This issue is resolved in the following builds:</p>

<p>11.40.1.3 & Greater<br />11.40.0.29 & Greater<br />11.38.2.13 & Greater<br />11.36.2.10 & Greater</p>

<p>Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at <a title="http://httpupdate.cpanel.net/" href="http://httpupdate.cpanel.net/" target="_blank">http://httpupdate.cpanel.net/</a></p>

<p>Case 82733</p>

<p>Summary</p>

<p>Database grant files stored with world-readable permissions.</p>

<p>Security Rating</p>

<p>cPanel has assigned a Security Level of Important to this vulnerability.</p>

<p>Description</p>

<p>Changes to the functionality that stores data and cache files resulted in cPanel & WHM’s files for storing database grants becoming world-readable. This flaw allowed all accounts on the system to access the MySQL and PostgreSQL grant statements for other cPanel users on the system. These grant statements contained MySQL and PostgreSQL usernames and hashed passwords.</p>

<p>Credits</p>

<p>This issue was discovered by Rack911.</p>

<p>Solution</p>

<p>This issue is resolved in the following builds:</p>

<p>11.40.1.3 & Greater<br />11.40.0.29 & Greater<br />11.38.2.13 & Greater</p>

<p>The 11.36 release of cPanel was not vulnerable to this issue.</p>

<p>Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at <a title="http://httpupdate.cpanel.net/" href="http://httpupdate.cpanel.net/" target="_blank">http://httpupdate.cpanel.net/</a></p>
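<p>Added example, not part of the advisory: a small audit for the permission problems described in Case 69517 (a world-writable directory inside a trusted path), Case 81373 (a credential file left at 0644) and Case 82733 (world-readable grant files). The function names and the fixture tree are constructed for illustration; only the Counter path in the final lines comes from the advisory.</p>

```python
import os
import stat


def check_mode(path, holds_secrets=False):
    """Return findings for one path, judged on its own mode bits."""
    st = os.lstat(path)  # lstat: never follow a link planted by another user
    if stat.S_ISLNK(st.st_mode):
        return []        # a symlink's own mode says nothing; audit its target
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if holds_secrets and mode & stat.S_IROTH:
        findings.append("world-readable")
    return findings


def audit_tree(root, holds_secrets=False):
    """Walk root (symlinks not followed); map each failing path to findings."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    report = {}
    for path in paths:
        findings = check_mode(path, holds_secrets)
        if findings:
            report[path] = findings
    return report


def build_constructed_tree(base):
    """Constructed fixture reproducing the modes the advisory describes."""
    counter = os.path.join(base, "Counter")
    os.mkdir(counter)
    os.chmod(counter, 0o777)      # world-writable directory (Case 69517)
    passwd = os.path.join(base, "passwd")
    with open(passwd, "w") as fh:
        fh.write("constructed-user:constructed-hash\n")
    os.chmod(passwd, 0o644)       # world-readable credential file (Case 81373)
    private = os.path.join(base, "grants.private")
    with open(private, "w") as fh:
        fh.write("constructed\n")
    os.chmod(private, 0o600)      # the mode a secrets file should have
    return counter, passwd, private


if __name__ == "__main__":
    # Path taken from Case 69517; absent on patched or non-cPanel hosts.
    target = "/usr/local/cpanel/share/Counter"
    if os.path.lexists(target):
        print(audit_tree(target))
```

<p>Run audit_tree with holds_secrets=True only on directories that store credentials or grant data, since ordinary content is expected to be world-readable.</p>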

<p>Case 83501</p>

<p>Summary</p>

<p>Disallow \g in MySQL GRANT statements during account restores.</p>

<p>Security Rating</p>

<p>cPanel has not assigned a Security Level to this issue.</p>

<p>Description</p>

<p>\g has been added to the list of disallowed strings for MySQL grant restores. We would like to stress that this does not make restoration of packages from untrusted sources safe.</p>

<p>Credits</p>

<p>This issue was reported by Rack911.</p>

<p>Solution</p>

<p>This issue is resolved in the following builds:</p>

<p>11.40.1.3 & Greater<br />11.40.0.29 & Greater<br />11.38.2.13 & Greater<br />11.36.2.10 & Greater</p>

<p>Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at <a title="http://httpupdate.cpanel.net/" href="http://httpupdate.cpanel.net/" target="_blank">http://httpupdate.cpanel.net/</a></p>

<p>Case 83929</p>

<p>Summary</p>

<p>A cross-account XSRF attack against reseller override logins was possible via goto_uri.</p>

<p>Security Rating</p>

<p>cPanel has assigned a Security Level of Moderate to this vulnerability.</p>

<p>Description</p>

<p>Reseller accounts that log into the cPanel accounts they own using reseller override authentication have the ability to switch back to WHM or switch to the cPanel interfaces for other cPanel accounts they own. This functionality goes through special /xfer URLs inside cpsrvd. The /xfer URLs also permit specifying an optional destination URL on the other side of the switch between accounts and interfaces through a “goto_uri” query parameter. A malicious cPanel user could conduct XSRF attacks against a reseller logged into their account to combine an /xfer to a different account with a goto_uri destination that caused configuration changes inside the other account. This vulnerability has been addressed by limiting use of the goto_uri parameter to account and interface switches where privileges are being lowered.</p>

<p>Credits</p>

<p>This issue was discovered by the cPanel Security Team.</p>

<p>Solution</p>

<p>This issue is resolved in the following builds:</p>

<p>11.40.1.3 & Greater<br />11.40.0.29 & Greater<br />11.38.2.13 & Greater<br />11.36.2.10 & Greater</p>

<p>Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at <a title="http://httpupdate.cpanel.net/" href="http://httpupdate.cpanel.net/" target="_blank">http://httpupdate.cpanel.net/</a></p>

<p>For the PGP-signed message, see <a title="TSR-2013-0011-FullDisclosure" href="http://cpanel.net/wp-content/uploads/2013/12/TSR-2013-0011-FullDisclosure.txt" target="_blank">TSR-2013-0011-FullDisclosure</a>.</p>
