
TSR 2013-0012 Full Disclosure



Case 84681

Summary

Arbitrary file read by ACL-limited reseller accounts via the XML API.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

The WHM XML and JSON APIs allowed arbitrary files to be read through the “getpkginfo” API call. By sending a crafted input to this call, resellers with the “viewglobalpackages” ACL could read the contents of files accessible only to root.
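The advisory does not say what the crafted input looked like, only that a package-name parameter to getpkginfo ended up reading files it should not. The following is an added illustration, not cPanel's code: a hypothetical getpkginfo-style handler that keeps the "viewglobalpackages" ACL check from the advisory and adds two independent guards on the caller-supplied package name, an allow-list of characters and a canonical-path containment check, so the name can only ever select a file inside the package directory. The directory path and the file layout are assumptions for the example.

```python
import os
import re

# Assumed location of package definitions; used for illustration only,
# the advisory does not state where getpkginfo reads from.
PACKAGES_DIR = "/var/cpanel/packages"

# Allow-list: letters, digits, underscore and hyphen. No "/", "\" or ".",
# so neither absolute paths nor ".." components can be expressed at all.
PACKAGE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")


def is_safe_package_name(name) -> bool:
    """First guard: syntactic allow-list on the raw parameter."""
    return isinstance(name, str) and PACKAGE_NAME_RE.fullmatch(name) is not None


def resolve_package_path(name: str, base: str = PACKAGES_DIR) -> str:
    """Second guard: canonicalise and confirm the result stays inside base.

    Raises ValueError on any name that fails either guard.
    """
    if not is_safe_package_name(name):
        raise ValueError("invalid package name")
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, name))
    # Defence in depth: even if the allow-list were loosened later, a path
    # that resolves outside the package directory is still refused.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError("package path escapes package directory")
    return candidate


def reject_reason(acls, name):
    """Return None if the call is allowed, otherwise a short reason string."""
    if "viewglobalpackages" not in acls:
        return "missing viewglobalpackages ACL"
    try:
        resolve_package_path(name)
    except ValueError as exc:
        return str(exc)
    return None


def getpkginfo(acls, name, read_file=None) -> str:
    """Hypothetical hardened handler. acls is the set of ACLs the reseller
    holds; read_file is injected so the example runs without a cPanel host."""
    reason = reject_reason(acls, name)
    if reason is not None:
        raise PermissionError(reason)
    path = resolve_package_path(name)
    if read_file is None:
        with open(path, "r", encoding="utf-8") as fh:
            return fh.read()
    return read_file(path)


if __name__ == "__main__":
    # Constructed inputs: one legitimate package name and some bad ones.
    fake_fs = lambda p: "QUOTA=1024\nBWLIMIT=4096\n"  # stands in for the file
    print(getpkginfo({"viewglobalpackages"}, "gold", fake_fs))
    for bad in ("../../root-only-file", "/absolute/path", "gold/../other"):
        print(f"{bad!r}: {reject_reason({'viewglobalpackages'}, bad)}")
    print("no ACL:", reject_reason(set(), "gold"))
```

The allow-list alone would have blocked every traversal shape shown; the containment check is there so that a future relaxation of the pattern (for example to permit dots) cannot silently reopen the hole.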

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.40.1.7 & Greater
11.40.0.31 & Greater
11.38.2.15 & Greater
11.36.2.12 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/
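Because the fix landed as a minimum build on each of four release branches, "is this server patched?" is a per-branch comparison rather than a single version threshold. The script below is an added example, not something from the advisory: it encodes the four fixed builds listed above and classifies version strings as fixed, vulnerable, or unknown (a branch the advisory does not list, which the page says nothing about and so gets no verdict here). The host names and versions in the inventory are constructed; on a real cPanel server the version string is in /usr/local/cpanel/version.

```python
import re

# Minimum fixed build per release branch, taken from the Solution section
# ("11.40.1.7 & Greater", "11.40.0.31 & Greater", ...).
FIXED_BUILDS = {
    (11, 40, 1): 7,
    (11, 40, 0): 31,
    (11, 38, 2): 15,
    (11, 36, 2): 12,
}

VERSION_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")


def parse_version(text: str) -> tuple:
    """Extract the first a.b.c.d version from text as a tuple of ints."""
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no cPanel version found in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def fix_status(version: str):
    """True if the build is at or above the fixed build for its branch,
    False if it is on a listed branch but below it, None if the branch is
    not covered by this advisory."""
    parts = parse_version(version)
    branch, build = parts[:3], parts[3]
    minimum = FIXED_BUILDS.get(branch)
    if minimum is None:
        return None
    return build >= minimum


def triage(inventory: dict) -> dict:
    """Group hosts (name -> version string) by fix status."""
    result = {"fixed": [], "vulnerable": [], "unknown": []}
    for host, version in inventory.items():
        status = fix_status(version)
        key = "unknown" if status is None else ("fixed" if status else "vulnerable")
        result[key].append(host)
    return result


if __name__ == "__main__":
    # Constructed inventory for demonstration.
    inventory = {
        "web01": "11.40.1.7",
        "web02": "11.40.1.6",
        "web03": "11.38.2.20",
        "web04": "11.36.2.11",
        "web05": "11.34.0.9",
    }
    for status, hosts in triage(inventory).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts that come back "unknown" are not cleared; they are simply outside what this advisory states, and the safe action for them is the one the advisory gives, update to a listed build or the latest public release.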

For the PGP-signed message, see TSR-2013-0012-FullDisclosure.
