Administrator Posted December 23, 2013 Share Posted December 23, 2013 Case 84681 Summary Arbitrary file read for ACL limited reseller accounts via XML-API. Security Rating cPanel has assigned a Security Level of Important to this vulnerability. Description The WHM XML and JSON APIs allowed arbitrary files to be read through the “getpkginfo” API call. By sending a crafted input to this call, resellers with the “viewglobalpackages” ACL could read the contents of files accessible only to root. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds: 18.104.22.168 & Greater22.214.171.124 & Greater126.96.36.199 & Greater188.8.131.52 & Greater Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/ For the PGP-signed message, see TSR-2013-0012-FullDisclosure. View the full article Link to comment Share on other sites More sharing options...
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!Register a new account
Already have an account? Sign in here.Sign In Now