Jump to content

TSR 2013-0012 Full Disclosure


Recommended Posts

Case 84681


Arbitrary file read for ACL limited reseller accounts via XML-API.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.


The WHM XML and JSON APIs allowed arbitrary files to be read through the “getpkginfo” API call. By sending a crafted input to this call, resellers with the “viewglobalpackages” ACL could read the contents of files accessible only to root.


This issue was discovered by the cPanel Security Team.


This issue is resolved in the following builds: & Greater & Greater & Greater & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

For the PGP-signed message, see TSR-2013-0012-FullDisclosure.

View the full article
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...