Administrator Posted March 31, 2014 Share Posted March 31, 2014 cPanel TSR 2014-0003 Full Disclosure Case 85329 Summary Sensitive information disclosed via multiple log files. Security Rating cPanel has assigned a Security Level of Moderate to this vulnerability. Description Several log files on cPanel & WHM systems were created with default world-readable permissions. These log files include both sensitive internal data such as stack traces and less sensitive information about the existence of other accounts and domains on the system. Credits This issue was discovered by Rack911. Solution This issue is resolved in the following builds:11.42.0.2311.40.1.1311.38.2.23 Case 86337 Summary Injection of arbitrary DNS zonefile contents via cPanel DNS zone editors. Security Rating cPanel has assigned a Security Level of Important to this vulnerability. Description The cPanel interface provides restricted interfaces for modifying aspects of the DNS zones that belong to a cPanel account. A malicious cPanel account could use crafted inputs to the simple and advanced DNS zone editor interfaces to rewrite parts of the zone files that they are normally restricted from editing. With some inputs, this could disclose the contents of sensitive files on the system. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds:11.42.0.2311.40.1.1311.38.2.23 Case 86465 Summary Insufficient ACL checks in WHM Modify Account interface. Security Rating cPanel has assigned a Security Level of Moderate to this vulnerability. Description Within WHM’s “Modify Account” interface and associated xml-api commands, several settings for cPanel accounts could be altered with the “edit-account” reseller ACL rather than the more restrictive “all” ACL that is required in the dedicated interfaces for these settings. In particular, an account could be switched between the new and legacy backup systems, which should only be permissible by the root user. Credits This issue was discovered by Rack911. Solution This issue is resolved in the following builds:11.42.0.2311.40.1.1311.38.2.23 Case 87205 Summary Open redirect vulnerability in FormMail-clone. Security Rating cPanel has assigned a Security Level of Minor to this vulnerability. Description cPanel & WHM servers include a clone of the classic FormMail.pl script. This clone includes the ability to redirect the browser after successful form submission to a URL included in the browser supplied parameters. These redirects are now restricted to HTTP and HTTPS locations that are on the server. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds:11.42.0.2311.40.1.1311.38.2.23 Case 87873 Summary Multiple format string vulnerabilities in Cpanel::API::Fileman. Security Rating cPanel has assigned a Security Level of Moderate to this vulnerability. Description Error messages in Cpanel::API::Fileman were being generated using Locale::Maketext::maketext(). These errors were then added to a Cpanel::Result object using the error() method, which also performs maketext() interpolation on its inputs. With carefully crafted inputs, an authenticated attacker could utilize these format string flaws to execute arbitrary code using maketext() bracket notation. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds:11.42.0.2311.40.1.13 Case 88577 Summary Arbitrary file overwrite via trackupload parameter. Security Rating cPanel has assigned a Security Level of Important to this vulnerability. Description The trackupload functionality in cPanel & WHM’s default POST parameter and QUERY_STRING processor module allows a log file to be written and queried while a file upload is occurring. In some contexts, an authenticated attacker could make cpsrvd create the trackupload log file inside the user’s home directory while running with the effective UID of root. By combining this with a symlinked trackupload log file target, any file on the system could be overwritten. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds:11.42.0.2311.40.1.1311.38.2.23 Case 88793 Summary External XML entity injection in WHM locale upload interface. Security Rating cPanel has assigned a Security Level of Important to this vulnerability. Description The XML parser used by WHM for XLIFF and dumper-format XML locale file uploads allowed the processing of external XML entities. This would permit resellers with the ‘locale-edit’ ACL to reference arbitrary files on the system as external entities in an XLIFF translation upload and retrieve the target file by downloading the translation. All external XML entity processing in the translation system handling of XML files, is now disabled. Credits This issue was discovered by Prajith from NdimensionZ Solutions Pvt Ltd Solution This issue is resolved in the following builds:11.42.0.2311.40.1.1311.38.2.23 Case 88961 Summary Arbitrary code execution for ACL limited resellers via WHM Activate Remote Nameservers interface. Security Rating cPanel has assigned a Security Level of Important to this vulnerability. Description Resellers with the ‘clustering’ ACL could send crafted parameters with newlines to the WHM /cgi/activate_remote_nameservers.cgi script and inject unsanitized values in the DNS clustering credential storage system. These unsanitized parameters could include code injections that would run with root’s effective UID or parameters intended to disclose root’s accesshash credentials to systems under the reseller’s control. Credits This issue was discovered by Rack911. Solution This issue is resolved in the following builds:11.42.0.2311.40.1.1311.38.2.23 Case 89377 Summary Arbitrary code execution for ACL limited resellers via WHM objcache. Security Rating cPanel has assigned a Security Level of Important to this vulnerability. Description A flaw in the hostname input sanitization of WHM’s objcache functionality could be used by malicious resellers with limited ACLs to download Template Toolkit code of their choosing into the WHM objcache storage system. The malicious Template Toolkit code would subsequently execute with EUID 0 during the processing of WHM News. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds:11.42.0.2311.40.1.1311.38.2.23 Case 89733 Summary Injection of arbitrary data into cpuser configuration files via wwwacct. Security Rating cPanel has assigned a Security Level of Important to this vulnerability. Description The WHM /scripts5/wwwacct interface allowed arbitrary values to be set for the ‘owner’ parameter during new account creation by resellers with the ‘create-acct’ ACL. By supplying values with newlines, resellers could control all fields in the newly created account’s cpuser configuration file. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds:11.42.0.2311.40.1.1311.38.2.23 Case 89789 Summary Arbitrary code execution for ACL limited resellers via batch API. Security Rating cPanel has assigned a Security Level of Important to this vulnerability. Description The WHM XML-API allows for multiple commands to be combined into one call via the ‘batch’ command. Some aspects of the execution environment for one command in a batch persisted in the execution of subsequent commands. By leveraging failures of a proceeding command, a malicious authenticated reseller could execute arbitrary code as the root user in subsequent commands in the batch. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds:11.42.0.2311.40.1.1311.38.2.23 Case 90001 Summary Sensitive information disclosed via update-analysis tarballs. Security Rating cPanel has assigned a Security Level of Important to this vulnerability. Description The cPanel & WHM update-analysis system aggregates log files and system settings into a tarball that is sent to cPanel’s log processing servers. This opt-in service allows cPanel to detect trends in the errors that cPanel & WHM systems encounter. The tarballs generated by the update-analysis system are retained on the local file system, with 0644 permissions, inside a world-accessible directory and include copies of several sensitive log files. This allowed local users to view the sensitive data contained inside. Credits This issue was discovered by Rack911. Solution This issue is resolved in the following builds:11.42.0.2311.40.1.1311.38.2.23 Case 90265 Summary Open mail relay via injection of FormMail-clone parameters. Security Rating cPanel has assigned a Security Level of Important to this vulnerability. Description cPanel & WHM servers include a clone of the classic FormMail.pl script. Incorrect filtering of the ‘subject’ parameter supplied to this script allowed arbitrary mail headers to be injected into the email message. This flaw bypassed any recipient restrictions and allowed FormMail-clone to be used as an open mail relay. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds:11.42.0.2311.40.1.1311.38.2.23 Case 91741 Summary Arbitrary code execution via backup excludes. Security Rating cPanel has assigned a Security Level of Important to this vulnerability. Description Entries in a user’s cpbackup-exclude.conf file are evaluated in an unsafe manner during the nightly account backup process. By carefully crafting these entries, a malicious local account could execute arbitrary code as the root user during nightly backups under some circumstances. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds:11.42.0.2311.40.1.1311.38.2.23 Case 92449 Summary User .my.cnf files set to world readable during upcp. Security Rating cPanel has assigned a Security Level of Important to this vulnerability. Description The script ‘/scripts/fixmysqlpasswordopt’ is run one time by upcp during an upgrade from cPanel & WHM version 11.38 to version 11.40. This script was intended to convert user’s .my.cnf files to use formatting required with MySQL5.5. During the conversion, the permissions on some user’s .my.cnf files could be changed to world-readable. In combination with other common attacks, this could disclose the user’s MySQL password to other accounts on the system. Credits This issue was discovered by Curtis Wood. Solution This issue is resolved in the following builds:11.42.0.2311.40.1.13 Case 92489 Summary SSH private key disclosure during key import process. Security Rating cPanel has assigned a Security Level of Important to this vulnerability. Description When the ‘extract_public’ option is specified to the ‘importsshkey’ WHM XML-API call, the provided private key was written to a world-readable temporary file. This allowed any user on the system to read the uploaded key. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds:11.42.0.2311.40.1.1311.38.2.23 Case 94201 Summary Insufficient validation allows password reset of arbitrary users. Security Rating cPanel has assigned a Security Level of Critical to this vulnerability. Description cPanel & WHM systems contain optional functionality that allows cPanel accounts to reset their passwords from the cPanel login screen. When a user requests a password reset in this fashion, an email is sent to the user’s configured email address. The user must then navigate to a URL provided in the email to perform the password reset. A flaw in the validation of the ‘user’ parameter to the password reset interface allowed unauthenticated remote attackers to reset an account’s password and cause the reset email to be delivered to an email address of the attacker’s choosing. Credits This issue was discovered by the cPanel Security Team. Solution This issue is resolved in the following builds:11.42.0.2311.40.1.1311.38.2.23 Multiple Cases (30) Summary Multiple XSS vulnerabilities in various interfaces. Description Output filtering errors in several different interfaces allowed JavaScript inputs to be returned to the browser without proper filtering. The affected interfaces are listed below. Case: 88465Security Rating: MinorXSS Type: SelfInterface: WHMURLs: /scripts9/upload_localeAffected Releases: 11.42.0, 11.40.1, 11.38.2Reporter: Ernesto Martin Case: 88469Security Rating: MinorXSS Type: Self-storedInterface: WHMURLs: /scripts/backupconfigAffected Releases: 11.42.0, 11.40.1, 11.38.2Reporter: Ernesto Martin Case: 88473Security Rating: MinorXSS Type: SelfInterface: cPanelURLs: /fetchsystembranding, /fetchglobalbranding, /fetchyoursbrandingAffected Releases: 11.42.0, 11.40.1, 11.38.2Reporter: Ernesto Martin Case: 90213Security Rating: MinorXSS Type: SelfInterface: WHMURLs: /scripts/passwdmysqlAffected Releases: 11.42.0, 11.40.1, 11.38.2Reporter: cPanel Security Team Case: 90225Security Rating: MinorXSS Type: SelfInterface: WHMURLs: /cgi/CloudLinux.cgiAffected Releases: 11.42.0, 11.40.1, 11.38.2Reporter: cPanel Security Team Case: 90249Security Rating: MinorXSS Type: SelfInterface: WHMURLs: /cgi/live_restart_xferlog_tail.cgiAffected Releases: 11.42.0, 11.40.1, 11.38.2Reporter: cPanel Security Team Case: 90257Security Rating: MinorXSS Type: SelfInterface: WHMURLs: /scripts/dorootmailAffected Releases: 11.42.0, 11.40.1, 11.38.2Reporter: cPanel Security Team Case: 90261Security Rating: ImportantXSS Type: StoredInterface: WHMURLs: /cgi/sshcheck.cgiAffected Releases: 11.42.0, 11.40.1, 11.38.2Reporter: cPanel Security Team Case: 90289Security Rating: MinorXSS Type: SelfInterface: WHMURLs: /cgi/zoneeditor.cgiAffected Releases: 11.42.0, 11.40.1, 11.38.2Reporter: cPanel Security Team Case: 90753Security Rating: MinorXSS Type: SelfInterface: cPanelURLs: /frontend/x3/mail/delegatelist.html, /frontend/paper_lantern/mail/delegatelist.htmlAffected Releases: 11.42.0, 11.40.1Reporter: Mateusz Goik Case: 90765Security Rating: MinorXSS Type: Self-storedInterface: cPanelURLs: /frontend/x3/mime/hotlink.html, /frontend/paper_lantern/mime/hotlink.htmlAffected Releases: 11.42.0, 11.40.1, 11.38.2Reporter: Mateusz Goik Case: 90769Security Rating: MinorXSS Type: Self-storedInterface: cPanelURLs: /frontend/x3/webdav/accounts_webdav.html, /frontend/paper_lantern/webdav/accounts_webdav.htmlAffected Releases: 11.42.0, 11.40.1, 11.38.2Reporter: Mateusz Goik Case: 90781Security Rating: MinorXSS Type: Self-storedInterface: cPanelURLs: /frontend/x3/mime/redirect.html, /frontend/paper_lantern/mime/redirect.htmlAffected Releases: 11.42.0, 11.40.1, 11.38.2Reporter: Mateusz Goik Case: 90817Security Rating: MinorXSS Type: SelfInterface: cPanelURLs: /frontend/x3/filemanager/listfmfiles.json, /frontend/paper_lantern/filemanager/listfmfiles.jsonAffected Releases: 11.42.0, 11.40.1, 11.38.2Reporter: Mateusz Goik Case: 90969Security Rating: ImportantXSS Type: StoredInterface: WHMURLs: /cgi/cpaddons_report.plAffected Releases: 11.42.0, 11.40.1, 11.38.2Reporter: Rack911 Case: 91457Security Rating: MinorXSS Type: SelfInterface: cPanelURLs: /frontend/x3/test.php, /frontend/paper_lantern/test.phpAffected Releases: 11.42.0, 11.40.1, 11.38.2Reporter: cPanel Security Team Case: 91461Security Rating: MinorXSS Type: SelfInterface: cPanelURLs: /frontend/x3/cgi/doupload.htmlAffected Releases: 11.42.0, 11.40.1, 11.38.2Reporter: cPanel Security Team Case: 91633Security Rating: MinorXSS Type: SelfInterface: cPanelURLs: /fetchemailarchiveAffected Releases: 11.42.0, 11.40.1, 11.38.2Reporter: cPanel Security Team Case: 91677Security Rating: MinorXSS Type: Self-storedInterface: cPanelURLs: /frontend/x3/cpanelpro/filelist-scale.html, /frontend/paper_lantern/cpanelpro/filelist-scale.htmlAffected Releases: 11.42.0, 11.40.1, 11.38.2Reporter: cPanel Security Team Case: 91681Security Rating: MinorXSS Type: Self-storedInterface: cPanelURLs: /frontend/x3/cpanelpro/filelist-thumbs.html, /frontend/paper_lantern/cpanelpro/filelist-thumbs.htmlAffected Releases: 11.42.0, 11.40.1, 11.38.2Reporter: cPanel Security Team Case: 91717Security Rating: MinorXSS Type: SelfInterface: cPanelURLs: /frontend/paper_lantern/cpanelpro/changestatus.html, /frontend/paper_lantern/cpanelpro/editmsgs.html, /frontend/paper_lantern/cpanelpro/msgaction.html, /frontend/paper_lantern/cpanelpro/saveconf.html, /frontend/paper_lantern/mail/changestatus.html, /frontend/paper_lantern/mail/conf.html, /frontend/paper_lantern/mail/editlists.html, /frontend/paper_lantern/mail/editmsg.html, /frontend/paper_lantern/mail/manage.html, /frontend/paper_lantern/mail/queuesearch.htm, /frontend/paper_lantern/mail/resetmsg.html(acount), /frontend/paper_lantern/mail/saveconf.html, /frontend/paper_lantern/mail/showlog.html, /frontend/paper_lantern/mail/showmsg.htm, /frontend/paper_lantern/mail/showq.html, /frontend/x3/cpanelpro/changestatus.html, /frontend/x3/cpanelpro/editlists.html, /frontend/x3/cpanelpro/editmsgs.html, /frontend/x3/cpanelpro/msgaction.html, /frontend/x3/cpanelpro/saveconf.html, /frontend/x3/mail/changestatus.html, /frontend/x3/mail/conf.html, /frontend/x3/mail/editlists.html, /frontend/x3/mail/editmsg.html, /frontend/x3/mail/manage.html, /frontend/x3/mail/queuesearch.html, /frontend/x3/mail/resetmsg.html, /frontend/x3/mail/saveconf.html, /frontend/x3/mail/showlog.html, /frontend/x3/mail/showmsg.html, /frontend/x3/mail/showq.htmlAffected Releases: 11.42.0, 11.40.1, 11.38.2Reporter: cPanel Security Team Case: 91973Security Rating: MinorXSS Type: SelfInterface: cPanelURLs: /frontend/x3/cpanelpro/doscale.html, /frontend/paper_lantern/cpanelpro/doscale.htmlAffected Releases: 11.42.0, 11.40.1, 11.38.2Reporter: cPanel Security Team Case: 91977Security Rating: MinorXSS Type: SelfInterface: cPanelURLs: /frontend/x3/cpanelpro/doconvert.html, /frontend/paper_lantern/cpanelpro/doconvert.htmlAffected Releases: 11.42.0, 11.40.1, 11.38.2Reporter: cPanel Security Team Case: 91981Security Rating: MinorXSS Type: SelfInterface: cPanelURLs: /frontend/x3/cpanelpro/dothumbdir.html, /frontend/paper_lantern/cpanelpro/dothumbdir.htmlAffected Releases: 11.42.0, 11.40.1, 11.38.2Reporter: cPanel Security Team Case: 92133Security Rating: MinorXSS Type: SelfInterface: cPanelURLs: /frontend/x3/telnet/keys/dodelpkey.html, /frontend/paper_lantern/telnet/keys/dodelpkey.htmlAffected Releases: 11.42.0, 11.40.1, 11.38.2Reporter: cPanel Security Team Case: 92157Security Rating: ImportantXSS Type: StoredInterface: WHMURLs: /scripts/installfp, /scripts/uninstallfpAffected Releases: 11.42.0, 11.40.1, 11.38.2Reporter: cPanel Security Team Case: 92421Security Rating: MinorXSS Type: SelfInterface: cPanelURLs: /frontend/x3/mail/ajax_mail_settings.html, /frontend/paper_lantern/mail/ajax_mail_settings.htmlAffected Releases: 11.42.0, 11.40.1, 11.38.2Reporter: cPanel Security Team Case: 92593Security Rating: ModerateXSS Type: ReflectedInterface: cPanelURLs: /cgi-sys/entropysearch.cgiAffected Releases: 11.42.0, 11.40.1, 11.38.2Reporter: cPanel Security Team Case: 92829Security Rating: MinorXSS Type: SelfInterface: WHMURLs: /cgi-sys/defaultwebpage.cgiAffected Releases: 11.42.0, 11.40.1, 11.38.2Reporter: Shahee Mirza Case: 93089Security Rating: MinorXSS Type: SelfInterface: cPanelURLs: /frontend/x3/mime/delredirectconfirm.htmlAffected Releases: 11.42.0, 11.40.1, 11.38.2Reporter: cPanel Security Team cPanel includes a comprehensive protection mechanism against XSS and XSRF attacks called Security Tokens. Security Tokens protection is enabled by default in all installs of cPanel & WHM. When Security Tokens protection is enabled, an attacker intending to utilize any self-XSS vulnerabilities must convince the victim to navigate their browser to the appropriate cPanel or WHM interface and manually input the JavaScript payload. Credits These issues were discovered by the respective reporters listed above. Solution These issues are resolved in the following builds: 11.42.0.2311.40.1.1311.38.2.23 For the PGP signed message, please go to: http://cpanel.net/wp-content/uploads/2014/03/TSR-2014-0003-Full-Disclosure1.txt View the full article Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now