Situation
When using File Manager while logged in as a cPanel user, you find that you are able to view Symlinks to files that would not be viewable normally via SSH based access. When attempting to view these same Symlinks via SSH it is unsuccessful.
We have opened an internal case with our developers with case ID CPANEL-47220 to review this behavior further.
Note: This has been resolved with the following patched versions in the table below. Please see the latest changelogs for version information of each cPanel branch:
https://docs.cpanel.net/changelogs/
Affected Product Versions
| Product | Affected Versions | Patched Versions |
|---|---|---|
| cPanel/WHM | 110, 126, 134, 136 | v11.110.0.134 and greater v11.126.0.77 and greater v11.134.0.44 and greater v11.136.0.28 and greater |
Impact
This could allow users to follow symlinks and access information that they would not normally have access to. Including access to other user's home directories depending on file permissions.
Call to Action
- Update to the latest versions for your server; this can be achieved using the update script.
# /scripts/upcp --security
2. Once completed, verify the cPanel version with the following to ensure the update was successful.
# /usr/local/cpanel/cpanel -V
Mitigation
If you are unable to update, the following steps need to be taken to mitigate the behavior:
Disabling File Manager access for cPanel users would be required to prevent this behavior.
To disable this feature from within WHM,
- Navigate to Packages > Feature Manager > Feature Lists.
- In the dropdown for "Manage Feature list" find "disabled" and select "edit"
- Select "File Manager" in the provided interface.
- Save the list in the bottom of the page by selecting the blue Save button.
To disable this from command line, run the utility below:
# whmapi1 update_featurelist featurelist=disabled filemanager=0
Comments
0 comments
Article is closed for comments.