TSR 2014-0001 Full Disclosure
The following disclosure covers the Targeted Security Release 2014-0001.
Each vulnerability is assigned an internal case number which is reflected below. Information regarding the cPanel Security Level rankings can be found here:
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.42.0.4
11.40.1.10
11.38.2.16
_______________________________
Case: 87437
Summary
ACL limited resellers allowed to disable digest authentication for arbitrary accounts.
Security Rating
cPanel has assigned a Security Level of Minor to this vulnerability.
Description
Due to a lack of ACL enforcement, an ACL limited reseller could disable digest authentication for any account on the system using WHM's XML-API. The ACL protections for this functionality have been updated to require that ACL limited resellers own any accounts they modify in this fashion.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.42.0.4
11.40.1.10
11.38.2.16
_______________________________
Case: 87625
Summary
ACL limited resellers allowed to restore backups for the accounts they control.
Security Rating
cPanel has assigned a Security Level of Minor to this vulnerability.
Description
The WHM XML-API allowed all resellers to restore backups for any accounts they own. The equivalent functionality in WHM's HTML interfaces restricted the ability to restore accounts from backups to resellers with the "all" ACL.
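Cases 87437 and 87625 both come down to one interface enforcing a rule that another did not. The following added example (not cPanel code; the operation names, ACL names and data are hypothetical) routes every front end through a single authorization function that checks both the required ACL and account ownership:

```python
from dataclasses import dataclass, field

# Hypothetical model for illustration; none of these names are cPanel's own.
@dataclass
class Reseller:
    name: str
    acls: set = field(default_factory=set)   # {"all"} or a limited set

# Operation -> ACL a limited reseller must hold; None means ownership alone suffices.
REQUIRED_ACL = {
    "disable_digest_auth": None,   # case 87437: allowed, but only on owned accounts
    "restore_backup": "all",       # case 87625: reserved for the "all" ACL
}

def authorize(reseller, operation, account, owners):
    """Single decision point; owners maps account name -> owning reseller."""
    if operation not in REQUIRED_ACL or account not in owners:
        return False                          # default deny
    if "all" in reseller.acls:
        return True                           # unrestricted reseller
    required = REQUIRED_ACL[operation]
    if required is not None and required not in reseller.acls:
        return False                          # missing the ACL for this operation
    return owners[account] == reseller.name   # limited resellers: own accounts only

def handle(interface, reseller, operation, account, owners):
    """Every front end ("xml-api", "html") funnels through authorize()."""
    if not authorize(reseller, operation, account, owners):
        return f"{interface}: denied"
    return f"{interface}: {operation} on {account} permitted"

# Constructed sample data.
OWNERS = {"alice": "res1", "bob": "res2"}
LIMITED = Reseller("res1", {"example-acl"})
FULL = Reseller("root", {"all"})
```

Because the API and HTML handlers share the same decision function, they cannot drift apart the way the two cases describe.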
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.42.0.4
11.40.1.10
11.38.2.16
_______________________________
Case: 88061
Summary
Mis-assignment of IP addresses for ACL limited resellers via createacct.
Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.
Description
With certain combinations of IP delegations and free IP address space, reseller accounts with the 'add-pkg-ip' ACL could install new accounts onto IP addresses delegated to another reseller. This might allow a malicious reseller account to capture web traffic intended for other accounts on the system.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.42.0.4
11.40.1.10
11.38.2.16
_______________________________
Case: 88341
Summary
Arbitrary code execution for ACL limited resellers during account creation.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
A flaw in the new account creation process resulted in the Ruby 'gem' command running with the effective UID of the newly created user and the real UID of root. A malicious reseller account could leverage this flaw to execute arbitrary Ruby code with root's UID during the account creation process.
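The condition described above (effective UID dropped, real UID still root) can be audited from a Linux /proc/<pid>/status file. The following added example is not cPanel code: the sample status text is constructed and the function names are hypothetical. It flags leftover IDs and shows a drop that sets real, effective and saved IDs together:

```python
import os

NAMES = ("real", "effective", "saved", "filesystem")

def parse_ids(status_text, key="Uid"):
    """Return (real, effective, saved, fs) from a /proc/<pid>/status body."""
    for line in status_text.splitlines():
        if line.startswith(key + ":"):
            return tuple(int(x) for x in line.split()[1:5])
    raise ValueError(f"no {key} line found")

def leftover_ids(status_text, uid, gid):
    """List every UID/GID slot that does not match the intended user."""
    findings = []
    for key, want in (("Uid", uid), ("Gid", gid)):
        for name, got in zip(NAMES, parse_ids(status_text, key)):
            if got != want:
                findings.append(f"{key} {name}={got}, expected {want}")
    return findings

def drop_privileges(uid, gid):
    """Permanent drop for a root parent before exec'ing a user-controlled tool.

    A process may always set its effective UID back to its real UID, so a
    real UID of 0 leaves root within reach of whatever code runs next.
    """
    os.setgroups([gid])             # supplementary groups first
    os.setresgid(gid, gid, gid)     # group before user, while still root
    os.setresuid(uid, uid, uid)     # real, effective and saved in one call
    if os.getresuid() != (uid, uid, uid) or os.getresgid() != (gid, gid, gid):
        raise RuntimeError("privilege drop incomplete")

# Constructed samples: the flawed state from the advisory and a complete drop.
FLAWED = "Name:\tgem\nUid:\t0\t1001\t1001\t1001\nGid:\t1001\t1001\t1001\t1001\n"
FIXED = "Name:\tgem\nUid:\t1001\t1001\t1001\t1001\nGid:\t1001\t1001\t1001\t1001\n"
```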
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.42.0.4
11.40.1.10
11.38.2.16
_______________________________
Multiple Cases (55)
Summary
Multiple XSS vulnerabilities in various interfaces.
Description
Output filtering errors in several different interfaces allowed JavaScript inputs to be returned to the browser without proper filtering. The affected interfaces are listed below.
Case: 84633
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/htaccess/deluser.html, /frontend/x3/indexmanager/changepro.html, /frontend/x3/indexmanager/dohtaccess.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 84877
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /scripts3/initial_setup_wizard4
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Christy Philip Mathew
Case: 84881
Security Rating: Moderate
XSS Type: Stored
Interface: cPanel
URLs: /frontend/x3/mail/def.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Christy Philip Mathew
Case: 84885
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /x3/mail/filters/editfilter.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Christy Philip Mathew
Case: 84893
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/mail/conf.html, /frontend/x3/mail/saveconf.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Christy Philip Mathew
Case: 84897
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/stats/detailsubbw.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Christy Philip Mathew
Case: 84901
Security Rating: Moderate
XSS Type: Stored
Interface: cPanel
URLs: /frontend/x3/cpanelpro/filelist-thumbs.html, /frontend/paper_lantern/cpanelpro/filelist-thumbs.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Christy Philip Mathew
Case: 85029
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/mail/csvimport.html, /frontend/x3/mail/csvimport-step2.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Shubham Mittal
Case: 85133
Security Rating: Moderate
XSS Type: Stored
Interface: cPanel
URLs: /frontend/x3/filemanager/editit.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Shubham Mittal
Case: 85177
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/cgi/Clock/docode.html, /frontend/x3/cgi/Countdown/docode.htm, /frontend/x3/cgi/Counter/docode.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Paweł Hałdrzyński
Case: 85229
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/psql/deldb.html, /frontend/x3/psql/deldb.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 85249
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/psql/addusertodb.html, /frontend/x3/psql/addusertodb.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 85273
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/mime/addhotlink.html
Affected Releases: 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 85457
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/mail/editmsgs.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Ankit Mittal
Case: 85461
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/mail/showq.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Ankit Mittal
Case: 85589
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /scripts2/dotweaksettings
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Ernesto Martin
Case: 85977
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /scripts/addpkg2
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Olivier Beg
Case: 85985
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /scripts2/edit_sourceipcheck, /x3/security/security-questions.html, /paper_lantern/security/security-questions.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Olivier Beg
Case: 86329
Security Rating: Important
XSS Type: Stored
Interface: WHM
URLs: /scripts/doeditmx
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 87081
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/mime/add_redirect.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: SimranJeet Singh
Case: 87417
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/err/erredit.html, /frontend/x3/filemanager/editit.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: SimranJeet Singh
Case: 87457
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /cgi/cpaddons_feature.pl
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88093
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/backup/fullbackup.html, /frontend/x3/backup/wizard-fullbackup.html, /frontend/paper_lantern/backup/fullbackup.html, /frontend/paper_lantern/backup/wizard-fullbackup.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88097
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/backup/doupload.html, /frontend/paper_lantern/backup/doupload.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88129
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/backup/dosqlupload.html, /frontend/paper_lantern/backup/dosqlupload.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88133
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/backup/doafupload.html, /frontend/paper_lantern/backup/doafupload.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88137
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/backup/wizard-dofullbackup.html, /frontend/x3/backup/dofullbackup.html, /frontend/paper_lantern/backup/wizard-dofullbackup.html, /frontend/paper_lantern/backup/dofullbackup.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88141
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/denyip/add.html, /frontend/x3/denyip/add.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88145
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/denyip/del.html, /frontend/x3/denyip/del.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88149
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/denyip/index.html, /frontend/x3/denyip/index.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88153
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/cpanelpro/filelist-convert.html, /frontend/paper_lantern/cpanelpro/filelist-scale.html, /frontend/paper_lantern/cpanelpro/filelist-thumbs.html, /frontend/x3/cpanelpro/filelist-convert.html, /frontend/x3/cpanelpro/filelist-scale.html, /frontend/x3/cpanelpro/filelist-thumbs.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88157
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/files/savefile.html, /frontend/paper_lantern/files/savefile.html, /frontend/x3/files/savefile.html, /frontend/x3/files/savefile.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88165
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/files/extractfile.html, /frontend/paper_lantern/files/extractfile.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88173
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/files/showfile.html, /frontend/x3/files/showfile.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88181
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/fp/addfp.html, /frontend/paper_lantern/fp/delfp.html, /frontend/x3/fp/addfp.html, /frontend/x3/fp/delfp.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88209
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/htaccess/leechprotect/dohtaccess.html, /frontend/paper_lantern/htaccess/leechprotect/doleech.html, /frontend/x3/htaccess/leechprotect/dohtaccess.html, /frontend/x3/htaccess/leechprotect/doleech.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88213
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/net/dnslook.html, /frontend/x3/net/dnslook.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88229
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/park/dodelparked.html, /frontend/x3/park/dodelparked.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88253
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/psql/deluserfromdb.html, /frontend/x3/psql/deluserfromdb.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88257
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/stats/analog.html, /frontend/x3/stats/analog.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88261
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/addon/saveredirect.html, /frontend/x3/addon/saveredirect.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88265
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/subdomain/doadddomain.html, /frontend/x3/subdomain/doadddomain.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88269
Security Rating: Moderate
XSS Type: Stored
Interface: cPanel
URLs: /frontend/x3/addoncgi/cpaddons.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88277
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/sql/PhpMyAdmin.html, /frontend/paper_lantern/backup/index.html, /frontend/x3/sql/PhpMyAdmin.html, /frontend/x3/backup/index.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88281
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/mail/queuesearch.html, /frontend/x3/mail/queuesearch.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88285
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/cpanelpro/changestatus.html, /frontend/x3/cpanelpro/changestatus.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88289
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/mail/editmsg.html, /frontend/x3/mail/editmsg.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88293
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/cpanelpro/editmsgs.html, /frontend/x3/cpanelpro/editmsgs.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88297
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/cpanelpro/msgaction.html, /frontend/x3/cpanelpro/msgaction.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88301
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/mail/resetmsg.html, /frontend/x3/mail/resetmsg.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88305
Security Rating: Moderate
XSS Type: Stored
Interface: cPanel
URLs: /frontend/paper_lantern/mail/conf.html, /frontend/x3/mail/conf.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88309
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/mail/showlog.html, /frontend/x3/mail/showlog.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88313
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/mail/showmsg.html, /frontend/x3/mail/showmsg.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88321
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/cpanelpro/editlists.html, /frontend/x3/cpanelpro/editlists.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88325
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/mail/conf.html, /frontend/x3/mail/conf.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
cPanel includes a comprehensive protection mechanism against XSS and XSRF attacks called Security Tokens. Security Tokens protection is enabled by default in all installs of cPanel & WHM. When Security Tokens protection is enabled, an attacker intending to utilize any self-XSS vulnerabilities must convince the victim to navigate their browser to the appropriate cPanel or WHM interface and manually input the JavaScript payload.
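The following added example (not cPanel's implementation) shows why a per-session token turns a reflected issue into a self-XSS: a request that does not carry the session's token never reaches the page handler. Placing the token as the first URL path segment, the token format and the function names are assumptions of this sketch.

```python
import hmac
import secrets

SESSIONS = {}  # session id -> token issued at login (in-memory, for the example)

def new_session(session_id):
    """Issue an unpredictable token bound to this login session."""
    token = "tok" + secrets.token_hex(8)
    SESSIONS[session_id] = token
    return token

def route(session_id, path):
    """Return (status, inner_path); inner_path is None unless the token matched."""
    expected = SESSIONS.get(session_id)
    if expected is None:
        return 401, None                      # not logged in
    first, _, rest = path.lstrip("/").partition("/")
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(first.encode(), expected.encode()):
        return 403, None                      # link built without the token
    return 200, "/" + rest                    # only now is the page dispatched
```

A link prepared by a third party cannot contain the victim's token, so it is rejected before any vulnerable template renders.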
Credits
These issues were discovered by the respective reporters listed above.
Solution
These issues are resolved in the following builds:
11.42.0.4
11.40.1.10
11.38.2.16
Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at