cPanel TSR-2017-0001 Full Disclosure
cPanel TSR-2017-0001 Full Disclosure
SEC-196
Summary
Fixed password used for Munin MySQL test account.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.0 [plain](AV:N/AC:L/Au:S/C:P/I:N/A:N)[/plain]
Description
The Munin monitoring tool includes a plugin to check the status of the MySQL service. This plugin used a dedicated test MySQL user to provide this functionality. The password set for this user was identical to the username. In cPanel's current configuration of Munin, this MySQL user is no longer required and has been removed.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36
SEC-197
Summary
Self-XSS in paper_lantern password change screen.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 [plain](AV:N/AC:H/Au:S/C:N/I:P/A:N)[/plain]
Description
Certain form variables on the password change screen could be interpreted as javascript markup. This allowed an attacker to inject a malicious payload into the page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36
SEC-198
Summary
Reflected XSS in reset password interfaces.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.3 [plain](AV:N/AC:M/Au:N/C:N/I:P/A:N)[/plain]
Description
The user form variable on the password change screen could be interpreted as javascript markup. This allowed an attacker to inject a malicious payload into the page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
SEC-199
Summary
Self-XSS in webmail Password and Security page.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 [plain](AV:N/AC:H/Au:S/C:N/I:P/A:N)[/plain]
Description
Certain form variables on the webmail password and security page could be interpreted as javascript markup. This allowed an attacker to inject a malicious payload into the page.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36
SEC-201
Summary
Arbitrary file read via Exim valiases.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 6.8 [plain](AV:N/AC:L/Au:S/C:C/I:N/A:N)[/plain]
Description
When processing the valiases for a user, Exim was running as the root user. By creating a valias that included other files, an attacker was able to read arbitrary files as the root user.
Credits
This issue was discovered by RACK911Labs.com.
Solution
This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
SEC-204
Summary
Exim piped filters ran as wrong user when delivering to a system user.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 6.5 [plain](AV:N/AC:L/Au:S/C:P/I:P/A:P)[/plain]
Description
Piped commands executed by the central_user_filter were run as the nobody user. Now the filters are run as the system user's UID.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36
SEC-205
Summary
Leech Protect did not protect certain directories.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.3 [plain](AV:N/AC:M/Au:N/C:P/I:N/A:N)[/plain]
Description
The Leech Protect system allows admins to detect unusual amounts of activity on password protected directories. This system was not functioning on directories with a two character name.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36
SEC-206
Summary
Exim transports could be run as the nobody user.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.0 [plain](AV:N/AC:L/Au:S/C:P/I:N/A:N)[/plain]
Description
It was possible to run exim transports as the nobody user if the receiving email domain was removed during delivery. Transports will now run as the proper user even if the domain no longer exists.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36
SEC-207
Summary
Improper ACL checks in xml-api for Rearrange Account.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 [plain](AV:N/AC:H/Au:S/C:P/I:N/A:N)[/plain]
Description
Using the 'fetch_transfer_session_log' API, it was possible to fetch transfer information created by other resellers. This could reveal potentially sensitive information to an attacker.
Credits
This issue was discovered by RACK911Labs.com.
Solution
This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36
SEC-209
Summary
SSL certificate generation in WHM used an unreserved email address.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 [plain](AV:N/AC:H/Au:S/C:P/I:N/A:N)[/plain]
Description
In WHM, if you generate a certificate using the "Generate an SSL Certificate and Signing Request" interface and select "When complete, email me the certificate, key, and CSR", it used "admin@" as the from address. The account name "admin" is not reserved in cPanel & WHM, so if this account was created, it would intercept any replies or bounces.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36
SEC-210
Summary
Account ownership not enforced by has_mycnf_for_cpuser WHM API call.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 [plain](AV:N/AC:H/Au:S/C:P/I:N/A:N)[/plain]
Description
The has_mycnf_for_cpuser WHM API call did not verify the caller's ownership of the specified account. This could allow for a limited amount of information about the user's MySQL configuration to be leaked.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36
SEC-211
Summary
Stored XSS Vulnerability in WHM Account Suspension List interface.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.5 [plain](AV:N/AC:M/Au:S/C:N/I:P/A:N)[/plain]
Description
When viewing the WHM Account Suspension List with the 'nohtml' flag enabled, the response to the browser was sent with the 'Content-type' header set to 'test/html'. This caused text to be misinterpreted as html markup.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36
SEC-212
Summary
Format string injection vulnerability in cgiemail.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 6.8 [plain](AV:N/AC:M/Au:N/C:P/I:P/A:P)[/plain]
Description
The ability to supply arbitrary format strings to cgiemail and cgiecho allowed code execution whenever a user was able to provide a cgiemail template file. Format strings in cgiemail templates are now restricted to simple %s, %U and %H sequences.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
60.0.35
58.0.43
56.0.43
54.0.36
SEC-213
Summary
WHM 'enqueue_transfer_item' API allowed resellers to queue non rearrange modules.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 [plain](AV:N/AC:H/Au:S/C:N/I:N/A:P)[/plain]
Description
The 'enqueue_transfer_item' API allowed resellers with the 'rearrange-accts' ACL to add items from arbitrary Whostmgr::Transfers::Session modules. This could have potentially allowed for a reseller with the 'rearrange-accts' ACL to initiate a remote transfer or perform other restricted operations.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
SEC-214
Summary
Open redirect vulnerability in cgiemail.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 5.8 [plain](AV:N/AC:M/Au:N/C:P/I:P/A:N)[/plain]
Description
The cgiemail and cgiecho binaries served as an open redirect due to their handling of the "success" and "failure" parameters. These redirects are now limited to the domain that handled the request.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
60.0.35
58.0.43
56.0.43
54.0.36
SEC-215
Summary
HTTP header injection vulnerability in cgiemail.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.3 [plain](AV:N/AC:M/Au:N/C:N/I:P/A:N)[/plain]
Description
Case SEC-215: The handling of redirects in cgiemail and cgiecho did not protect against the injection of additional HTTP headers. Newline characters are now stripped from the redirect location to protect against this.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
60.0.35
58.0.43
56.0.43
54.0.36
SEC-216
Summary
Reflected XSS vulnerability in cgiemail addendum handling.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.3 [plain](AV:N/AC:M/Au:N/C:N/I:P/A:N)[/plain]
Description
The "addendum" parameter was reflected without any escaping in success and error messages produced by cgiemail and cgiecho. This output is now html escaped.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
60.0.35
58.0.43
56.0.43
54.0.36
For the PGP-Signed version of this announcement please see:
Please sign in to leave a comment.
Comments
0 comments