An HTTP response splitting vulnerability was discovered in versions of cPanel prior to 11.25.0 Build 42174. This vulnerability has been addressed and corrected. An open redirection vulnerability was also discovered in 11.25.0 builds prior to 43786, which has also been corrected.
This update has been rated as having a moderate security impact by the cPanel Security team.
The HTTP response splitting vulnerability was discovered in the use of the ‘failurl’ parameter of the cPanel login page. No validation was performed on the contents of this parameter. This could allow a malicious user to control the HTTP response header and subsequently perform an attack involving HTTP header injection, such as manipulation of cookies or XSS.
Further, no control was given to system administrators over the content of the ‘failurl’ parameter, allowing a user to use a vulnerable cPanel server as an Open Redirection server.
The HTTP Response Splitting vulnerabilities were addressed in versions 11.25.0 builds 42174 and above and the Open Redirection vulnerability was addressed in versions 11.25.0 builds 43786 and above.
The ‘failurl’ parameter is not used in the default cPanel UI. Custom login pages and forms used by third parties do make use of this parameter. Beginning in cPanel 11.25.0 Build 43786, only ‘failurl’ values whitelisted by the system administrator will be processed by cPanel.
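For authors of custom login pages that handle a ‘failurl’-style redirect themselves, the two checks described above can be combined as in the following added example. It is not cPanel's code; the function names, the allowlist format and the hostnames are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical administrator-managed allowlist of (scheme, host[:port]) pairs.
ALLOWED_FAILURL_ORIGINS = {("https", "login.example.com")}


def is_safe_failurl(value, allowed=ALLOWED_FAILURL_ORIGINS):
    """Check a decoded failurl-style value before it goes into a Location header."""
    if not isinstance(value, str) or not value:
        return False
    # Response splitting: allow only printable ASCII with no space. This
    # rejects CR, LF, NUL and other control bytes; backslash is refused
    # because some browsers treat it as "/".
    if any(not (0x21 <= ord(c) <= 0x7E) or c == "\\" for c in value):
        return False
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    # Open redirect: the full authority must match an allowlist entry exactly,
    # so userinfo forms ("allowed-host@other-host") and scheme-relative
    # "//host" values fail.
    return (parts.scheme, parts.netloc.lower()) in allowed


def failure_location(failurl, default="/"):
    """Return the redirect target to emit, falling back to a fixed local path."""
    return failurl if is_safe_failurl(failurl) else default


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    for sample in (
        "https://login.example.com/failed?reason=1",
        "https://login.example.com/x\r\nSet-Cookie: a=b",
        "https://other.example/",
        "//other.example/",
        "https://login.example.com@other.example/",
    ):
        print(repr(sample), "->", failure_location(sample))
```

The check must run on the value exactly as it will be written to the header, that is, after any URL decoding the application performs.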
Originally reported by Moshe Ben Abu (Trancer) of Recognize-Security.