cPanel Security Bounty Program

Official cPanel Security Bounty Program

In order to show its appreciation for security researchers who follow responsible disclosure principles, cPanel, Inc. is offering a monetary reward program for researchers who provide assistance with identifying and correcting certain Qualifying Vulnerabilities within the scope of this program.


Posted in News, Security

11.40 Now in STABLE Tier

12/3/2013
Houston, TX -

cPanel, Inc. is thrilled to release cPanel & WHM software version 11.40, which is now available in the STABLE tier.

cPanel & WHM version 11.40 offers support for IPv6 and 1:1 NAT, an API Shell, and more.

IPv6 Support
cPanel & WHM is now IPv6-enabled with dual-stack support, allowing customers to add IPv6 or IPv4 to any account. This feature prepares our customers for future demand.

1:1 NAT Support
cPanel & WHM version 11.40 provides 1:1 NAT, giving customers the ability to support a broader range of hosting environments.

API Shell
In 11.40, cPanel & WHM includes an API Shell, enabling customers to run and troubleshoot API calls interactively through the cPanel & WHM user interfaces. This feature helps our customers better understand API calls.

Detailed information on all cPanel & WHM version 11.40 features can be found at http://docs.cpanel.net. An overview of the latest features and benefits is also available at http://releases.cpanel.net.

To ensure that you receive up-to-date product news from cPanel, we encourage you to subscribe to the “Security Advisories and Product Release Announcements” mailing list here: http://cpanel.net/mailing-lists.

Posted in News, Press Releases, Release Announcements

GoDaddy Offers cPanel & CloudLinux In Web Hosting Overhaul

SCOTTSDALE, Ariz. (Nov. 20, 2013) – GoDaddy, the world’s largest Web hosting provider, has revamped its Linux Web hosting lineup, with the addition of cPanel & WHM, the popular Web hosting management software. In addition, customers are also benefitting from a new Web hosting architecture that provides a fast and reliable experience and new Web hosting plans, which enable customers to find a solution that meets their specific needs.

“After studying the market and our customer needs, we went to work with cPanel and CloudLinux to create an optimized solution that provides a market-leading customer experience,” said GoDaddy Product Manager Web Hosting Ben Gabler. “GoDaddy is focused on bringing the best and most reliable services to our customers around the world.”

cPanel enables users to quickly and easily manage a number of potentially-complicated items on a Web hosting account, including managing MySQL databases, adding domain names, installing applications, tracking stats and setting up Cron jobs. For example, using automated installs powered by Installatron, customers can have a full-blown WordPress website in a matter of minutes, without coding or walking through a potentially complicated install process.

“When GoDaddy talked to us about adding cPanel to their main Linux Web hosting line, we admired their passion for helping customers and couldn’t wait to get started,” said cPanel Vice President of Operations Aaron Phillips. “The new team at GoDaddy is hyper focused on figuring out how to create the best possible customer experience, whether it’s for a Web pro or a small business owner. GoDaddy is willing to do whatever it takes to get this right, and we share their excitement to help grow the small business market.”

GoDaddy Linux Web hosting runs on CloudLinux and offers the flexibility and ease-of-use customers expect. Additionally, the Web hosting architecture has increased the usage of CPU and RAM in a low densification environment – giving users additional resources that cause pages to load faster and more consistently.

“GoDaddy’s scale for Linux Web hosting is unmatched in the industry and they have innovated based on customer needs to increase their speed and reliability,” said CloudLinux CEO Igor Seletskiy.

“GoDaddy is going global, in the coming months, we are providing hosting across 60 countries in 30 different languages,” said GoDaddy Senior Vice President and General Manager Hosting Jeff King. “cPanel is helping provide a universal experience while CloudLinux is providing a solid foundation. This isn’t the finish line … we’re just getting started.”

GoDaddy now serves more than 12 million paying customers worldwide and is the largest Web hosting and domain name registrar on the planet. GoDaddy leverages its award-winning talent and personalized approach to help small business owners create their digital identity, build websites and grow online.

To learn more about GoDaddy Web hosting with Linux visit, http://www.GoDaddy.com/Hosting.

To find out how GoDaddy can help grow your small business online, visit: www.GoDaddy.com.

Connect with GoDaddy on Facebook & Twitter.

Read why our customers recommend GoDaddy.

Contact
Nick Fuller, PR Director
480.505.8800 x4435
PR@GoDaddy.com or Google+

Posted in News, Press Releases

11.36 EOL, 3 Month Notice

cPanel & WHM software version 11.36 will reach End of Life in January 2014.

In accordance with our EOL policy [http://docs.cpanel.net/twiki/bin/view/AllDocumentation/InstallationGuide/LongTermSupport], 11.36 will continue functioning on servers after reaching EOL. However, no further updates, such as security fixes and installations, will be provided for 11.36 once it reaches its EOL date.

We recommend that all customers start planning to migrate any existing installations of cPanel & WHM version 11.36 to a newer version (either 11.38 or 11.40).

If your server setup complicates the process of migrating to a newer version of cPanel & WHM (for example, an out-of-date operating system), then cPanel is here to help. Simply open a support ticket at https://tickets.cpanel.net/submit so that our knowledgeable support team can provide recommendations, migration assistance, and more.

About cPanel, Inc.
Since 1997, cPanel, Inc. has been a leading innovator and developer of control panel software for the web hosting industry. cPanel builds software that allows web host professionals to transform standalone servers into fully automated, point-and-click web hosting platforms. cPanel-licensed software allows server and website owners, along with resellers and developers, to optimize their technical resources and replace tedious shell-oriented tasks with dynamic, intuitive web-based interfaces. For more information, visit http://cpanel.net.

For the PGP-signed message, see 11.36 90 day-signed.

Posted in News, Release Announcements

11.40 Now in RELEASE Tier

11/5/2013
Houston, TX -

cPanel, Inc. is thrilled to release cPanel & WHM software version 11.40, which is now available in the RELEASE tier.

cPanel & WHM version 11.40 offers support for IPv6 and 1:1 NAT, an API Shell, and more.

IPv6 Support
cPanel & WHM is now IPv6-enabled with dual-stack support, allowing customers to add IPv6 or IPv4 to any account. This feature prepares our customers for future demand.

1:1 NAT Support
cPanel & WHM version 11.40 provides 1:1 NAT, giving customers the ability to support a broader range of hosting environments.

API Shell
In 11.40, cPanel & WHM includes an API Shell, enabling customers to run and troubleshoot API calls interactively through the cPanel & WHM user interfaces. This feature helps our customers better understand API calls.

Detailed information on all cPanel & WHM version 11.40 features can be found at http://docs.cpanel.net. An overview of the latest features and benefits is also available at http://releases.cpanel.net.

To ensure that you receive up-to-date product news from cPanel, we encourage you to subscribe to the “Security Advisories and Product Release Announcements” mailing list here: http://cpanel.net/mailing-lists.

Posted in News, Press Releases, Release Announcements

11.34 EOL Notice

This notification announces the End of Life for cPanel & WHM version 11.34.

The 12-month lifetime of cPanel & WHM version 11.34 ends now. The last release of cPanel & WHM 11.34, being 11.34.2.8, will remain on our mirrors indefinitely. You may continue using this last release, but we will not release any further updates for version 11.34 going forward. Older releases of cPanel & WHM 11.34 will be removed from our mirrors.

cPanel strongly recommends that you migrate any existing installations of cPanel & WHM version 11.34 to a newer version (either 11.38 or 11.40).

If your server setup complicates the process of migrating to a newer version of cPanel & WHM (for example, an out-of-date operating system), then cPanel is here to help. Simply open a support ticket at https://tickets.cpanel.net/submit so that our knowledgeable support team can provide recommendations, migration assistance, and more.

For detailed information regarding Long Term Support, visit: http://docs.cpanel.net/twiki/bin/view/AllDocumentation/InstallationGuide/LongTermSupport.

About cPanel, Inc.
Since 1997, cPanel, Inc. has been a leading innovator and developer of control panel software for the web hosting industry. cPanel builds software that allows web host professionals to transform standalone servers into fully automated, point-and-click web hosting platforms. cPanel-licensed software allows server and website owners, along with resellers and developers, to optimize their technical resources and replace tedious shell-oriented tasks with dynamic, intuitive web-based interfaces. For more information, visit http://cpanel.net.

For the PGP-signed message, see 2013-11.34-EOL-Final-signed.

Posted in News, Release Announcements

TSR 2013-0010 Full Disclosure

Case 69513

Summary

World writable Logaholic directories allowed arbitrary code execution in varied contexts.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

Multiple directories within /usr/local/cpanel/base/3rdparty/Logaholic were set world writable by default with permissions of 777. These directories contained, among other items, the global configuration files for the Logaholic log processing system. A local attacker could overwrite the global config file to bypass account restrictions, such as jailshell, or conduct privilege escalation attacks.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
* 11.40.0.12 & Greater
* 11.38.2.11 & Greater
* 11.36.2.8 & Greater
* 11.34.2.7 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

Case 74889

Summary

Security tokens were disclosed via links in WHM’s Manage SSL Hosts interface.

Security Rating

cPanel has assigned a Security Level of Minor to this vulnerability.

Description

cPanel & WHM includes cross-site request forgery tokens in all authenticated URLs. cPanel recommends that all users connect only through https to prevent the tokens from leaking to external sites via the browser’s referrer headers. It was discovered that some external links in the “Manage SSL Hosts” interface leaked the security token even when connected via https. This problem has been addressed by bouncing the browser through a URL with no token to cleanse the referrer.
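How a token-free bounce keeps the session token out of outbound referrers, as an added example that is not cPanel's code: it assumes the token is carried as a leading path segment written /cpsess<digits>/, a hypothetical same-host /bounce endpoint, and a constructed allow-list of external hosts so that the bounce page cannot itself be used as an open redirect. The bounce page uses a meta refresh rather than an HTTP 302, because browsers carry the original page's referrer across HTTP redirects.

```python
import html
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Assumption: the authenticated session token is the first path segment,
# written here as /cpsess<digits>/ (the exact spelling is not given on the page).
TOKEN_SEGMENT = re.compile(r"^/cpsess\d+(?=/|$)")

# Assumption: the only external destinations the bounce endpoint may send a browser to.
# The allow-list keeps the token-free bounce page from becoming an open redirect.
ALLOWED_EXTERNAL_HOSTS = {"www.example.com", "docs.example.com"}

# Hypothetical token-free path on the same host that serves the bounce page.
BOUNCE_PATH = "/bounce"


def has_session_token(url: str) -> bool:
    """True when the URL path starts with a session-token segment."""
    return TOKEN_SEGMENT.search(urlsplit(url).path) is not None


def strip_session_token(url: str) -> str:
    """Return the same URL with the token segment removed."""
    parts = urlsplit(url)
    clean_path = TOKEN_SEGMENT.sub("", parts.path, count=1) or "/"
    return urlunsplit(parts._replace(path=clean_path))


def is_external(link: str, page_host: str) -> bool:
    """A link is external when it names a host other than the page's own host."""
    host = urlsplit(link).hostname
    return host is not None and host.lower() != page_host.lower()


def bounce_url(target: str) -> str:
    """Token-free same-host URL that carries the browser on to `target`."""
    return BOUNCE_PATH + "?" + urlencode({"to": target})


def rewrite_links(page_url: str, links):
    """Rewrite every external link on a token-bearing page through the bounce endpoint.

    Same-host links keep the token: they need it, and a same-origin referrer never
    leaves the server. Pages without a token are returned unchanged.
    """
    if not has_session_token(page_url):
        return list(links)
    page_host = urlsplit(page_url).hostname or ""
    return [bounce_url(link) if is_external(link, page_host) else link for link in links]


def resolve_bounce(query_string: str):
    """Validate the `to` parameter of a bounce request; None means refuse to redirect."""
    target = parse_qs(query_string).get("to", [None])[0]
    if target is None:
        return None
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_EXTERNAL_HOSTS:
        return None
    return target


def bounce_page_html(target: str) -> str:
    """HTML served at BOUNCE_PATH.

    The browser navigates onward from this token-free page, so the external site
    sees this page's URL (or, with the referrer meta tag, nothing) as the referrer.
    """
    safe = html.escape(target, quote=True)
    return (
        "<!doctype html><html><head>"
        '<meta name="referrer" content="no-referrer">'
        f'<meta http-equiv="refresh" content="0;url={safe}">'
        f'</head><body><a href="{safe}">Continue</a></body></html>'
    )
```

Modern browsers offer the same protection without a bounce page: `rel="noreferrer"` on the link, or a `Referrer-Policy: no-referrer` response header; the example's bounce page sets the equivalent referrer meta tag as well.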

Credits

This issue was discovered by the Total Server Solutions Team.

Solution

This issue is resolved in the following builds:
* 11.40.0.12 & Greater
* 11.38.2.11 & Greater
* 11.36.2.8 & Greater
* 11.34.2.7 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Case 75373

Summary

Reseller Jailshell breakout via custom contact program.

Security Rating

cPanel has assigned a Security Level of Moderate to this vulnerability.

Description

Reseller accounts that were restricted to Jailshell access, and unable to create other accounts without this restriction, could bypass this restriction by creating a custom contact program in WHM’s “Configure Customer Contact” interface. When an account owned by the reseller submitted a contact request, the custom contact program would run without the restrictions of Jailshell.

Credits

This issue was discovered by Rack911.com.

Solution

This issue is resolved in the following builds:
* 11.40.0.12 & Greater
* 11.38.2.11 & Greater
* 11.36.2.8 & Greater
* 11.34.2.7 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Case 76085

Summary

The translation system ACL was not being enforced properly.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

The ability to modify translations in cPanel & WHM is restricted to reseller accounts with the “locale-edit” ACL. This ACL requirement was improperly enforced, granting virtual email accounts owned by a reseller with this ACL the same access as the reseller. A malicious virtual email account could misuse this vulnerability to conduct stored cross-site scripting attacks against other cPanel & WHM users by updating translations to contain malicious JavaScript.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
* 11.40.0.12 & Greater
* 11.38.2.11 & Greater
* 11.36.2.8 & Greater
* 11.34.2.7 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Case 76541

Summary

An arbitrary file unlink vulnerability in cPanel and Webmail.

Security Rating

cPanel has assigned a Security Level of Moderate to this vulnerability.

Description

The logic in cPanel that removes unused file uploads after processing a request incorrectly attempted to unlink both the temporary file and the supplied file name. This allowed Webmail virtual accounts and demo cPanel accounts to unlink arbitrary files belonging to the cPanel account.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
* 11.40.0.12 & Greater
* 11.38.2.11 & Greater
* 11.36.2.8 & Greater
* 11.34.2.7 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Case 76549

Summary

An arbitrary file read and unlink vulnerability in cPanel, WHM, and Webmail.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

When logged into the cPanel, WHM, or Webmail interfaces an attacker could supply crafted multipart post data that appeared to be file uploads with unusual paths. In some subsystems, these invalid file upload parameters allowed viewing or deleting the file at the target path.
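A hardened upload handler covering both Case 76541 and Case 76549, added here as an illustration and not cPanel's code: the on-disk name always comes from mkstemp, the client-supplied name is reduced to a basename that is used only for display, and cleanup unlinks exactly the temp files the handler itself created, so neither a traversal-style file name nor an unusual path in the multipart body can reach any other file. The UploadStore class, the field names and the decoy file in run_demo are constructed for the example.

```python
import os
import posixpath
import tempfile
from typing import Dict, Optional


class UploadError(ValueError):
    """Raised for client-supplied file names that are not acceptable."""


def safe_upload_name(client_filename: str) -> str:
    """Reduce a client-supplied file name to a plain basename and refuse anything odd.

    The result is only used for display or as a database key; it is never joined
    onto a filesystem path, so traversal sequences have nothing to act on.
    Dot-files are refused as a policy choice for this example.
    """
    name = posixpath.basename(client_filename.replace("\\", "/"))
    if name in ("", ".", "..") or "\x00" in name or name.startswith("."):
        raise UploadError(f"unacceptable upload file name: {client_filename!r}")
    return name


def is_acceptable_name(client_filename: str) -> bool:
    """Convenience predicate around safe_upload_name()."""
    try:
        safe_upload_name(client_filename)
        return True
    except UploadError:
        return False


class UploadStore:
    """Receives multipart file parts into temp files and removes only the files it created."""

    def __init__(self, tmp_root: str):
        self.tmp_root = tmp_root
        self._owned: Dict[str, str] = {}  # form field -> temp path this store created

    def receive(self, field: str, client_filename: str, data: bytes) -> str:
        """Store one uploaded part; returns the sanitised display name."""
        display_name = safe_upload_name(client_filename)
        # The on-disk name comes from mkstemp, never from the client.
        fd, path = tempfile.mkstemp(prefix="upload-", dir=self.tmp_root)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        self._owned[field] = path
        return display_name

    def path_for(self, field: str) -> Optional[str]:
        """Server-side temp path for a received field, or None."""
        return self._owned.get(field)

    def cleanup(self) -> int:
        """Unlink the temp files this store created and nothing else."""
        removed = 0
        for field in list(self._owned):
            path = self._owned.pop(field)
            try:
                os.unlink(path)
                removed += 1
            except FileNotFoundError:
                pass
        return removed


def run_demo():
    """Constructed scenario: a decoy file beside the upload area must survive a
    traversal-style client file name, while the temp file is cleaned up."""
    root = tempfile.mkdtemp(prefix="uploads-")
    decoy = os.path.join(root, "decoy.txt")
    with open(decoy, "w") as fh:
        fh.write("must survive\n")
    store = UploadStore(root)
    shown = store.receive("attachment", "../../decoy.txt", b"hello")
    temp_path = store.path_for("attachment")
    removed = store.cleanup()
    return {
        "display_name": shown,
        "decoy_survived": os.path.exists(decoy),
        "temp_removed": not os.path.exists(temp_path),
        "removed_count": removed,
    }
```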

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
* 11.40.0.12 & Greater
* 11.38.2.11 & Greater
* 11.36.2.8 & Greater
* 11.34.2.7 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Case 76789

Summary

Sensitive information was disclosed via transfer logs.

Security Rating

cPanel has assigned a Security Level of Moderate to this vulnerability.

Description

The cPanel & WHM account transfer system stores logs in the /var/cpanel/logs directory. These logs contain the details of the account transfer process including, under some error conditions, the password used to connect to the remote server. The log files created by account transfers were created with 0644 permissions, allowing local users to view any sensitive data stored there.
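A permission audit covering the two filesystem-permission cases above (Case 69513's world-writable directories and Case 76789's group/world-readable transfer logs), added as an example and not part of the advisory or of cPanel's own tooling. The tree built in run_demo (a 0777 3rdparty/conf directory and a 0644 logs/transfer.log) is constructed; on a real server you would point audit_tree at the directories the advisory names.

```python
import os
import stat
import tempfile
from typing import List, Tuple


def mode_problems(st: os.stat_result, must_be_private: bool) -> List[str]:
    """Describe what is wrong with one entry's permission bits."""
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    # World-writable is acceptable only for sticky directories such as /tmp.
    sticky_dir = stat.S_ISDIR(st.st_mode) and bool(mode & stat.S_ISVTX)
    if mode & stat.S_IWOTH and not sticky_dir:
        problems.append("world-writable")
    if must_be_private and mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append("readable by group/other")
    return problems


def audit_tree(root: str, private_dirs=()) -> List[Tuple[str, str, str]]:
    """Walk `root` and return (path, octal mode, problem) for every offending entry.

    Regular files under any of `private_dirs` must be readable by their owner only;
    everything else is checked for world-writability alone.
    """
    private_dirs = [os.path.abspath(d) for d in private_dirs]
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own bits are meaningless; its target is visited separately
            under_private = any(
                os.path.abspath(path).startswith(d + os.sep) for d in private_dirs
            )
            for problem in mode_problems(st, under_private and stat.S_ISREG(st.st_mode)):
                findings.append((path, oct(stat.S_IMODE(st.st_mode)), problem))
    return findings


def run_demo():
    """Constructed tree: a 0777 third-party config directory and a 0644 transfer log
    inside a directory that is supposed to hold private logs."""
    root = tempfile.mkdtemp(prefix="audit-")  # mkdtemp creates the root as 0700
    third = os.path.join(root, "3rdparty")
    conf = os.path.join(third, "conf")
    logs = os.path.join(root, "logs")
    os.makedirs(conf)
    os.makedirs(logs)
    os.chmod(third, 0o755)  # explicit modes so the demo does not depend on the umask
    os.chmod(logs, 0o755)
    os.chmod(conf, 0o777)   # the defect from Case 69513
    files = (
        ("3rdparty/conf/global.conf", 0o644),
        ("logs/transfer.log", 0o644),   # the defect from Case 76789
        ("README", 0o644),
    )
    for rel, mode in files:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed\n")
        os.chmod(path, mode)
    return sorted(
        (os.path.relpath(path, root), problem)
        for path, _mode, problem in audit_tree(root, private_dirs=[logs])
    )
```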

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
* 11.40.0.12 & Greater
* 11.38.2.11 & Greater
* 11.36.2.8 & Greater
* 11.34.2.7 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Case 76869

Summary

CVE-2013-6171 – Dovecot’s checkpassword authentication implementation vulnerable to response spoofing.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

cPanel & WHM provides the Dovecot mail server by default for support of the POP3 and IMAP protocols. cPanel’s integration of Dovecot relies on the checkpassword authentication protocol to make Dovecot aware of virtual email accounts on the system. Dovecot’s implementation of this protocol uses a sensitive file descriptor passed across the executables that make up the checkpassword protocol. This allows the checkpassword-reply binary to communicate back to the dovecot-auth server if authentication is successful. A local attacker could attach to a running instance of the checkpassword-reply binary before the account information was written back to the dovecot-auth server and supply fraudulent account information. This allowed the attacker to view email and other files belonging to the victim account.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
* 11.40.0.12 & Greater
* 11.38.2.11 & Greater
* 11.36.2.8 & Greater
* 11.34.2.7 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Case 76941

Summary

Insufficient session expiration of Cpanel::LogMeIn sessions.

Security Rating

cPanel has assigned a Security Level of Minor to this vulnerability.

Description

The Cpanel::LogMeIn module is used to implement custom login screens for cPanel & WHM systems. It creates a single use session file on the cPanel system, suitable for redirecting a browser from another website. It was found that previous changes to cPanel & WHM’s session storage format for TSR 2013-0009 resulted in Cpanel::LogMeIn sessions not expiring after a single use. These sessions were instead expired according to normal session timeouts.
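One way to make a login session genuinely single-use (Case 76941), added as an example and not the Cpanel::LogMeIn implementation: the session file is created with O_EXCL and mode 0600, redemption claims it with an atomic rename so that two concurrent redeemers cannot both succeed, and the record is removed whether or not it turns out to be valid; a short TTL applies on top, so a token that is never redeemed does not live on under the normal session timeout. The directory layout, the token format and the injectable clock are assumptions for the example.

```python
import json
import os
import re
import secrets
import tempfile
import time
from typing import Optional

# token_hex(16) shape; anything else is rejected before the disk is touched,
# so a token can never be turned into a path.
TOKEN_RE = re.compile(r"[0-9a-f]{32}")


class SingleUseSessionStore:
    """Session files that can be redeemed exactly once and also carry a short TTL."""

    def __init__(self, directory: str, ttl_seconds: float = 60.0, clock=time.time):
        self.directory = directory
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be exercised deterministically

    def create(self, user: str) -> str:
        token = secrets.token_hex(16)
        path = os.path.join(self.directory, token)
        # O_EXCL: never overwrite an existing session file; 0600: owner only.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as fh:
            json.dump({"user": user, "created": self.clock()}, fh)
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the user for a valid, unused, unexpired token and consume it; else None."""
        if not isinstance(token, str) or not TOKEN_RE.fullmatch(token):
            return None
        path = os.path.join(self.directory, token)
        claimed = path + ".claimed-" + secrets.token_hex(4)
        try:
            # rename() is atomic on the same filesystem: of two concurrent
            # redeemers only one gets the file, the other sees FileNotFoundError.
            os.rename(path, claimed)
        except FileNotFoundError:
            return None
        try:
            with open(claimed) as fh:
                record = json.load(fh)
        finally:
            os.unlink(claimed)  # consumed whether or not it turns out to be valid
        if self.clock() - record["created"] > self.ttl:
            return None
        return record["user"]


def run_demo():
    """Constructed run: first redemption succeeds, a repeat fails, an expired token
    fails, and a malformed token is refused without touching the directory."""
    now = [1_000_000.0]
    store = SingleUseSessionStore(
        tempfile.mkdtemp(prefix="sessions-"), ttl_seconds=60, clock=lambda: now[0]
    )
    token = store.create("alice")
    first = store.redeem(token)
    second = store.redeem(token)
    stale = store.create("bob")
    now[0] += 120  # past the TTL
    expired = store.redeem(stale)
    bogus = store.redeem("../not-a-token")
    leftover = os.listdir(store.directory)
    return {"first": first, "second": second, "expired": expired,
            "bogus": bogus, "leftover": leftover}
```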

Credits

This issue was discovered by Vodien Internet Solutions.

Solution

This issue is resolved in the following builds:
* 11.40.0.12 & Greater
* 11.38.2.11 & Greater
* 11.36.2.8 & Greater
* 11.34.2.7 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Case 77837

Summary

Logaholic local file inclusion vulnerability.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

The Logaholic log processing software included with cPanel & WHM was vulnerable to a local file inclusion vulnerability through the logaholic_lang cookie. This allowed a local attacker to execute arbitrary code as the cpanel-logaholic user, potentially compromising other accounts on the system through Logaholic’s shared database.
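How to take a language preference from a cookie without ever letting it form a path (Case 77837), added as an example and not Logaholic's code: the value is matched against a strict tag pattern, then against the language files that actually exist, and the resolved path is confirmed to lie inside the language directory before use; any failure falls back to the default instead of raising on attacker-controlled input. The .lang suffix and the directory created in run_demo are constructed.

```python
import os
import re
import tempfile

# Syntactic allow-list for a language tag such as "en" or "pt-br"; anything else is ignored.
LANG_TAG = re.compile(r"[a-z]{2}(-[a-z]{2})?")
LANG_SUFFIX = ".lang"  # constructed suffix for this example


def available_languages(lang_dir: str):
    """The set of language tags that actually have a file in lang_dir."""
    return {
        name[: -len(LANG_SUFFIX)]
        for name in os.listdir(lang_dir)
        if name.endswith(LANG_SUFFIX) and os.path.isfile(os.path.join(lang_dir, name))
    }


def resolve_language_file(lang_dir: str, cookie_value, default: str = "en") -> str:
    """Map an untrusted cookie value to one of the language files shipped in lang_dir.

    The cookie never becomes part of a path: it is checked against LANG_TAG, then
    against the files that exist, and only a tag that passes both selects a file.
    """
    tag = default
    if (isinstance(cookie_value, str)
            and LANG_TAG.fullmatch(cookie_value)
            and cookie_value in available_languages(lang_dir)):
        tag = cookie_value
    real_dir = os.path.realpath(lang_dir)
    real_file = os.path.realpath(os.path.join(real_dir, tag + LANG_SUFFIX))
    # Defence in depth: even a tag that passed the allow-list must resolve inside lang_dir.
    if os.path.commonpath([real_dir, real_file]) != real_dir:
        raise RuntimeError("language file resolved outside the language directory")
    return real_file


def run_demo():
    """Constructed language directory with en and de; probes several cookie values."""
    lang_dir = tempfile.mkdtemp(prefix="lang-")
    for tag in ("en", "de"):
        with open(os.path.join(lang_dir, tag + LANG_SUFFIX), "w") as fh:
            fh.write(f"# {tag}\n")
    probes = ["de", "fr", "../../../../etc/passwd", "de\x00", "EN", None, "en.lang"]
    return {p: os.path.basename(resolve_language_file(lang_dir, p)) for p in probes}
```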

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
* 11.40.0.12 & Greater
* 11.38.2.11 & Greater
* 11.36.2.8 & Greater
* 11.34.2.7 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Case 78177

Summary

There could be a local arbitrary code execution via mailman pickle files.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

cPanel & WHM uses a single, central installation of GNU Mailman to provide mailing list functionality to all cPanel accounts. Mailman’s cgi-bin scripts are configured to run with the GID mailman so that they can write into the Mailman list and archive directories. This resulted in the Mailman Python pickle files having their UID ownership changed depending on where the files were executed. A local attacker could utilize this fact to overwrite one of Mailman’s pickle files, and execute arbitrary code when the pickle file was deserialized (BugTrack ID 5257). Under some circumstances, this would allow a local attacker to execute arbitrary code as root.
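A pre-deserialisation ownership check (Case 78177), added as a general example and not Mailman's or cPanel's code: before pickle.load, the file is opened with O_NOFOLLOW, fstat'ed on the same descriptor that will be read, and refused unless it is a regular file owned by the expected uid, not writable by group or other, and sitting in a directory other users cannot modify. This does not make pickle safe for data written by other users; it ensures that only the expected user could have written the file that is about to be loaded. The config.pck name and its contents are constructed.

```python
import os
import pickle
import stat
import tempfile


class UntrustedFileError(Exception):
    """The file's owner or permission bits do not meet the policy for deserialisation."""


def open_trusted(path: str, expected_uid: int):
    """Open `path` for reading only if it is safe to deserialise.

    The checks run on the descriptor that is then used for reading (fstat after
    open), so the inode that was checked is the inode that gets deserialised.
    """
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    pmode = stat.S_IMODE(parent.st_mode)
    # A directory others can write to lets them swap the file out from under us,
    # unless the sticky bit restricts deletion/rename to the owner.
    if pmode & (stat.S_IWGRP | stat.S_IWOTH) and not pmode & stat.S_ISVTX:
        raise UntrustedFileError("containing directory is writable by other users")
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    try:
        st = os.fstat(fd)
        mode = stat.S_IMODE(st.st_mode)
        if not stat.S_ISREG(st.st_mode):
            raise UntrustedFileError("not a regular file")
        if st.st_uid != expected_uid:
            raise UntrustedFileError(f"owned by uid {st.st_uid}, expected {expected_uid}")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise UntrustedFileError(f"writable by group/other (mode {oct(mode)})")
    except Exception:
        os.close(fd)
        raise
    return os.fdopen(fd, "rb")


def load_trusted_pickle(path: str, expected_uid: int):
    """Deserialise a pickle only when open_trusted() accepts the file."""
    with open_trusted(path, expected_uid) as fh:
        return pickle.load(fh)


def rejects(path: str, uid: int) -> bool:
    """True when load_trusted_pickle refuses the file on policy grounds."""
    try:
        load_trusted_pickle(path, uid)
    except UntrustedFileError:
        return True
    return False


def run_demo():
    """Constructed list-config pickle: accepted at 0644 under our uid, refused when
    attributed to another uid or once it becomes group/world writable."""
    directory = tempfile.mkdtemp(prefix="lists-")  # mkdtemp gives 0700, so the parent check passes
    path = os.path.join(directory, "config.pck")
    with open(path, "wb") as fh:
        pickle.dump({"list": "announce", "moderated": True}, fh)
    os.chmod(path, 0o644)
    me = os.getuid()
    results = {"loaded": load_trusted_pickle(path, me)}
    results["wrong_owner_rejected"] = rejects(path, me + 1)
    os.chmod(path, 0o666)
    results["world_writable_rejected"] = rejects(path, me)
    return results
```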

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
* 11.40.0.12 & Greater
* 11.38.2.11 & Greater
* 11.36.2.8 & Greater
* 11.34.2.7 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Case 78253

Summary

Local arbitrary code could be executed as other accounts with mod_ruid2 enabled.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

On systems with mod_ruid2 enabled, making any changes using the WHM “Apache mod_userdir Tweak” interface resulted in a corrupted Apache configuration. A local user could manipulate the permissions on directories and files under their control, and enable Apache to run arbitrary code with the UID and GID of a victim account via userdir URLs. Access to the “Apache mod_userdir Tweak” interface is only permitted to the root user.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
* 11.40.0.12 & Greater
* 11.38.2.11 & Greater
* 11.36.2.8 & Greater
* 11.34.2.7 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Case 79133

Summary

The improper sanitization of SSL certificates could allow a local DoS of the web server.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

cPanel user accounts with the “sslinstall” feature are allowed to install SSL certificates for the domains they control. The logic that sanitized these certificates did not account for whitespace variations in SSL certificates that Apache cannot parse. This vulnerability could be used by a malicious local attacker to make it impossible to restart the Apache web server.
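Normalising a user-submitted certificate before it reaches the web server configuration (Case 79133), added as an example and not cPanel's sanitiser: the PEM text is decoded to DER with the standard library (which tolerates CRLF, tabs, odd line lengths and surrounding whitespace), the outer DER SEQUENCE length is checked against the data, and the certificate is re-emitted as canonical 64-column, LF-terminated PEM, which is the only form ever written to the configuration. The MESSY_EXAMPLE payload (a bare INTEGER inside a SEQUENCE) is constructed and is not a real certificate; full X.509 parsing is left to OpenSSL or a proper library after this step.

```python
import binascii
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed input: tabs, CRLF, a split base64 body and stray spaces, all of which a
# strict PEM reader may refuse. The body decodes to DER 30 03 02 01 05 (SEQUENCE{INTEGER 5}).
MESSY_EXAMPLE = "  -----BEGIN CERTIFICATE-----\r\n\tMAMC\r\n AQU=  \r\n-----END CERTIFICATE-----\r\n\n"


class CertificateFormatError(ValueError):
    """The submitted text is not a single, well-formed PEM certificate."""


def _der_outer_length(der: bytes) -> int:
    """Total length of the outer DER SEQUENCE according to its own header."""
    if len(der) < 2 or der[0] != 0x30:
        raise CertificateFormatError("certificate body is not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:
        return 2 + first                      # short form
    n = first & 0x7F                          # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise CertificateFormatError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def canonical_pem(submitted: str) -> str:
    """Turn a user-submitted certificate into canonical PEM, or reject it."""
    text = submitted.strip()
    if text.count(PEM_HEADER) != 1 or text.count(PEM_FOOTER) != 1:
        raise CertificateFormatError("expected exactly one PEM certificate")
    try:
        # Checks header/footer and base64-decodes the body, ignoring whitespace.
        der = ssl.PEM_cert_to_DER_cert(text)
    except (ValueError, binascii.Error) as exc:
        raise CertificateFormatError(f"not valid PEM: {exc}") from exc
    if not der or _der_outer_length(der) != len(der):
        raise CertificateFormatError("DER length does not match certificate data")
    # Re-encode: header, 64-column base64 lines, footer, LF line endings.
    return ssl.DER_cert_to_PEM_cert(der)


def is_installable(submitted: str) -> bool:
    """True when canonical_pem() accepts the text."""
    try:
        canonical_pem(submitted)
        return True
    except CertificateFormatError:
        return False


def run_demo() -> str:
    """Canonical form of the constructed messy input."""
    return canonical_pem(MESSY_EXAMPLE)
```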

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
* 11.40.0.12 & Greater
* 11.38.2.11 & Greater
* 11.36.2.8 & Greater
* 11.34.2.7 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

For the PGP signed message, go here.

Posted in News, Release Announcements, Security

TSR-2013-0010 Announcement

cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.

cPanel has rated these updates as having security impact levels ranging from Minor to Important.

Information on cPanel’s security ratings is available at http://go.cpanel.net/securitylevels.

If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.

RELEASES

The following cPanel & WHM versions address all known vulnerabilities:
* 11.40.0.12 & Greater
* 11.38.2.11 & Greater
* 11.36.2.8 & Greater
* 11.34.2.7 & Greater

The latest public releases of cPanel & WHM for all update tiers are available at http://httpupdate.cpanel.net.

SECURITY ISSUE INFORMATION

The cPanel security team and independent security researchers identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time.

Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses 13 vulnerabilities in cPanel & WHM software versions 11.40, 11.38, 11.36, and 11.34.

Additional information is scheduled for release on October 26, 2013.

For information on cPanel & WHM Versions and the Release Process, read our documentation at:
http://go.cpanel.net/versionformat

For the PGP signed message, go here.

Posted in News, Release Announcements, Security

cPanel to Exhibit at HostingCon 2014

cPanel is excited to be exhibiting at HostingCon 2014, June 16 – 18, in Miami Beach, FL.

This conference allows cPanel to stay connected to our partners and friends, while also giving us the opportunity to form new connections during the conference.

Stop by booth #211 to meet the cPanel staff and find out what’s new and exciting with cPanel.

HostingCon is the premier conference and trade show for the hosted services industry.

Posted in Events

11.40 Now in CURRENT Tier

10/10/2013
Houston, TX -

As previously announced in our cPanel & WHM 11.40 Webinar and at cPanel Conference 2013, cPanel, Inc. is thrilled to release cPanel & WHM software version 11.40, which is now available in the CURRENT tier.

cPanel & WHM version 11.40 offers support for IPv6 and 1:1 NAT, an API Shell, and more.

IPv6 Support
cPanel & WHM is now IPv6-enabled with dual-stack support, allowing customers to add IPv6 or IPv4 to any account. This feature prepares our customers for future demand.

1:1 NAT Support
cPanel & WHM version 11.40 provides 1:1 NAT, giving customers the ability to support a broader range of hosting environments.

API Shell
In 11.40, cPanel & WHM includes an API Shell, enabling customers to run and troubleshoot API calls interactively through the cPanel & WHM user interfaces. This feature helps our customers better understand API calls.

Detailed information on all cPanel & WHM version 11.40 features can be found at http://docs.cpanel.net. An overview of the latest features and benefits is also available at http://releases.cpanel.net.

To ensure that you receive up-to-date product news from cPanel, we encourage you to subscribe to the “Security Advisories and Product Release Announcements” mailing list here: http://cpanel.net/mailing-lists.

Posted in News, Press Releases, Release Announcements