TSR 2013-0011 Full Disclosure

Case 60890

Summary

A reseller with limited privileges is allowed to install SSL virtualhosts on arbitrary IPs.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

A reseller account with ACL permission to install SSL certificates could install certificates and matching virtualhosts on IP addresses that belonged to accounts that did not belong to the reseller. This would allow a malicious reseller account to capture web traffic intended for other accounts on the system.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.36.2.10 & Greater

The 11.38 and 11.40 releases of cPanel were not vulnerable to this issue due to unrelated changes in the SSL certificate management logic of cPanel & WHM.

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/


Case 63541

Summary

Arbitrary code execution via user-supplied translatable phrases.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

Authenticated remote cPanel, WHM, and Webmail users have the ability to call API commands appropriate for their access level. Many API commands expand input arguments looking for translatable strings and other variable substitutions. It was found that the Locale::Maketext module, as used in cPanel’s translation system, allowed callers to specify a custom failure handler via a crafted translation. A malicious authenticated user could leverage this flaw to execute arbitrary code with permissions that exceeded their normal access level.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.40.1.3 & Greater
11.40.0.29 & Greater
11.38.2.13 & Greater
11.36.2.10 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

Case 69517

Summary

World-writable Counter directory allowed arbitrary code execution.

Security Rating

cPanel has assigned a Security Level of Moderate to this vulnerability.

Description

An unnecessary directory at /usr/local/cpanel/share/Counter, installed by the wwwcount RPM provided with cPanel, retained world-writable permissions on some systems. The location of this directory inside of cPanel & WHM’s trusted paths allowed a local attacker to load arbitrary code into cPanel processes under some circumstances.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.40.1.3 & Greater
11.40.0.29 & Greater
11.38.2.13 & Greater
11.36.2.10 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

Case 71125

Summary

Arbitrary file ownership change via cPanel branding system.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

A bug in the sprite generation code for the branding subsystem changed the ownership of files in paths under the reseller’s control to the reseller’s UID. The change in ownership was performed automatically during the nightly updates while running with the effective UID and GID of root. A malicious reseller account could leverage this flaw to take control of arbitrary files on the system.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.38.2.13 & Greater

The 11.36 and 11.40 releases of cPanel were not vulnerable to this issue. The vulnerable functionality was introduced in cPanel & WHM’s 11.38 release and fixed due to unrelated changes in the original releases of 11.40.

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

Case 73125

Summary

After multiple security token failures, session credentials were not invalidated.

Security Rating

cPanel has assigned a Security Level of Minor to this vulnerability.

Description

The security tokens used to prevent XSRF (Cross-Site Request Forgery) attacks were vulnerable to brute-force attempts due to a failure to limit the number of invalid token attempts. An attacker who could make a very large number of XSRF attempts could use this flaw in an attempt to brute force the security token.
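The mitigation the case describes, limiting how many wrong tokens a session may present, is shown below as an added example; it is not cPanel code. A toy session store issues a random per-session token, compares it in constant time, counts failed checks, and destroys the session once a budget (the constant MAX_TOKEN_FAILURES, an assumed value) is exhausted, so a token cannot be guessed in place against a live session.

```python
"""Session-bound anti-XSRF tokens with a failure budget (added example)."""
import hmac
import secrets

# Assumed budget: large enough to tolerate a few stale browser tabs, far too
# small for a brute-force search of a 256-bit token.
MAX_TOKEN_FAILURES = 5


class SessionStore:
    def __init__(self):
        # session_id -> {"token": str, "failures": int}
        self._sessions = {}

    def create_session(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"token": secrets.token_urlsafe(32), "failures": 0}
        return sid

    def token_for(self, sid):
        return self._sessions[sid]["token"]

    def is_valid(self, sid):
        return sid in self._sessions

    def check_token(self, sid, presented):
        """Return True if `presented` matches the session's token.

        Every mismatch is counted; when the budget is exhausted the whole
        session is invalidated, so the attacker must obtain fresh
        credentials instead of continuing to guess.
        """
        sess = self._sessions.get(sid)
        if sess is None:
            return False
        # Constant-time comparison: no timing side channel on the token bytes.
        if hmac.compare_digest(sess["token"].encode(), str(presented).encode()):
            sess["failures"] = 0
            return True
        sess["failures"] += 1
        if sess["failures"] >= MAX_TOKEN_FAILURES:
            del self._sessions[sid]  # invalidate the session credentials
        return False


def simulate_guessing(attempts):
    """Present `attempts` wrong tokens against one session.

    Returns (number of guesses accepted, whether the session still exists).
    """
    store = SessionStore()
    sid = store.create_session()
    accepted = 0
    for i in range(attempts):
        if store.check_token(sid, f"wrong-token-{i}"):  # constructed guesses
            accepted += 1
    return accepted, store.is_valid(sid)


if __name__ == "__main__":
    print(simulate_guessing(3))   # session survives a few failures
    print(simulate_guessing(50))  # session is gone long before 50 guesses
```

The point of the budget is not the exact number but that the cost of each wrong guess is borne by the attacker's session, not by the defender's patience: a guess-rate limit alone only slows the search, while invalidation ends it.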

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.40.1.3 & Greater
11.40.0.29 & Greater
11.38.2.13 & Greater
11.36.2.10 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

Case 73193

Summary

Unsafe disclosure of security token during session based login.

Security Rating

cPanel has assigned a Security Level of Minor to this vulnerability.

Description

The URL used to perform logins could return a valid security token with only a valid session identifier supplied instead of a username and password. An attacker with the ability to capture a valid session identifier could use this flaw to acquire a new, valid security token that could be used to authenticate with the captured credentials. Such an attack would additionally invalidate the existing token for that session.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.40.1.3 & Greater
11.40.0.29 & Greater
11.38.2.13 & Greater
11.36.2.10 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

Case 74333

Summary

The session credentials were disclosed during reseller override logins.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

The session cookie used by a reseller during a reseller override login to a cPanel account was disclosed to the cPanel account via the HTTP_COOKIE environment variable. A malicious local cPanel user could leverage this vulnerability to enter WHM using the reseller’s captured credentials.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.38.2.13 & Greater
11.36.2.10 & Greater

The 11.40 release of cPanel was not vulnerable to this issue. The vulnerable functionality was fixed due to unrelated changes in the original releases of 11.40.

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

Case 78045

Summary

Stored XSS vulnerability in WHM Daily Process Log screen.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

Output filtering in the WHM Daily Process Log interface did not properly sanitize the names of processes that caused high CPU load. A local attacker could create a process with a high load and a name containing malicious JavaScript intended to execute in the browser of any WHM account that viewed the daily process summary.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.40.1.3 & Greater
11.40.0.29 & Greater
11.38.2.13 & Greater
11.36.2.10 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

Case 78089

Summary

Password disclosure during forced cPAddons upgrade.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

A root or reseller account performing an upgrade of a cPanel account’s cPAddons Site Software installations directly from WHM disclosed the REMOTE_PASSWORD environment variable to the cPanel account under some circumstances. The variable was only disclosed when the “cgihidepass” TweakSetting was disabled on the server. By default, this TweakSetting is enabled.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.40.1.3 & Greater
11.40.0.29 & Greater
11.38.2.13 & Greater
11.36.2.10 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

Case 79277

Summary

Arbitrary file read vulnerability in WHM Edit DNS Zone interface.

Security Rating

cPanel has assigned a Security Level of Minor to this vulnerability.

Description

The WHM Edit DNS Zone interface allowed parts of arbitrary files to be read through the error message produced when an $include DNS zone directive led to an invalidly formatted file. With a specially crafted DNS zone entry, resellers with the “edit-dns” ACL could read parts of the contents of files accessible only to root from the output of that error message.

Credits

This issue was discovered by Rack911.

Solution

This issue is resolved in the following builds:

11.40.1.3 & Greater
11.40.0.29 & Greater
11.38.2.13 & Greater
11.36.2.10 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

Case 80113

Summary

cPHulk injection via crafted SSH connections.

Security Rating

cPanel has assigned a Security Level of Moderate to this vulnerability.

Description

cPHulk, a service for preventing brute-force authentication attempts, was vulnerable to a protocol injection attack via specially crafted usernames during SSH authentication. This flaw would allow a remote unauthenticated attacker to block or unblock arbitrary IP addresses and accounts from connecting to all cPHulk-managed services on the system.
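The failure class here is delimiter injection: an attacker-chosen identifier is pasted into a record format whose separators it is free to contain. The following added example (not cPHulk's actual protocol, which this advisory does not describe) uses a constructed line-oriented tracker protocol, one record per line of the form `<verb> <user> <ip>`, to contrast a naive encoder with one that validates the username against an assumed allowed character set (USERNAME_RE) and frames each record as JSON so no field can terminate or start a record.

```python
"""Framing untrusted identifiers in a line-oriented control protocol (added example)."""
import ipaddress
import json
import re

# Assumed policy for what a login name may look like on this system.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")
VERBS = ("fail", "clear")


def naive_encode(verb, username, ip):
    """Paste fields straight into the line: separators inside a field are not escaped."""
    return f"{verb} {username} {ip}\n"


def naive_parse(wire):
    """Split on newlines and spaces; every line becomes a record."""
    records = []
    for line in wire.split("\n"):
        if line:
            verb, user, ip = line.split(" ", 2)
            records.append((verb, user, ip))
    return records


def validate_username(username):
    """Reject anything outside the allowed set before it reaches the wire or the store."""
    if not USERNAME_RE.match(username):
        raise ValueError("username contains characters outside the allowed set")
    return username


def safe_encode(verb, username, ip):
    """Validate every field, then JSON-encode so newlines and spaces cannot
    escape the record even if validation is later relaxed."""
    if verb not in VERBS:
        raise ValueError("unknown verb")
    record = {
        "verb": verb,
        "user": validate_username(username),
        "ip": str(ipaddress.ip_address(ip)),  # raises on anything that is not an address
    }
    return json.dumps(record, separators=(",", ":")) + "\n"


def safe_parse(wire):
    """Decode one JSON object per line and re-validate fields on the receiving side."""
    records = []
    for line in wire.split("\n"):
        if not line:
            continue
        obj = json.loads(line)
        if set(obj) != {"verb", "user", "ip"} or obj["verb"] not in VERBS:
            raise ValueError("malformed record")
        records.append((obj["verb"], validate_username(obj["user"]),
                        str(ipaddress.ip_address(obj["ip"]))))
    return records


if __name__ == "__main__":
    # Constructed username that carries a record separator and a second record.
    crafted = "alice 203.0.113.1\nfail bob 192.0.2.9"
    print(naive_parse(naive_encode("fail", crafted, "198.51.100.5")))  # two records
    try:
        safe_encode("fail", crafted, "198.51.100.5")
    except ValueError as exc:
        print("rejected:", exc)
```

Validation on both the sending and receiving side matters because the service, not the client, is the trust boundary: a daemon that accepts records from several authenticators (SSH, mail, web) cannot assume every producer escaped correctly.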

Credits

This issue was discovered by an anonymous researcher.

Solution

This issue is resolved in the following builds:

11.40.1.3 & Greater
11.40.0.29 & Greater
11.38.2.13 & Greater
11.36.2.10 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

Case 80633

Summary

Arbitrary file write via X3 countedit.cgi.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

An obsolete version of the countedit.cgi script inside the cPanel X3 theme directory contained a path traversal vulnerability allowing arbitrary files to be written. This script was only executable by cPanel accounts that were configured to use a theme other than X3 or by cPanel accounts configured to use the X3 theme after a clone of the X3 theme was created by the system administrator. The obsolete copies of countedit.cgi and count.cgi inside the X3 theme directory have been removed.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.40.1.3 & Greater
11.40.0.29 & Greater
11.38.2.13 & Greater
11.36.2.10 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

Case 81373

Summary

Bandmin passwd file stored with world-readable permissions.

Security Rating

cPanel has assigned a Security Level of Minor to this vulnerability.

Description

The permissions of the Bandmin password file were set to 0644 by default. This allowed any user on the system to read the username and hashed password required to view Bandmin’s stored log data. The password stored in this file was encoded with DES-crypt.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.40.1.3 & Greater
11.40.0.29 & Greater
11.38.2.13 & Greater
11.36.2.10 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

Case 81377

Summary

Multiple XSS vulnerabilities found in Bandmin.

Security Rating

cPanel has assigned a Security Level of Moderate to this vulnerability.

Description

Multiple output filtering errors in the Bandmin bandwidth log viewer interface allowed JavaScript inputs to be returned to the browser without proper filtering. An attacker who could cause a user with permission to view bandwidth logs to visit a specially crafted URL could execute arbitrary JavaScript code in that user’s browser.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.40.1.3 & Greater
11.40.0.29 & Greater
11.38.2.13 & Greater
11.36.2.10 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

Case 81429

Summary

URL filtering flaws allowed access to restricted resources.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

Flaws in the path resolution of URLs supplied to cpsrvd with HTTP requests allowed the bypassing of URL based access control checks in the cPanel, WHM, and Webmail interfaces. This allowed, for example, an attacker with credentials for a Webmail virtual account to access phpMyAdmin and phpPgAdmin with the privileges of the cPanel account that owned the Webmail account.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.40.1.3 & Greater
11.40.0.29 & Greater
11.38.2.13 & Greater
11.36.2.10 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

Case 81641

Summary

Path traversal flaw allows arbitrary code execution for restricted cPanel accounts.

Security Rating

cPanel has assigned a Security Level of Moderate to this vulnerability.

Description

Due to an incorrect ordering of input filters, the UI::dynamicincludelist and UI::includelist cPanel API 2 calls were vulnerable to a path traversal attack. A restricted cPanel account could leverage this flaw to read files or execute arbitrary code that other account restrictions, such as JailShell or demo mode, would normally prevent.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.40.1.3 & Greater
11.40.0.29 & Greater
11.38.2.13 & Greater
11.36.2.10 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

Case 81885

Summary

Multiple self-XSS vulnerabilities found in cPanel.

Security Rating

cPanel has assigned a Security Level of Minor to this vulnerability.

Description

Output filtering errors in the Manage Redirection functionality for Addon Domains and Subdomains, as well as the GnuPG Keys interfaces allowed JavaScript inputs to be returned to the browser without proper filtering.

cPanel includes a comprehensive protection mechanism against XSS and XSRF attacks called Security Tokens. Security Tokens protection is enabled by default in all installs of cPanel & WHM. When Security Tokens protection is enabled, an attacker intending to utilize this vulnerability must convince the victim to navigate their browser to the appropriate cPanel or WHM interface and manually input the JavaScript payload.

Credits

These issues were discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.40.1.3 & Greater
11.40.0.29 & Greater
11.38.2.13 & Greater
11.36.2.10 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

Case 82309

Summary

Insecure storage of Logaholic session files was found.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

Logaholic session files were stored in the world-writable /tmp directory. A local attacker with access to the cPanel Logaholic interfaces could create a session file in this directory with a crafted payload intended to execute arbitrary code as the cpanel-logaholic user as the session was loaded by the Logaholic interfaces inside cPanel. Logaholic now uses a non-world-writable directory for session data, and as a precaution, database caching.

Credits

This issue was discovered by Rack911.

Solution

This issue is resolved in the following builds:

11.40.1.3 & Greater
11.40.0.29 & Greater
11.38.2.13 & Greater
11.36.2.10 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

Case 82725

Summary

XSS vulnerability found in YUI 2.

Security Rating

cPanel has assigned a Security Level of Moderate to this vulnerability.

Description

The uploader.swf file in YUI 2, which is included with cPanel & WHM, is vulnerable to an XSS attack due to insufficient filtering of inputs. This attack has been assigned CVE-2013-6780. All Flash files have been removed from the copy of YUI 2 shipped with cPanel & WHM, as they are unneeded. These files were accessible in the cPanel, WHM, and Webmail interfaces.

Credits

This issue was discovered upstream by a security researcher called @soiaxx.

Solution

This issue is resolved in the following builds:

11.40.1.3 & Greater
11.40.0.29 & Greater
11.38.2.13 & Greater
11.36.2.10 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

Case 82733

Summary

Database grant files stored with world-readable permissions.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

Changes to the functionality that stores data and cache files resulted in cPanel & WHM’s files for storing database grants becoming world-readable. This flaw allowed all accounts on the system to access the MySQL and PostgreSQL grant statements for other cPanel users on the system. These grant statements contained MySQL and PostgreSQL usernames and hashed passwords.
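Case 69517 (a world-writable directory inside a trusted path), Case 81373 (a 0644 password file) and this case (world-readable grant files) are all file-mode defects that a periodic permission audit catches before an attacker does. The following added example is not cPanel's own tooling: it builds a constructed directory tree in a temporary location that reproduces the three shapes, then walks it reporting world-writable directories and files and world-readable files whose names suggest secrets (SECRET_NAME_HINTS, an assumed list).

```python
"""Audit a tree for world-writable directories and world-readable secrets (added example)."""
import os
import shutil
import stat
import tempfile

# Assumed name fragments that should never be world-readable.
SECRET_NAME_HINTS = ("passwd", "grant", "shadow", ".key")


def audit_tree(root):
    """Walk `root` and return sorted (relative_path, finding) pairs."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            full = os.path.join(dirpath, d)
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):
                continue
            # Any local user can drop files into a world-writable directory; if
            # privileged code loads from it, that is a code-execution path. The
            # sticky bit (as on /tmp) only restricts deletion, so note it but flag it.
            if mode & stat.S_IWOTH:
                kind = "world-writable dir (sticky)" if mode & stat.S_ISVTX else "world-writable dir"
                findings.append((os.path.relpath(full, root), kind))
        for f in filenames:
            full = os.path.join(dirpath, f)
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):
                continue
            if mode & stat.S_IWOTH:
                findings.append((os.path.relpath(full, root), "world-writable file"))
            if mode & stat.S_IROTH and any(h in f.lower() for h in SECRET_NAME_HINTS):
                findings.append((os.path.relpath(full, root), "world-readable secret"))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed tree with two defects and one correct file; return its root."""
    root = tempfile.mkdtemp(prefix="permaudit-")
    counter = os.path.join(root, "share", "Counter")
    os.makedirs(counter)
    os.chmod(counter, 0o777)                         # defect: world-writable directory
    ok_dir = os.path.join(root, "share", "ok")
    os.makedirs(ok_dir)
    os.chmod(ok_dir, 0o755)                          # fine: not writable by others
    os.makedirs(os.path.join(root, "bandmin"))
    pw = os.path.join(root, "bandmin", "passwd")
    with open(pw, "w") as fh:
        fh.write("bandmin:constructed-hash\n")       # constructed content
    os.chmod(pw, 0o644)                              # defect: world-readable secret
    os.makedirs(os.path.join(root, "datastore"))
    grants = os.path.join(root, "datastore", "mysql_grants")
    with open(grants, "w") as fh:
        fh.write("-- constructed grant statements\n")
    os.chmod(grants, 0o600)                          # fine: owner-only
    return root


def demo():
    """Build the sample tree, audit it, clean up, and return the findings."""
    root = build_sample_tree()
    try:
        return audit_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, finding in demo():
        print(f"{finding:28} {path}")
```

Run against real trusted paths (the cPanel base directory, datastore and cache directories) from a nightly job, the same walk doubles as a regression check: a package update that reintroduces a loose mode shows up as a new finding rather than as a later incident.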

Credits

This issue was discovered by Rack911.

Solution

This issue is resolved in the following builds:

11.40.1.3 & Greater
11.40.0.29 & Greater
11.38.2.13 & Greater

The 11.36 release of cPanel was not vulnerable to this issue.

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

Case 83501

Summary

Disallow g in MySQL GRANT statements during account restores.

Security Rating

cPanel has not assigned a Security Level to this issue.

Description

g has been added to the list of disallowed strings for MySQL grant restores. We would like to stress that this does not make restoration of packages from untrusted sources safe.

Credits

This issue was reported by Rack911.

Solution

This issue is resolved in the following builds:

11.40.1.3 & Greater
11.40.0.29 & Greater
11.38.2.13 & Greater
11.36.2.10 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

Case 83929

Summary

A cross-account XSRF attack against reseller override logins was possible via goto_uri.

Security Rating

cPanel has assigned a Security Level of Moderate to this vulnerability.

Description

Reseller accounts that log into the cPanel accounts they own using reseller override authentication have the ability to switch back to WHM or switch to the cPanel interfaces for other cPanel accounts they own. This functionality goes through special /xfer URLs inside cpsrvd. The /xfer URLs also permit specifying an optional destination URL on the other side of the switch between accounts and interfaces through a “goto_uri” query parameter. A malicious cPanel user could conduct XSRF attacks against a reseller logged into their account to combine an /xfer to a different account with a goto_uri destination that caused configuration changes inside the other account. This vulnerability has been addressed by limiting use of the goto_uri parameter to account and interface switches where privileges are being lowered.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.40.1.3 & Greater
11.40.0.29 & Greater
11.38.2.13 & Greater
11.36.2.10 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

For the PGP-signed message, see TSR-2013-0011-FullDisclosure.