The following disclosure covers the Targeted Security Release 2013-06-05. Each vulnerability is assigned an internal case number which is reflected below.
Information regarding the cPanel Security Level rankings can be found here: http://go.cpanel.net/securitylevels
Case 68189
Summary
An arbitrary file read and unlink vulnerability in cPanel, WHM, and Webmail.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
When logged into the cPanel, WHM, or Webmail interfaces, an attacker could supply crafted query parameters that appear to be file uploads with unusual paths. In some subsystems, these invalid file upload parameters allowed viewing or deleting the file at the target path.
This vulnerability was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.38.0.15 and greater
11.36.1.8 and greater
11.34.1.18 and greater
11.32.6.7 and greater
Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.
Case 68213
Summary
Self-XSS vulnerabilities in cPanel and WHM interfaces.
Security Rating
cPanel has assigned a Security Level of Minor to this vulnerability.
Description
Output filtering errors in the WHM Remote Nameserver interface and the cPanel FTP Management interface allowed JavaScript inputs to be returned to the browser without proper filtering.
cPanel includes a comprehensive protection mechanism against XSS and XSRF attacks called Security Tokens. Security Tokens protection is enabled by default in all installs of cPanel & WHM. When Security Tokens protection is enabled, an attacker intending to utilize this vulnerability must convince the victim to navigate their browser to the appropriate cPanel or WHM interface and manually input the JavaScript payload.
This vulnerability was discovered by Wong Chieh Yie (@wcypierrenet).
Solution
This issue is resolved in the following builds:
11.38.0.15 and greater
11.36.1.8 and greater
11.34.1.18 and greater
11.32.6.7 and greater
Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.
Case 68433
Summary
An XSS vulnerability in EntropyChat.
Security Rating
cPanel has assigned a Security Level of Minor to this vulnerability.
Description
EntropyChat is a web-based chat server available on cPanel & WHM systems. Output filtering errors in the EntropyChat server allowed one participant in a chat channel to send JavaScript payloads to other active participants in the chat channel.
This vulnerability was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.38.0.15 and greater
11.36.1.8 and greater
11.34.1.18 and greater
11.32.6.7 and greater
Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.
Case 68645
Summary
An SQL injection vulnerability in cpmysqladmin.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
Insufficient escaping of the user input parameter to multiple cpmysqladmin commands allowed a local attacker to execute arbitrary SQL commands with the MySQL access level of the root user.
This vulnerability was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.38.0.15 and greater
11.36.1.8 and greater
11.34.1.18 and greater
11.32.6.7 and greater
Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.
Case 68733
Summary
A WHM arbitrary file read via brandingimg.cgi.
Security Rating
cPanel has assigned a Security Level of Minor to this vulnerability.
Description
An authenticated WHM reseller with limited ACLs could read the contents of arbitrary files on the system by supplying crafted query parameters to brandingimg.cgi. The file read is performed with the effective UID and GID of the reseller. This vulnerability revealed sensitive data only when the reseller had extremely limited access to the local filesystem outside of the WHM interface.
This vulnerability was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.38.0.15 and greater
11.36.1.8 and greater
11.34.1.18 and greater
11.32.6.7 and greater
Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.
Case 68965
Summary
Reseller ACL checks were missing from multiple WHM interfaces.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
When creating a reseller account in WHM, the system administrator may limit the WHM functionality that is available to the reseller using the WHM ACL system. Multiple interfaces in WHM were found to lack explicit enforcement of the appropriate reseller ACLs for the functionality they provided. This allowed resellers without appropriate ACLs to enter translated phrases, access disk usage information, view email delivery data, and check for the existence of MySQL users.
The missing ACL checks in the translation system were discovered by Rack911.
The remaining missing ACL checks were discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.38.0.15 and greater
11.36.1.8 and greater
11.34.1.18 and greater
11.32.6.7 and greater
Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.
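Every case above lists the same four fixed builds, so a single version check covers the whole release. The script below is an added example, not cPanel tooling: the function names, the use of /usr/local/cpanel/version as the source of the installed version, and the treatment of tiers the advisory does not name are assumptions of this example.

```shell
#!/bin/sh
# Added example: check a cPanel & WHM version against the fixed builds in this advisory.
# Minimum fixed build per release tier, copied from the Solution sections (newest first).
FIXED_BUILDS="11.38.0.15 11.36.1.8 11.34.1.18 11.32.6.7"

# ver_ge A B: succeeds when four-field version A >= B, compared numerically
# (a plain string comparison would rank 11.34.1.9 above 11.34.1.18).
ver_ge() (
    IFS=.
    set -f
    set -- $1 $2            # $1..$4 = fields of A, $5..$8 = fields of B
    for n in 1 2 3 4; do
        if [ "$1" -gt "$5" ]; then return 0; fi
        if [ "$1" -lt "$5" ]; then return 1; fi
        shift               # move to the next pair of fields
    done
    return 0
)

# tsr_status VERSION: prints patched | vulnerable | unlisted | invalid.
tsr_status() (
    v=$1
    case $v in
        ''|*[!0-9.]*|.*|*.|*..*|*.*.*.*.*) echo invalid; return 0 ;;
        *.*.*.*) ;;
        *) echo invalid; return 0 ;;
    esac
    tier=${v%.*.*}          # 11.36.1.7 -> 11.36
    for fixed in $FIXED_BUILDS; do
        if [ "${fixed%.*.*}" = "$tier" ]; then
            # Same tier: the build must be at or above that tier's fixed build.
            if ver_ge "$v" "$fixed"; then echo patched; else echo vulnerable; fi
            return 0
        fi
    done
    # Tier not named in the advisory. Assumption: anything at or above the newest
    # listed build counts as "and greater"; older tiers have no fixed build listed.
    if ver_ge "$v" "${FIXED_BUILDS%% *}"; then echo patched; else echo unlisted; fi
)

# Assumption: the installed version is stored in /usr/local/cpanel/version;
# pass a version string as the first argument to check a different value.
ver=${1:-$(cat /usr/local/cpanel/version 2>/dev/null)}
if [ -n "$ver" ]; then echo "$ver: $(tsr_status "$ver")"; fi
```

A result of "unlisted" means the advisory names no fixed build for that release tier, so the system needs to move to one of the listed tiers or the latest public release.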
For the PGP Signed Version, please go here.