TSR Update

The following disclosure covers the Targeted Security Release 2013-06-05. Each vulnerability is assigned an internal case number which is reflected below.

Information regarding the cPanel Security Level rankings can be found here: http://go.cpanel.net/securitylevels

Case 68189

Summary

An arbitrary file read and unlink vulnerability in cPanel, WHM, and Webmail.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

When logged into the cPanel, WHM, or Webmail interfaces, an attacker could supply crafted query parameters that appeared to be file uploads with unusual paths. In some subsystems, these invalid file upload parameters allowed the file at the target path to be viewed or deleted.
This vulnerability was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.38.0.15 and greater
11.36.1.8 and greater
11.34.1.18 and greater
11.32.6.7 and greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

Case 68213

Summary

Self-XSS vulnerabilities in cPanel and WHM interfaces.

Security Rating

cPanel has assigned a Security Level of Minor to this vulnerability.

Description

Output filtering errors in the WHM Remote Nameserver interface and the cPanel FTP Management interface allowed JavaScript inputs to be returned to the browser without proper filtering.
cPanel includes a comprehensive protection mechanism against XSS and XSRF attacks called Security Tokens. Security Tokens protection is enabled by default in all installs of cPanel & WHM. When Security Tokens protection is enabled, an attacker intending to utilize this vulnerability must convince the victim to navigate their browser to the appropriate cPanel or WHM interface and manually input the JavaScript payload.
This vulnerability was discovered by Wong Chieh Yie (@wcypierrenet).

Solution

This issue is resolved in the following builds:

11.38.0.15 and greater
11.36.1.8 and greater
11.34.1.18 and greater
11.32.6.7 and greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

Case 68433

Summary

An XSS vulnerability in EntropyChat.

Security Rating

cPanel has assigned a Security Level of Minor to this vulnerability.

Description

EntropyChat is a web-based chat server available on cPanel & WHM systems. Output filtering errors in the EntropyChat server allowed one participant in a chat channel to send JavaScript payloads to other active participants in the chat channel.
This vulnerability was discovered by the cPanel Security Team.
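Cases 68213 and 68433 are both output-filtering defects: participant- or user-controlled text reached the browser without being encoded for the HTML context it was placed in. The following Python is an added illustration of the fix for that class of bug; it is not cPanel's or EntropyChat's code. The form, chat line and channel-bootstrap templates, and the sample inputs, are constructed for this example. It shows the three contexts a web interface usually writes untrusted text into (text node, quoted attribute, inline script string), each with its own encoder, plus a small helper that detects the symptom described in both cases: untrusted markup surviving into the rendered output.

```python
import html
import json

# Constructed sample inputs, not taken from the advisory: a hostname typed into
# a nameserver form and echoed back, and a message posted by a chat participant.
SAMPLE_NAMESERVER = 'ns1.example.com"><script>alert(1)</script>'
SAMPLE_CHAT_MESSAGE = "hello <b onmouseover=alert(1)>everyone</b>"


def escape_text(value: str) -> str:
    """Escape a value for an HTML text node: & < > " ' become entities."""
    return html.escape(value, quote=True)


def escape_attr(value: str) -> str:
    """Escape a value for a double-quoted HTML attribute. The same entity set
    suffices; the surrounding quotes belong to the template, never the input."""
    return html.escape(value, quote=True)


def escape_js_string(value: str) -> str:
    """Embed a value in an inline <script> as a JS string literal. json.dumps
    yields a quoted literal; '<' is additionally encoded so the input can never
    carry a literal '</script>' that would terminate the script block."""
    return json.dumps(value).replace("<", "\\u003c")


def render_nameserver_form(nameserver: str) -> str:
    """Echo the submitted hostname back into the form (attribute context).
    Vulnerable equivalent, for comparison: f'<input name="ns" value="{nameserver}">'"""
    return f'<input name="ns" value="{escape_attr(nameserver)}">'


def render_chat_line(sender: str, message: str) -> str:
    """Render one chat line that every participant will see (text context).
    Both the sender name and the message body are participant-controlled."""
    return f"<li><b>{escape_text(sender)}</b>: {escape_text(message)}</li>"


def render_chat_bootstrap(channel: str) -> str:
    """Hand a channel name to page script (JS string context)."""
    return f"<script>joinChannel({escape_js_string(channel)});</script>"


def leaks_markup(rendered: str, untrusted: str) -> bool:
    """Review/test helper: True if untrusted input containing '<' appears
    verbatim in the output, which is what an output-filtering bug looks like
    from the outside."""
    return "<" in untrusted and untrusted in rendered
```

The escaping is applied at the point of output, per context, rather than by trying to strip "bad" characters from input; stripping on input is what tends to leave gaps like the ones described above, because the same value is later written into several different contexts.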

Solution

This issue is resolved in the following builds:

11.38.0.15 and greater
11.36.1.8 and greater
11.34.1.18 and greater
11.32.6.7 and greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

Case 68645

Summary

An SQL injection vulnerability in cpmysqladmin.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

Insufficient escaping of the user input parameter to multiple cpmysqladmin commands allowed a local attacker to execute arbitrary SQL commands with the MySQL access level of the root user.
This vulnerability was discovered by the cPanel Security Team.
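The defect in case 68645 is a user-supplied value being escaped into SQL text instead of being bound as a parameter. The Python below is an added example of the vulnerable pattern next to the corrected one; it is not cpmysqladmin's code, and the `db_users` table is a constructed stand-in for MySQL's privilege tables, run on sqlite3 so the example works offline. It also covers the caveat that matters for an administration tool of this kind: user and database names that end up as identifiers (in CREATE USER, GRANT, CREATE DATABASE) cannot be bound as parameters at all, so they need a strict allowlist before quoting.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed schema standing in for the MySQL user table (not cPanel's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE db_users (user TEXT PRIMARY KEY, host TEXT)")
    conn.executemany(
        "INSERT INTO db_users VALUES (?, ?)",
        [("alice_app", "localhost"), ("bob_shop", "localhost")],
    )
    conn.commit()
    return conn


def user_exists_unsafe(conn: sqlite3.Connection, user: str) -> bool:
    """Vulnerable pattern: the caller-supplied value is spliced into the
    statement text, so a quote character in the input rewrites the query."""
    sql = f"SELECT COUNT(*) FROM db_users WHERE user = '{user}'"
    return conn.execute(sql).fetchone()[0] > 0


def user_exists(conn: sqlite3.Connection, user: str) -> bool:
    """Fixed pattern: the value travels as a bound parameter and is never
    parsed as SQL, whatever characters it contains."""
    sql = "SELECT COUNT(*) FROM db_users WHERE user = ?"
    return conn.execute(sql, (user,)).fetchone()[0] > 0


# Identifiers cannot be bound as parameters, so they are validated against an
# allowlist first. The length limit and character set here are assumptions
# chosen for the example.
IDENTIFIER_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def quote_identifier(name: str) -> str:
    """Return a quoted identifier, or raise if the name is outside the allowlist.
    Double quotes are the SQL-standard identifier quote; MySQL uses backticks."""
    if not IDENTIFIER_RE.fullmatch(name):
        raise ValueError(f"invalid identifier: {name!r}")
    return f'"{name}"'


def is_valid_identifier(name: str) -> bool:
    try:
        quote_identifier(name)
        return True
    except ValueError:
        return False


def create_user_table(conn: sqlite3.Connection, user: str) -> str:
    """Create a per-user table whose name is built from a validated identifier.
    The f-string is safe here only because quote_identifier has already
    rejected anything outside [A-Za-z0-9_]."""
    table = quote_identifier(f"{user}_data")
    conn.execute(f"CREATE TABLE {table} (id INTEGER PRIMARY KEY)")
    return table
```

Running the same crafted value through both lookup functions shows the difference: the interpolated query reports that a non-existent user "exists" because the input changed its WHERE clause, while the parameterised query simply reports no match.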

Solution

This issue is resolved in the following builds:

11.38.0.15 and greater
11.36.1.8 and greater
11.34.1.18 and greater
11.32.6.7 and greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

Case 68733

Summary

A WHM arbitrary file read via brandingimg.cgi.

Security Rating

cPanel has assigned a Security Level of Minor to this vulnerability.

Description

An authenticated WHM reseller with limited ACLs could read the contents of arbitrary files on the system by supplying crafted query parameters to brandingimg.cgi. The file read is performed with the effective UID and GID of the reseller. This vulnerability revealed sensitive data only when the reseller had extremely limited access to the local filesystem outside of the WHM interface.
This vulnerability was discovered by the cPanel Security Team.
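Cases 68189 and 68733 share a root cause: a path taken from a request parameter (an upload field or a query string) was used to open or unlink a file without first confirming that it resolved inside the directory the interface was meant to serve. The Python below is an added example of that containment check and of how an upload field name should be reduced to a bare file name; it is not cPanel's code, and the image directory, the outside file and the symlink in `build_demo` are constructed for the example. Symlinks are resolved before the check so that a link pointing out of the base directory is rejected just like a `..` traversal.

```python
import os
import tempfile


class PathEscape(ValueError):
    """Raised when a requested path would leave the permitted directory."""


def resolve_in_base(base_dir: str, requested: str) -> str:
    """Map a user-supplied relative path to a real path inside base_dir.
    realpath() resolves '..' segments and symlinks before the containment
    check, so the check sees where the open() would actually land."""
    base = os.path.realpath(base_dir)
    if os.path.isabs(requested):
        raise PathEscape(f"absolute path not allowed: {requested!r}")
    target = os.path.realpath(os.path.join(base, requested))
    if target == base or os.path.commonpath([base, target]) != base:
        raise PathEscape(f"path escapes {base}: {requested!r}")
    return target


def escapes(base_dir: str, requested: str) -> bool:
    """True if resolve_in_base rejects the request (used by the tests)."""
    try:
        resolve_in_base(base_dir, requested)
        return False
    except PathEscape:
        return True


def upload_file_name(field_value: str) -> str:
    """An upload field carries a file name, not a path: keep only the last
    component (after normalising Windows separators) and refuse dot names."""
    name = os.path.basename(field_value.replace("\\", "/"))
    if name in ("", ".", "..") or name.startswith("."):
        raise ValueError(f"invalid upload name: {field_value!r}")
    return name


def read_image(base_dir: str, requested: str) -> bytes:
    """Serve a file only if it resolves inside base_dir."""
    with open(resolve_in_base(base_dir, requested), "rb") as fh:
        return fh.read()


def delete_upload(base_dir: str, field_value: str) -> str:
    """Unlink an uploaded file by its bare name, never by a caller-supplied path."""
    target = resolve_in_base(base_dir, upload_file_name(field_value))
    os.unlink(target)
    return target


def build_demo():
    """Constructed layout: an image directory, a file outside it, and a symlink
    inside the directory that points at the outside file."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "images")
    os.makedirs(base)
    outside = os.path.join(root, "outside.txt")
    with open(outside, "w") as fh:
        fh.write("not served from here\n")
    with open(os.path.join(base, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG")
    os.symlink(outside, os.path.join(base, "link"))
    return base, outside
```

Two details are worth noting. The check compares resolved paths with `os.path.commonpath` rather than a string prefix, because a prefix test would accept a sibling directory such as `images2` when the base is `images`. And as the description of case 68733 points out, such a read runs with the caller's own UID and GID, so this check is about what the interface exposes, not a substitute for filesystem permissions.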

Solution

This issue is resolved in the following builds:

11.38.0.15 and greater
11.36.1.8 and greater
11.34.1.18 and greater
11.32.6.7 and greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

Case 68965

Summary

Reseller ACL checks were missing from multiple WHM interfaces.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

When creating a reseller account in WHM, the system administrator may limit the WHM functionality that is available to the reseller using the WHM ACL system. Multiple interfaces in WHM were found to lack explicit enforcement of the appropriate reseller ACLs for the functionality they provided. This allowed resellers without appropriate ACLs to enter translated phrases, access disk usage information, view email delivery data, and check for the existence of MySQL users.
The missing ACL checks in the translation system were discovered by Rack911.
The remaining missing ACL checks were discovered by the cPanel Security Team.
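The pattern in case 68965, several interfaces each forgetting to enforce the reseller ACL they needed, is what a central, declare-at-registration design is meant to prevent. The Python below is an added illustration of that design, not WHM's code: every handler must name the ACL it requires when it is registered, the check runs once in the dispatcher rather than inside each handler, unknown users and unknown ACLs are denied by default, and a handler that declares no ACL cannot be registered at all. The reseller accounts and ACL names (`view-disk-usage`, `edit-locale`) are hypothetical and chosen for this example; they are not WHM's real ACL identifiers.

```python
class AccessDenied(PermissionError):
    """Raised when the calling reseller lacks the ACL a handler requires."""


# Constructed ACL table. Accounts and ACL names are hypothetical, not WHM's.
RESELLER_ACLS = {
    "root": {"all"},
    "reseller_a": {"view-disk-usage", "edit-locale"},
    "reseller_b": {"view-disk-usage"},
}


class Dispatcher:
    """Central ACL enforcement: the required ACL is declared with the handler
    and checked in call(), so no individual interface can omit the check."""

    def __init__(self, acl_table):
        self.acl_table = acl_table
        self.handlers = {}

    def route(self, name, *, acl):
        # Refusing registration without an ACL turns "forgot the check" from a
        # silent authorisation gap into an error at startup.
        if not acl:
            raise ValueError(f"handler {name!r} must declare a required ACL")

        def register(fn):
            self.handlers[name] = (acl, fn)
            return fn

        return register

    def has_acl(self, user, acl):
        # Unknown users get an empty set: deny by default.
        granted = self.acl_table.get(user, set())
        return "all" in granted or acl in granted

    def call(self, user, name, *args, **kwargs):
        if name not in self.handlers:
            raise KeyError(f"no such interface: {name}")
        acl, fn = self.handlers[name]
        if not self.has_acl(user, acl):
            raise AccessDenied(f"{user} lacks ACL {acl!r} required by {name}")
        return fn(*args, **kwargs)


dispatcher = Dispatcher(RESELLER_ACLS)


@dispatcher.route("disk_usage", acl="view-disk-usage")
def disk_usage(account):
    # Constructed return value; a real handler would query the system.
    return {"account": account, "used_mb": 120}


@dispatcher.route("set_phrase", acl="edit-locale")
def set_phrase(key, phrase):
    return {"key": key, "phrase": phrase, "saved": True}


def denied(user, name, *args):
    """True if the dispatcher refuses the call on ACL grounds (used by tests)."""
    try:
        dispatcher.call(user, name, *args)
        return False
    except AccessDenied:
        return True


def registration_without_acl_fails():
    """True if the dispatcher rejects a handler that declares no ACL."""
    try:
        dispatcher.route("unprotected", acl="")
        return False
    except ValueError:
        return True
```

The useful property for review is that the list of interfaces and their required ACLs lives in one table (`dispatcher.handlers`), so an audit for missing checks becomes a comparison of that table against the interface list rather than a read-through of every handler.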

Solution

This issue is resolved in the following builds:

11.38.0.15 and greater
11.36.1.8 and greater
11.34.1.18 and greater
11.32.6.7 and greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

For the PGP Signed Version, please go here.