Case 84385
Summary
Arbitrary code execution as cpanel-horde user via cache file poisoning.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
The Horde Webmail interface accessible to cPanel and Webmail accounts uses PHP serialized cache files to speed up some backend operations. By default these cache files were stored in the world-writable /tmp directory with predictable names. A malicious local attacker could pre-create the cache files inside /tmp so that Horde would later unserialize attacker-controlled data, potentially leading to arbitrary code execution as the cpanel-horde user.
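The defensive counterpart to this class of bug, as an added Python example that is neither cPanel's nor Horde's code: a cache directory that is created with a random name and mode 0700, cache files that are created with O_EXCL so a pre-planted file is never reused, and a read path that only trusts a regular file owned by the current user that nobody else can write. The file names, the PHP-serialized sample strings and the demo() scenario are constructed for illustration; the cache layout is an assumption, not Horde's real one.

```python
import os
import stat
import tempfile
from typing import Optional

# Assumed layout for this example (not Horde's real cache layout):
# one serialized entry per file, <cache_dir>/<name>.cache.

def private_cache_dir() -> str:
    """Create a per-user cache directory nobody else can write or predict.

    tempfile.mkdtemp() creates the directory with mode 0700 and a random
    suffix, so another local user can neither pre-create it nor guess the
    paths of the files inside it.
    """
    return tempfile.mkdtemp(prefix="cache-%d-" % os.getuid())

def open_cache_for_write(path: str):
    # O_CREAT|O_EXCL fails if anything already exists at `path`, so a file
    # planted before we ran is never silently reused; O_NOFOLLOW refuses a
    # planted symlink.  Mode 0600 keeps the contents private to our uid.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    return os.fdopen(os.open(path, flags, 0o600), "wb")

def load_cache(path: str) -> Optional[bytes]:
    """Return the cache bytes only if the file is safe to trust, else None.

    The checks run on the descriptor we actually read from (fstat after
    open), so there is no window between a stat() check and a later open().
    """
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)   # ELOOP on a symlink
    except OSError:
        return None
    with os.fdopen(fd, "rb") as fh:
        st = os.fstat(fh.fileno())
        if not stat.S_ISREG(st.st_mode):                  # no FIFOs, devices, ...
            return None
        if st.st_uid != os.getuid():                      # someone else created it
            return None
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):    # others can rewrite it
            return None
        return fh.read()

def demo() -> dict:
    """Constructed scenario: one legitimate cache file and two planted ones."""
    base = private_cache_dir()
    results = {}

    good = os.path.join(base, "good.cache")
    with open_cache_for_write(good) as fh:
        fh.write(b'a:1:{s:3:"key";s:5:"value";}')   # constructed PHP-serialized sample
    results["good_loaded"] = load_cache(good) is not None

    # Attacker-style pre-created file with a predictable name, world-writable.
    planted = os.path.join(base, "planted.cache")
    with open(planted, "wb") as fh:
        fh.write(b'O:4:"Evil":0:{}')                 # constructed object payload
    os.chmod(planted, 0o666)
    results["planted_rejected"] = load_cache(planted) is None
    try:
        open_cache_for_write(planted)
        results["excl_refused"] = False
    except FileExistsError:
        results["excl_refused"] = True

    # Attacker-style symlink pointing at a file we did not write.
    link = os.path.join(base, "link.cache")
    os.symlink("/etc/hostname", link)
    results["symlink_rejected"] = load_cache(link) is None
    return results
```

The ownership and mode checks are done on the opened descriptor rather than on the path, because a check-then-open sequence on a path in a shared directory can be raced by another local user.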
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.42.0.4
11.40.1.10
11.38.2.16
Case 86341
Summary
Arbitrary file read as root during cPanel account creation for ACL limited resellers.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
An ACL limited reseller could send crafted inputs to WHM’s account creation functionality that combined multiple path traversal attacks in the package extensions subsystem. The flaw stored the contents of the file reached by the traversal into the new account’s cpuser file.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.42.0.4
11.40.1.10
Case 86381
Summary
Disclosure of root’s accesshash to ACL limited resellers via WHM xml-api.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
Reseller accounts, regardless of their ACLs, were able to retrieve and alter root’s accesshash credentials via the get_remote_access_hash XML-API command by supplying empty user and password arguments.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.42.0.4
11.40.1.10
11.38.2.16
Case 86453
Summary
Injection of arbitrary settings into cpuser files via account creation.
Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.
Description
The WHM /scripts5/wwwacctform interface allowed the injection of newlines into the ‘locale’ and ‘cpmod’ parameters. These injections could be used to set values in the newly created account’s cpuser file that were not permissible with a reseller’s ACL restrictions.
Credits
This issue was discovered by Rack911.
Solution
This issue is resolved in the following builds:
11.42.0.4
11.40.1.10
11.38.2.16
Case 86461
Summary
Overwriting of trusted inputs to third party hooks scripts.
Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.
Description
An ACL limited reseller could provide additional form inputs to WHM’s create and modify account interfaces containing null bytes in the parameter name. When these inputs were passed on to third party hook scripts through an exec() call, the null byte terminated the string, so the additional parameter names were truncated until they collided with parameter names that third party hook scripts normally treat as trusted.
Third party hook scripts are provided the raw inputs to the functions they extend and are responsible for validating these inputs. Since null bytes do not transfer through the hook script interface correctly, any form parameter names submitted with null bytes will now result in an error.
Credits
This issue was discovered by Rack911.
Solution
This issue is resolved in the following builds:
11.42.0.4
11.40.1.10
11.38.2.16
Case 86857
Summary
Limited arbitrary file overwrite for ACL limited resellers via domain parking.
Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.
Description
The owner parameter to the WHM /scripts/park interface was not correctly validated. By injecting a path traversal attack into this parameter, reseller accounts with the ‘park-dns’ ACL could overwrite arbitrary files on the system with a Perl storable file with predictable contents.
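Both Case 86341 (combined traversals in the package extensions subsystem) and Case 86857 (traversal in the owner parameter) come down to untrusted strings becoming path components. The following added Python example, not cPanel's code, shows the two checks a practitioner would want: a whitelist for names that are supposed to be plain identifiers, and a join that verifies the resolved path still lies under the intended base directory. The naming rule, the base directory and the inputs in attempts() are assumptions constructed for illustration.

```python
import os
import re

class UnsafePath(ValueError):
    """Raised for any input that could leave the intended directory."""

# Assumed naming rule for owner/reseller names in this example; cPanel's
# real rule is not given on this page.
_NAME_RE = re.compile(r"[a-z][a-z0-9_]{0,15}")

def name_is_valid(name: str) -> bool:
    """Whitelist check for names that become path components.

    A whitelist is stronger than searching for '..': it also rejects '/',
    NUL and look-alike Unicode before any filesystem call sees the value.
    """
    return isinstance(name, str) and _NAME_RE.fullmatch(name) is not None

def safe_join(base: str, *parts: str) -> str:
    """Join untrusted components under `base`; prove the result stays inside.

    Every component must be exactly one path element, and the *resolved*
    target (after symlinks and '..' are collapsed) must sit below the
    resolved base.  Checking the resolved path catches combined traversals,
    where each piece looks harmless on its own.
    """
    for p in parts:
        if not p or p in (".", "..") or "/" in p or "\\" in p or "\0" in p:
            raise UnsafePath("bad path component: %r" % (p,))
    root = os.path.realpath(base)
    target = os.path.realpath(os.path.join(root, *parts))
    if target != root and not target.startswith(root + os.sep):
        raise UnsafePath("%r escapes %r" % (target, root))
    return target

def attempts(base: str) -> dict:
    """Constructed inputs modelled on a package-extension lookup: {label: accepted?}."""
    cases = {
        "plain": ("mypkg", "settings"),
        "owner_name": ("reseller1",),
        "dotdot_components": ("..", "..", "etc", "passwd"),
        "slash_inside": ("mypkg/../../etc", "passwd"),
        "nul_inside": ("mypkg\0", "settings"),
        "owner_traversal": ("../../etc/passwd",),
    }
    out = {}
    for label, parts in cases.items():
        try:
            safe_join(base, *parts)
            out[label] = True
        except UnsafePath:
            out[label] = False
    return out
```

For a value such as the owner name, name_is_valid() alone is the right check; safe_join() is the fallback for components that legitimately carry more varied characters.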
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.42.0.4
11.40.1.10
11.38.2.16
Case 87317
Summary
Arbitrary code execution as root for ACL limited resellers via cluster configuration interfaces.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
Resellers with the ‘clustering’ ACL could inject data using newlines and NUL bytes into the form parameters of the cluster configuration interfaces. This flaw could then be leveraged to execute arbitrary code as root via string eval()s in various other interfaces.
Credits
This issue was discovered by Rack911.
Solution
This issue is resolved in the following builds:
11.42.0.4
11.40.1.10
11.38.2.16
Case 87433
Summary
Injection of arbitrary settings into cpuser files via mxcheck setting.
Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.
Description
The WHM /script2/savemx and /cgi/zoneeditor.cgi interfaces allowed resellers with the “edit-mx” or “edit-dns” ACLs to modify the mxcheck setting for accounts under their control. By injecting newlines into this setting, a malicious reseller could alter other settings for the account that are stored in the account’s cpuser file.
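Cases 86453, 87317 and 87433 all inject newlines (and, in 87317, NUL bytes) into values that are written to a line-oriented settings file, and Case 86461 relies on NUL truncation of parameter names across an exec() boundary. The following added Python example, not cPanel's code, shows the vulnerable writer beside a hardened one and models what a NUL-containing name looks like to a hook script. The cpuser-style file format, the allow-list and the key names LOCALE, CPTHEME and MAXPARK are assumptions constructed for illustration.

```python
import re

class InjectionError(ValueError):
    """Raised when form input could alter the structure of the record."""

# Assumed cpuser-style format for this example (the real file has more rules):
# one KEY=value per line, KEY drawn from a fixed set.
_KEY_RE = re.compile(r"[A-Z][A-Z0-9_]*")
_PARAM_RE = re.compile(r"[A-Za-z0-9_\-]+")

def naive_render(settings: dict) -> str:
    """Vulnerable writer: a newline in a value ends the line and starts a new key."""
    return "".join("%s=%s\n" % (k, v) for k, v in settings.items())

def parse(text: str) -> dict:
    """Reader side, where the smuggled line becomes a real setting."""
    out = {}
    for line in text.splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            out[k] = v
    return out

def validate_value(v: str) -> str:
    # LF and CR end a record; NUL is where a C string (exec() argv) stops.
    if any(c in v for c in "\r\n\0"):
        raise InjectionError("control character in value: %r" % (v,))
    return v

def safe_render(settings: dict, allowed_keys: frozenset) -> str:
    """Hardened writer: keys must be in a fixed allow-list, values are checked.

    Rejecting is preferable to stripping: a value with a newline in it is
    not a legitimate locale or theme name, and silently "fixing" it hides
    the attempt.
    """
    lines = []
    for k, v in settings.items():
        if not _KEY_RE.fullmatch(k) or k not in allowed_keys:
            raise InjectionError("key not permitted: %r" % (k,))
        lines.append("%s=%s\n" % (k, validate_value(str(v))))
    return "".join(lines)

def as_seen_by_c_string(name: str) -> str:
    """What a NUL-containing parameter name becomes past an exec() boundary.

    argv strings are NUL-terminated, so 'owner\\0evil' and 'owner' are the
    same string to the hook script that receives them.
    """
    return name.split("\0", 1)[0]

def param_name_ok(name: str) -> bool:
    """Reject names that would collapse onto a trusted one after truncation."""
    return "\0" not in name and _PARAM_RE.fullmatch(name) is not None

# Constructed request: the reseller is allowed to set LOCALE and CPTHEME only.
ALLOWED = frozenset({"LOCALE", "CPTHEME"})
SUBMITTED = {"LOCALE": "en\nMAXPARK=unlimited", "CPTHEME": "x3"}

def naive_injection_demo() -> dict:
    """Settings the account ends up with when the naive writer is used."""
    return parse(naive_render(SUBMITTED))

def hardened_rejects() -> bool:
    try:
        safe_render(SUBMITTED, ALLOWED)
        return False
    except InjectionError:
        return True
```

The same validate_value() check belongs on every path that writes the file, including the mxcheck and cluster configuration paths, since the reader cannot tell an injected line from a legitimate one.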
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.42.0.4
11.40.1.10
11.38.2.16
Case 87437
Summary
ACL limited resellers allowed to disable digest authentication for arbitrary accounts.
Security Rating
cPanel has assigned a Security Level of Minor to this vulnerability.
Description
Due to a lack of ACL enforcement, an ACL limited reseller could disable digest authentication for any account on the system using WHM’s XML-API. The ACL protections for this functionality have been updated to require that ACL limited resellers own any accounts they modify in this fashion.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.42.0.4
11.40.1.10
11.38.2.16
Case 87625
Summary
ACL limited resellers allowed to restore backups for the accounts they control.
Security Rating
cPanel has assigned a Security Level of Minor to this vulnerability.
Description
The WHM XML-API allowed all resellers to restore backups for any accounts they own. The equivalent functionality in WHM’s HTML interfaces restricted the ability to restore accounts from backups to resellers with the “all” ACL.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.42.0.4
11.40.1.10
11.38.2.16
Case 88061
Summary
Mis-assignment of IP addresses for ACL limited resellers via createacct.
Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.
Description
With certain combinations of IP delegations and free IP address space, reseller accounts with the ‘add-pkg-ip’ ACL could install new accounts onto IP addresses delegated to another reseller. This might allow a malicious reseller account to capture web traffic intended for other accounts on the system.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.42.0.4
11.40.1.10
11.38.2.16
Case 88341
Summary
Arbitrary code execution for ACL limited resellers during account creation.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
A flaw in the new account creation process resulted in the Ruby ‘gem’ command running with the effective UID of the newly created user and the real UID of root. Because the real UID was still root, code running in that process could regain an effective UID of 0 with a single setuid() call, so the partial privilege drop offered no protection. A malicious reseller account could leverage this flaw to execute arbitrary Ruby code with root’s UID during the account creation process.
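The correct way to hand a child process to an unprivileged user, as an added Python example that is not cPanel's code: set the real, effective and saved IDs together with setresuid()/setresgid(), in the right order, and verify the result before exec(). The uid/gid values and the (real, effective, saved) triples in demo_states() are constructed for illustration; run_as_user() assumes the caller starts as root.

```python
import os
import subprocess

def fully_dropped(resuid, resgid, uid: int, gid: int) -> bool:
    """True only when real, effective AND saved IDs all equal the target's.

    If any of the three is still 0, the process (or the Ruby code it runs)
    can call setuid(0)/seteuid(0) and be root again; (ruid=0, euid=user) is
    exactly the state this advisory describes.
    """
    return all(u == uid for u in resuid) and all(g == gid for g in resgid)

def drop_privileges(uid: int, gid: int) -> None:
    """Permanently become `uid`/`gid`.  The order matters:

    1. setgroups() needs root, so it goes first.
    2. Groups before uid: once the uid changes, gids can no longer be set.
    3. setresuid() sets real, effective and saved uid together, leaving no
       saved root uid to return to.
    4. Re-read the IDs and fail closed if anything is still privileged.
    """
    os.setgroups([gid])
    os.setresgid(gid, gid, gid)
    os.setresuid(uid, uid, uid)
    if not fully_dropped(os.getresuid(), os.getresgid(), uid, gid):
        raise RuntimeError("privilege drop incomplete: %r %r"
                           % (os.getresuid(), os.getresgid()))

def run_as_user(argv, uid: int, gid: int) -> subprocess.CompletedProcess:
    """Run e.g. ['gem', 'install', ...] with every uid set to the user.

    preexec_fn runs in the child between fork() and exec(), so the parent
    keeps root for the rest of account creation and the child never has it.
    Requires root to start with; an unprivileged caller fails in preexec_fn.
    """
    return subprocess.run(argv, preexec_fn=lambda: drop_privileges(uid, gid), check=True)

def demo_states() -> dict:
    """Constructed (real, effective, saved) triples for uid 1001, gid 1001."""
    g = (1001, 1001, 1001)
    return {
        "advisory_state": fully_dropped((0, 1001, 0), g, 1001, 1001),   # seteuid() only
        "saved_root": fully_dropped((1001, 1001, 0), g, 1001, 1001),    # setreuid() only
        "correct": fully_dropped((1001, 1001, 1001), g, 1001, 1001),    # setresuid()
    }
```

The post-drop check in step 4 is the part most often omitted; it turns a silent partial drop of the kind described above into an immediate failure.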
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.42.0.4
11.40.1.10
11.38.2.16
Multiple Cases (55)
Summary
Multiple XSS vulnerabilities in various interfaces.
Description
Output filtering errors in several different interfaces allowed JavaScript inputs to be returned to the browser without proper filtering. The affected interfaces are listed below.
Case: 84633
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/htaccess/deluser.html, /frontend/x3/indexmanager/changepro.html, /frontend/x3/indexmanager/dohtaccess.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 84877
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /scripts3/initial_setup_wizard4
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Christy Philip Mathew
Case: 84881
Security Rating: Moderate
XSS Type: Stored
Interface: cPanel
URLs: /frontend/x3/mail/def.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Christy Philip Mathew
Case: 84885
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /x3/mail/filters/editfilter.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Christy Philip Mathew
Case: 84893
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/mail/conf.html, /frontend/x3/mail/saveconf.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Christy Philip Mathew
Case: 84897
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/stats/detailsubbw.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Christy Philip Mathew
Case: 84901
Security Rating: Moderate
XSS Type: Stored
Interface: cPanel
URLs: /frontend/x3/cpanelpro/filelist-thumbs.html, /frontend/paper_lantern/cpanelpro/filelist-thumbs.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Christy Philip Mathew
Case: 85029
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/mail/csvimport.html, /frontend/x3/mail/csvimport-step2.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Shubham Mittal
Case: 85133
Security Rating: Moderate
XSS Type: Stored
Interface: cPanel
URLs: /frontend/x3/filemanager/editit.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Shubham Mittal
Case: 85177
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/cgi/Clock/docode.html, /frontend/x3/cgi/Countdown/docode.htm, /frontend/x3/cgi/Counter/docode.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Paweł Hałdrzyński
Case: 85229
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/psql/deldb.html, /frontend/x3/psql/deldb.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 85249
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/psql/addusertodb.html, /frontend/x3/psql/addusertodb.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 85273
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/mime/addhotlink.html
Affected Releases: 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 85457
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/mail/editmsgs.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Ankit Mittal
Case: 85461
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/mail/showq.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Ankit Mittal
Case: 85589
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /scripts2/dotweaksettings
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Ernesto Martin
Case: 85977
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /scripts/addpkg2
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Olivier Beg
Case: 85985
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /scripts2/edit_sourceipcheck, /x3/security/security-questions.html, /paper_lantern/security/security-questions.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: Olivier Beg
Case: 86329
Security Rating: Important
XSS Type: Stored
Interface: WHM
URLs: /scripts/doeditmx
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 87081
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/mime/add_redirect.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: SimranJeet Singh
Case: 87417
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/err/erredit.html, /frontend/x3/filemanager/editit.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: SimranJeet Singh
Case: 87457
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /cgi/cpaddons_feature.pl
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88093
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/backup/fullbackup.html, /frontend/x3/backup/wizard-fullbackup.html, /frontend/paper_lantern/backup/fullbackup.html, /frontend/paper_lantern/backup/wizard-fullbackup.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88097
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/backup/doupload.html, /frontend/paper_lantern/backup/doupload.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88129
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/backup/dosqlupload.html, /frontend/paper_lantern/backup/dosqlupload.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88133
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/backup/doafupload.html, /frontend/paper_lantern/backup/doafupload.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88137
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/backup/wizard-dofullbackup.html, /frontend/x3/backup/dofullbackup.html, /frontend/paper_lantern/backup/wizard-dofullbackup.html, /frontend/paper_lantern/backup/dofullbackup.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88141
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/denyip/add.html, /frontend/x3/denyip/add.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88145
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/denyip/del.html, /frontend/x3/denyip/del.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88149
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/denyip/index.html, /frontend/x3/denyip/index.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88153
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/cpanelpro/filelist-convert.html, /frontend/paper_lantern/cpanelpro/filelist-scale.html, /frontend/paper_lantern/cpanelpro/filelist-thumbs.html, /frontend/x3/cpanelpro/filelist-convert.html, /frontend/x3/cpanelpro/filelist-scale.html, /frontend/x3/cpanelpro/filelist-thumbs.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88157
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/files/savefile.html, /frontend/x3/files/savefile.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88165
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/files/extractfile.html, /frontend/paper_lantern/files/extractfile.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88173
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/files/showfile.html, /frontend/x3/files/showfile.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88181
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/fp/addfp.html, /frontend/paper_lantern/fp/delfp.html, /frontend/x3/fp/addfp.html, /frontend/x3/fp/delfp.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88209
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/htaccess/leechprotect/dohtaccess.html, /frontend/paper_lantern/htaccess/leechprotect/doleech.html, /frontend/x3/htaccess/leechprotect/dohtaccess.html, /frontend/x3/htaccess/leechprotect/doleech.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88213
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/net/dnslook.html, /frontend/x3/net/dnslook.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88229
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/park/dodelparked.html, /frontend/x3/park/dodelparked.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88253
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/psql/deluserfromdb.html, /frontend/x3/psql/deluserfromdb.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88257
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/stats/analog.html, /frontend/x3/stats/analog.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88261
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/addon/saveredirect.html, /frontend/x3/addon/saveredirect.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88265
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/subdomain/doadddomain.html, /frontend/x3/subdomain/doadddomain.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88269
Security Rating: Moderate
XSS Type: Stored
Interface: cPanel
URLs: /frontend/x3/addoncgi/cpaddons.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88277
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/sql/PhpMyAdmin.html, /frontend/paper_lantern/backup/index.html, /frontend/x3/sql/PhpMyAdmin.html, /frontend/x3/backup/index.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88281
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/mail/queuesearch.html, /frontend/x3/mail/queuesearch.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88285
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/cpanelpro/changestatus.html, /frontend/x3/cpanelpro/changestatus.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88289
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/mail/editmsg.html, /frontend/x3/mail/editmsg.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88293
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/cpanelpro/editmsgs.html, /frontend/x3/cpanelpro/editmsgs.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88297
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/cpanelpro/msgaction.html, /frontend/x3/cpanelpro/msgaction.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88301
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/mail/resetmsg.html, /frontend/x3/mail/resetmsg.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88305
Security Rating: Moderate
XSS Type: Stored
Interface: cPanel
URLs: /frontend/paper_lantern/mail/conf.html, /frontend/x3/mail/conf.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88309
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/mail/showlog.html, /frontend/x3/mail/showlog.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88313
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/mail/showmsg.html, /frontend/x3/mail/showmsg.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88321
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/cpanelpro/editlists.html, /frontend/x3/cpanelpro/editlists.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
Case: 88325
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/mail/conf.html, /frontend/x3/mail/conf.html
Affected Releases: 11.42.0, 11.40.1, 11.38.2
Reporter: cPanel Security Team
cPanel includes a comprehensive protection mechanism against XSS and XSRF attacks called Security Tokens. Security Tokens protection is enabled by default in all installs of cPanel & WHM. When Security Tokens protection is enabled, an attacker intending to utilize any self-XSS vulnerabilities must convince the victim to navigate their browser to the appropriate cPanel or WHM interface and manually input the JavaScript payload.
Credits
These issues were discovered by the respective reporters listed above.
Solution
These issues are resolved in the following builds:
11.42.0.4
11.40.1.10
11.38.2.16
For the PGP-signed message, see TSR-2014-0001-Full-Disclosure.