cPanel TSR-2014-2004 Full Disclosure

[Administrator]

TSR-2014-0004 Full Disclosure

Case 78301

Summary

Correct patch for CVE-2002-1575 in cgiemail.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

cPanel & WHM includes a copy of Bruce Lewis’ cgiemail version 1.6. This version of cgiemail was vulnerable to CVE-2002-1575, allowing remote unauthenticated attackers to send email using the cgiemail script to destination addresses of the attackers’ choosing.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.43.0.12
11.42.1.16
11.40.1.14

Case 92733

Summary

Session file name disclosure via SafeFile command line rewriting.

Security Rating

cPanel has assigned a Security Level of Moderate to this vulnerability.

Description

The SafeFile functionality of cPanel provides for safe file locking and opening. When attempting to obtain a lock on a file, the executable name ($0) was set to include the target file name for debugging purposes. This exposed potentially sensitive session information.

Credits

This issue was discovered by Rack911.

Solution

This issue is resolved in the following builds:
11.43.0.12
11.42.1.16
11.40.1.14

Case 92745

Summary

Private SSH key passwords disclosed during key generation and import.

Security Rating

cPanel has assigned a Security Level of Minor to this vulnerability.

Description

The cPanel & WHM API1 and API2 calls that imported, generated, and converted SSH keys using the ssh-keygen binary supplied the password for the private key using command line arguments. This revealed the private password to other accounts on the system while ssh-keygen was executing.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.43.0.12
11.42.1.16
11.40.1.14

Case 93017

Summary

Arbitrary Code Execution via WHM Thirdparty Service Calls.

Security Rating

cPanel has assigned a Security Level of Moderate to this vulnerability.

Description

The WHM /scripts2/showservice and /scripts2/saveservice URLs took a module name from the user and attempted to load it via an unsafe string eval. Using a carefully crafted module name, a malicious authenticated reseller could execute arbitrary code as root.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.43.0.12
11.42.1.16
11.40.1.14

Case 93021

Summary

Arbitrary code execution via Cpanel::Thirdparty::serviceinfo API call.

Security Rating

cPanel has assigned a Security Level of Minor to this vulnerability.

Description

The Cpanel::Thirdparty::serviceinfo API1 call took a module name from the user and attempted to load it via an unsafe string eval. Using a carefully crafted module name, an authenticated cPanel user could execute arbitrary code, potentially bypassing other restrictions placed on the account.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.43.0.12
11.42.1.16
11.40.1.14

Case 93269

Summary

Transfer CGI scripts allow downloads of a cPanel account.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

The WHM ‘Copy an Account From Another Server With an Account Password’ functionality will first attempt to use XML-API calls to generate and download a backup of the remote account. Should this call fail, a fallback method using FTP and HTTP will be attempted. Under some circumstances, the CGI scripts utilized by this fallback method would remain installed on the account after the transfer was complete, potentially allowing remote attackers to download a copy of the transferred account.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.42.1.16
11.40.1.14

Case 94077

Summary

Denial of service via Boxtrapper cgi-sys script.

Security Rating

cPanel has assigned a Security Level of Moderate to this vulnerability.

Description

The Boxtrapper bxd.cgi script used to confirm an email for delivery did not properly validate the account parameter passed to it by the user. By injecting null values into this parameter, an unauthenticated attacker could trigger an infinite loop in the script, potentially exhausting server resources.

Credits

This issue was discovered by Rack911.

Solution

This issue is resolved in the following builds:
11.43.0.12
11.42.1.16
11.40.1.14

Case 95617

Summary

Arbitrary database access via cpmysqladmin ADDDBPRIVS command.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

The cpmysqladmin ‘ADDDBPRIVS’ command allowed cPanel users to add read and write privileges to a database. Ownership of the specified database was not properly validated during this process, allowing the user to read and write any database on the system.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.42.1.16
11.40.1.14

Case 96301

Summary

Arbitrary permissions change via fixsuexeccgiscripts script.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

The fixsuexeccgiscripts script run during the nightly UPCP process on cPanel & WHM systems scanned Apache’s suexec_log for indications of misconfigured CGI scripts. Scripts that generated errors were automatically set to 0755 permissions. The functionality that changed permissions on defective scripts performed insufficient validation of the targets, allowing a local attacker to set any file on the system to 0755 permissions.

Credits

This issue was discovered by Rack911.

Solution

This issue is resolved in the following builds:
11.43.0.12
11.42.1.16
11.40.1.14

Case 96381

Summary

Arbitrary file ownership change via chownpublichtmls script.

Security Rating

cPanel has assigned a Security Level of Moderate to this vulnerability.

Description

The chownpublichtmls script is intended to correct the ownership on users’ public_html directories. This script used an obsolete version of the safe_recchmod() function that was vulnerable to a race condition attack. This could allow a local attacker change the ownership of arbitrary files.

Credits

This issue was discovered by Rack911.

Solution

This issue is resolved in the following builds:
11.43.0.12
11.42.1.16
11.40.1.14

Case 96541

Summary

Arbitrary code execution as root via WHM “Check and Repair a Perl Script”.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

The Check and Repair Perl Script functionality of WHM was vulnerable to a Time-of-check/Time-of-use attack. The UID this functionality would execute under was determined by a simple stat of the target file, followed by the execution of the script using “perl -c”. A local attacker could leverage this flaw to execute arbitrary code as root when this interface was used on a script under the attacker’s control.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.43.0.12
11.42.1.16
11.40.1.14

Case 96697

Summary

Arbitrary permissions change via multiple scripts.

Security Rating

cPanel has assigned a Security Level of Moderate to this vulnerability.

Description

Obsolete versions of several functions provided by the Cpanel::SafetyBits module were duplicated inside the safetybits.pl script and used in several command line scripts provided with cPanel & WHM. The obsolete versions of these functions allowed a local attacker to change the permissions on arbitrary files under some circumstances.

Credits

This issue was discovered by Rack911.

Solution

This issue is resolved in the following builds:
11.43.0.12
11.42.1.16
11.40.1.14

Case 97289

Summary

Bypass of local zone ownership restrictions via DNS clustering commands.

Security Rating

cPanel has assigned a Security Level of Minor to this vulnerability.

Description

The DNS clustering commands allow for DNS zones to be synced across a cluster. When a zone is owned by a local user, these commands restrict modification of the zone to the reseller account that owns the zone and reseller accounts with the “All” ACL. This functionality was subject to several flaws that allowed an authenticated attacker with the “Clustering” ACL to modify zones belonging to other resellers on the system.

Credits

This issue was discovered by Rack911.

Solution

This issue is resolved in the following builds:
11.43.0.12
11.42.1.16
11.40.1.14

Case 97293

Summary

Miscategorization of DNS Clustering ACL.

Security Rating

cPanel has assigned a Security Level of Minor to this vulnerability.

Description

The “Clustering” ACL in the WHM Edit Reseller Nameservers and Privileges interface was miscategorized under the “Standard Privileges” grouping. This ACL should be listed under the “Super Privileges” grouping since the ACL is intended for sensitive DNS clustering configuration and synchronization operations that bypass many restrictions on DNS zone modifications.

Credits

This issue was discovered by Rack911.

Solution

This issue is resolved in the following builds:
11.43.0.12
11.42.1.16
11.40.1.14

Case 97737

Summary

Arbitrary YAML file read via Configure Customer Contact.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

The WHM Configure Customer Contact interface allows a reseller to set contact information visible by their users. The YAML file containing this information is inside the reseller’s home directory and was read with the effective UID of root. By manipulating this file, an authenticated reseller could read the contents of arbitrary YAML files on the system.

Credits

This issue was discovered by Rack911.

Solution

This issue is resolved in the following builds:
11.43.0.12
11.42.1.16
11.40.1.14

Case 97841

Summary

Mailman list password disclosed to local users during password change.

Security Rating

cPanel has assigned a Security Level of Moderate to this vulnerability.

Description

Mailman’s change_pw script takes the password as a command line argument. When changing a mailing list’s password, the new password was leaked to other users logged into the system via command line arguments.

Credits

This issue was discovered by Rack911.

Solution

This issue is resolved in the following builds:
11.43.0.12
11.42.1.16
11.40.1.14

Case 98121

Summary

Miscategorization of Locales ACL.

Security Rating

cPanel has assigned a Security Level of Minor to this vulnerability.

Description

The “local-edit” ACL listed in the WHM Edit Reseller Nameservers and Privileges interface was miscategorized under the “Global Privileges” grouping. This ACL should be listed under the “Super Privileges” grouping since the ACL allows the reseller to control the display of translations, including embedded HTML, in all cPanel & WHM interfaces.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.43.0.12
11.42.1.16
11.40.1.14

Multiple Cases (35)

Summary

Multiple XSS vulnerabilities in various interfaces.

Description

Output filtering errors in several different interfaces allowed JavaScript inputs to be returned to the browser without proper filtering. The affected interfaces are listed below.

Case: 90761
Security Rating: Minor
XSS Type: Self-stored
Interface: cPanel
URLs: /frontend/x3/ftp/accounts.html, /frontend/paper_lantern/ftp/accounts.html
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: Mateusz Goik

Case: 93117
Security Rating: Moderate
XSS Type: Reflected
Interface: cPanel
URLs: /cgi-sys/guestbook.cgi
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security Team

Case: 93141
Security Rating: Moderate
XSS Type: Reflected
Interface: Entropy Chat
URLs: /
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security Team

Case: 93641
Security Rating: Minor
XSS Type: Self-stored
Interface: cPanel
URLs: /frontend/paper_lantern/mail/auto_responder.tt, /frontend/x3/mail/auto_responder.tt
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security Team

Case: 93965
Security Rating: Minor
XSS Type: Self-stored
Interface: cPanel
URLs: /frontend/x3/filemanager/index.html, /frontend/paper_lantern/filemanager/index.html
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security Team

Case: 93985
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/addoncgi/cpaddons.html, /frontend/paper_lantern/addoncgi/cpaddons.html
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security Team

Case: 94081
Security Rating: Moderate
XSS Type: Stored
Interface: WHM
URLs: /scripts4/listaccts
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: Rack911

Case: 94741
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/mail/spam/addspamfilter.html, /frontend/paper_lantern/mail/spam/addspamfilter.html
Affected Releases: 11.43.0, 11.42.1
Reporter: cPanel Security Team

Case: 94745
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/mail/filters/delfilter.html, /frontend/x3/mail/filters/delfilter.html
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security Team

Case: 94773
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/addon/index.html, /frontend/x3/denyip/index.html, /frontend/x3/ftp/accounts.html, /frontend/x3/mail/archive.html, /frontend/x3/mail/autores.html, /frontend/x3/mail/boxtrapper.html, /frontend/x3/mail/filters/managefilters.html, /frontend/x3/mail/fwds.html, /frontend/x3/mail/lists.html, /frontend/x3/park/index.html, /frontend/x3/psql/index.html, /frontend/x3/sql/index.html, /frontend/x3/subdomain/index.html, /frontend/paper_lantern/addon/index.html, /frontend/paper_lantern/denyip/index.html, /frontend/paper_lantern/ftp/accounts.html, /frontend/paper_lantern/mail/archive.html, /frontend/paper_lantern/mail/autores.html, /frontend/paper_lantern/mail/boxtrapper.html, /frontend/paper_lantern/mail/filters/managefilters.html, /frontend/paper_lantern/mail/fwds.html, /frontend/paper_lantern/mail/lists.html, /frontend/paper_lantern/park/index.html, /frontend/paper_lantern/psql/index.html, /frontend/paper_lantern/sql/index.html, /frontend/paper_lantern/subdomain/index.html
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security Team

Case: 94793
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/mail/conf.html, /frontend/paper_lantern/mail/conf.html
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security Team

Case: 94825
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/mail/dodelpop.html, /frontend/paper_lantern/mail/dodelpop.html
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security Team

Case: 94929
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/mime/addredirect.html
Affected Releases: 11.43.0, 11.42.1
Reporter: cPanel Security Team

Case: 94937
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/sql/wizard4.html, /frontend/x3/sql/wizard4.html
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security Team

Case: 95577
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/denyip/delconfirm.html, /frontend/paper_lantern/denyip/delconfirm.html
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security Team

Case: 95805
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/ftp/dologoutftpconfirm.html, /frontend/x3/ftp/dologoutftpconfirm.html
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security Team

Case: 96017
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/paper_lantern/mime/delredirect.html, /frontend/x3/mime/delredirect.html
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security Team

Case: 96021
Security Rating: Moderate
XSS Type: Stored
Interface: cPanel
URLs: /frontend/x3/clamavconnector/scanner.html, /frontend/x3/clamavconnector/live_disinfect.html, /frontend/x3/clamavconnector/disinfect.html, /frontend/paper_lantern/clamavconnector/scanner.html, /frontend/paper_lantern/clamavconnector/live_disinfect.html, /frontend/paper_lantern/clamavconnector/disinfect.html
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security Team

Case: 96201
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /scripts/doresetresellers
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security Team

Case: 96209
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /scripts/domultikill
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security Team

Case: 96245
Security Rating: Minor
XSS Type: Self-stored
Interface: WHM
URLs: /cgi/statmanager.cgi
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: Rack911

Case: 96385
Security Rating: Important
XSS Type: Stored
Interface: cPanel
URLs: /frontend/x3/ftp/session.html, /frontend/paper_lantern/ftp/session.html
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: Rack911

Case: 96485
Security Rating: Moderate
XSS Type: Stored
Interface: WHM
URLs: /scripts5/showacctcopylog
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: Rack911

Case: 96505
Security Rating: Important
XSS Type: Stored
Interface: WHM
URLs: /scripts/rescart
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security Team

Case: 96509
Security Rating: Moderate
XSS Type: Stored
Interface: WHM
URLs: /scripts/repairmysql
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security Team

Case: 96521
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /scripts/doresmailman
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security Team

Case: 96525
Security Rating: Moderate
XSS Type: Stored
Interface: WHM
URLs: /scripts2/convertmaildir
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security Team

Case: 96545
Security Rating: Minor
XSS Type: Self
Interface: WHM
URLs: /scripts2/doeditzonetemplate
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security Team

Case: 96637
Security Rating: Moderate
XSS Type: Stored
Interface: WHM
URLs: /cgi/trustclustermaster.cgi
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: Rack911

Case: 96801
Security Rating: Important
XSS Type: Stored
Interface: WHM
URLs: /scripts/doconfiguremailserver
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security Team

Case: 99213
Security Rating: Minor
XSS Type: Stored
Interface: WHM
URLs: /scripts5/setupremotemysqlhost
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security Team

Case: 99309
Security Rating: Moderate
XSS Type: Stored
Interface: WHM
URLs: /scripts2/editzonetemplate
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security Team

Case: 99365
Security Rating: Minor
XSS Type: Self-stored
Interface: WHM
URLs: /scripts5/copy_account_input
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security Team

Case: 99377
Security Rating: Minor
XSS Type: Self-stored
Interface: WHM
URLs: /scripts5/remotemysqlhost
Affected Releases: 11.42.1, 11.40.1
Reporter: cPanel Security Team

Case: 99957
Security Rating: Minor
XSS Type: Self
Interface: cPanel
URLs: /frontend/x3/cgi/modify.html
Affected Releases: 11.43.0, 11.42.1, 11.40.1
Reporter: cPanel Security Team

cPanel includes a comprehensive protection mechanism against XSS and XSRF attacks called Security Tokens. Security Tokens protection is enabled by default in all installs of cPanel & WHM. When Security Tokens protection is enabled, an attacker intending to utilize any self-XSS vulnerabilities must convince the victim to navigate their browser to the appropriate cPanel or WHM interface and manually input the JavaScript payload.

Credits

These issues were discovered by the respective reporters listed above.

Solution

These issues are resolved in the following builds:

11.43.0.12
11.42.1.16
11.40.1.14

For the PGP-signed message, see http://cpanel.net/wp-content/uploads/2014/05/TSR-2014-0004-FullDisclosure.txt

View the full article