cPanel Multiple Vulnerabilities
Release Date : 2013-12-20
Criticality level : Moderately critical
Impact : Security Bypass
Cross Site Scripting
Manipulation of data
Exposure of sensitive information
Where : From remote
Solution Status: Vendor Patch
Software: cPanel 11.x
Multiple security issues and vulnerabilities have been reported in cPanel, which can be exploited by malicious, local users to disclose sensitive information and gain escalated privileges, by malicious users to manipulate certain data and bypass certain security restrictions, and by malicious people to conduct cross-site scripting attacks.
1) An error when handling the installation of SSL certificates can be exploited to install SSL virtual hosts on otherwise restricted IPs and subsequently intercept mail traffic for another account.
Successful exploitation of this vulnerability requires a reseller account with ACL permission to install SSL certificates.
This vulnerability is reported in versions prior to 184.108.40.206.
2) An error when handling translatable phrases related to API commands can be exploited to specify custom failure handlers and subsequently execute arbitrary code with elevated privileges.
Successful exploitation requires a cPanel, WHM, or Webmail user account.
3) The application creates the /usr/local/cpanel/share/Counter directory with insecure world-writable permissions, which can be exploited to load and execute arbitrary code with elevated privileges via cPanel processes.
4) An error within the sprite generation code for the branding subsystem can be exploited to gain ownership of arbitrary files on the system.
Successful exploitation of this vulnerability requires a reseller account.
This vulnerability is reported in versions prior to 220.127.116.11.
5) The application does not properly restrict access to countedit.cgi in the cPanel X3 theme directory, which can be exploited to write arbitrary files via directory traversal attacks.
Successful exploitation of this vulnerability requires a cPanel account configured to use a theme other than X3 or configured to use the X3 theme after a clone of the X3 theme was created by the system administrator.
6) The application stores the DES encrypted Bandmin password in a file with insecure world-readable permissions, which can be exploited to gain knowledge of the password and subsequently disclose Bandmin related stored log data.
7) Certain input related to the Bandmin bandwidth log viewer interface is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
8) An error related to URL path resolution of HTTP requests to the cPanel, WHM, and Webmail interfaces can be exploited to bypass URL-based access control checks and access e.g. phpMyAdmin and phpPgAdmin with the privileges of the cPanel account owning the Webmail account.
Successful exploitation of this vulnerability requires e.g. Webmail virtual account privileges.
9) An error when handling certain input filters during UI::dynamicincludelist and UI::includelist cPanel API 2 calls can be exploited to bypass certain cPanel account restrictions and subsequently read certain files and execute arbitrary code.
10) The application stores the Logaholic session files within the insecure world-writable tmp directory, which can be exploited to execute arbitrary code with the privileges of the cpanel-logaholic user by creating a specially crafted session file.
Successful exploitation of this security issue requires access to the cPanel Logaholic interfaces and local access.
11) The application bundles a vulnerable version of YUI 2.
The security issues and vulnerabilities #1 through #3 and #5 through 11 are reported in versions prior to 18.104.22.168, 22.214.171.124, 126.96.36.199, and 188.8.131.52.
12) An error within the store data and cache files functionality leads to certain files containing database grants within the /var/cpanel/databases directory becoming world-readable, which can be exploited to e.g. gain knowledge of MySQL and PostgreSQL credentials.
This security issue is reported in versions prior to 184.108.40.206, 220.127.116.11, and 18.104.22.168.
Update to version 22.214.171.124, 126.96.36.199, 188.8.131.52, or 184.108.40.206 or later.
Provided and/or discovered by:
1-9) Reported by the vendor.
10, 12) Rack911
TSR-2013-0011 (60890, 63541, 69517, 71125, 80633, 81373, 81377, 81429, 81641, 82309, 82725, 82733):
Was this reply helpful? (0) (0)