ElixantTechnology
New member
- Joined
- Nov 26, 2014
- Messages
- 622
- Points
- 0
cPanel TSR-2015-0001 Full Disclosure
SEC-1
Summary
Arbitrary code could be executed as other accounts with RUID2/ITK enabled.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.9 (AV:N/AC:M/Au:S/C
/I/A:N)
Description
The WHM "Apache mod_userdir Tweak" interface incorrectly allowed the exclusion of specific users from userdir protection when mod_ruid2 or MPM-ITK was in use on the server. With this misconfiguration, the excluded user could execute arbitrary code with the UID and GID of the excluding virtualhost via Apache userdir URLs.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.46.2.2
11.46.1.6
11.44.2.4
11.42.1.30
SEC-4
Summary
Noshell restriction bypass via SFTP connections.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I/A:N)
Description
On cPanel & WHM systems, accounts configured with "noshell" as their login shell may still connect to the server using SFTP. Users connecting in this fashion had access to the /proc filesystem. By modifying '/proc/self/mem', an attacker could execute arbitrary code as if connected via a normal shell.
Credits
This issue was discovered by Jann Horn.
Solution
This issue is resolved in the following builds:
11.46.2.2
11.46.1.6
11.44.2.4
11.42.1.30
SEC-8
Summary
Stored XSS vulnerability in cPDAVd directory index functionality.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:N/I/A:N)
Description
cPDAVd did not correctly HTML escape filenames included in the HTML it generated for directory indexes. This allowed attackers with the ability to generate files with XSS payloads to conduce stored-XSS attacks against the authenticated cPDAVd user if the user connected with to WebDAV services using a normal web browser.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.46.2.2
11.46.1.6
11.44.2.4
11.42.1.30
For the PGP-signed message, see [URLnf=http://cpanel.net/wp-content/uploads/2015/01/TSR-2015-0001-Full-Disclosure.txt]here[/URLnf].
SEC-1
Summary
Arbitrary code could be executed as other accounts with RUID2/ITK enabled.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 4.9 (AV:N/AC:M/Au:S/C
/I/A:N)Description
The WHM "Apache mod_userdir Tweak" interface incorrectly allowed the exclusion of specific users from userdir protection when mod_ruid2 or MPM-ITK was in use on the server. With this misconfiguration, the excluded user could execute arbitrary code with the UID and GID of the excluding virtualhost via Apache userdir URLs.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.46.2.2
11.46.1.6
11.44.2.4
11.42.1.30
SEC-4
Summary
Noshell restriction bypass via SFTP connections.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I
/A:N)Description
On cPanel & WHM systems, accounts configured with "noshell" as their login shell may still connect to the server using SFTP. Users connecting in this fashion had access to the /proc filesystem. By modifying '/proc/self/mem', an attacker could execute arbitrary code as if connected via a normal shell.
Credits
This issue was discovered by Jann Horn.
Solution
This issue is resolved in the following builds:
11.46.2.2
11.46.1.6
11.44.2.4
11.42.1.30
SEC-8
Summary
Stored XSS vulnerability in cPDAVd directory index functionality.
Security Rating
cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:N/I
/A:N)Description
cPDAVd did not correctly HTML escape filenames included in the HTML it generated for directory indexes. This allowed attackers with the ability to generate files with XSS payloads to conduce stored-XSS attacks against the authenticated cPDAVd user if the user connected with to WebDAV services using a normal web browser.
Credits
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
11.46.2.2
11.46.1.6
11.44.2.4
11.42.1.30
For the PGP-signed message, see [URLnf=http://cpanel.net/wp-content/uploads/2015/01/TSR-2015-0001-Full-Disclosure.txt]here[/URLnf].
