SecurityTracker.com
Category:   Application (Generic)  >   cPanel
Vendors:   cPanel, Inc.
cPanel Multiple Flaws Let Remote Users Execute Arbitrary Code, Obtain Potentially Sensitive Information, and Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1029528
SecurityTracker URL:  http://securitytracker.com/id/1029528
CVE Reference:   CVE-2013-6780   (Links to External Site)
Date:  Dec 20 2013
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   Multiple vulnerabilities were reported in cPanel. A remote authenticated user can execute arbitrary code on the target system. A remote user can conduct cross-site scripting attacks. A remote user can obtain potentially sensitive information.

A remote authenticated reseller with ACL permission to install SSL certificates can install SSL virtualhosts on arbitrary IPs that do not belong to the reseller. The vendor has assigned case 60890 to this vulnerability. Version 11.36.x is affected.

A remote authenticated cPanel, WHM, or Webmail user can submit a specially crafted translation that exploits a flaw in the Locale::Maketext module to execute arbitrary code with elevated privileges. Locale::Maketext's bracket notation ('[method,arg,...]') invokes methods on the language-handle object, so a translation string supplied by an untrusted user is effectively executable code. The vendor has assigned case 63541 to this vulnerability.

The wwwcount component installs the '/usr/local/cpanel/share/Counter' directory with world-writable permissions. A local user can exploit this to cause cPanel to execute arbitrary code in certain cases. The vendor has assigned case 69517 to this vulnerability.

A remote authenticated reseller can exploit a flaw in the sprite generation code for the branding subsystem to change permissions of arbitrary files on the target system. The vendor has assigned case 71125 to this vulnerability. Version 11.38.x is affected.

When multiple security token failures occur, the system does not invalidate session credentials. A remote user can make cross-site request forgery attacks. The vendor has assigned case 73125 to this vulnerability.

The system may disclose security tokens to remote users. The vendor has assigned case 73193 to this vulnerability.

When a reseller override login occurs, the session cookie is disclosed via the HTTP_COOKIE environment variable. A local user can obtain the session cookie. The vendor has assigned case 74333 to this vulnerability. Versions 11.36.x and 11.38.x are affected.

The WHM Daily Process Log screen does not properly filter HTML code from user-supplied input before displaying the input. A local user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the cPanel software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. The vendor has assigned case 78045 to this vulnerability.

When a root or reseller account performs an upgrade of a cPanel account's cPAddons Site Software installations directly from WHM, the system discloses the REMOTE_PASSWORD environment variable (which carries the logged-in user's password) when the 'cgihidepass' TweakSetting is disabled. The vendor has assigned case 78089 to this vulnerability.
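Both environment-variable leaks above (cases 74333 and 78089) come from the same pattern: anything the front end places in the process environment is inherited by every child that process spawns, including CGI handlers and installers. The following script is an added example, not cPanel code; it shows a helper that strips credential-bearing variables before a child is spawned, and an observer that reports which variables the child actually received. HTTP_COOKIE and REMOTE_PASSWORD are the names from the advisory; the other entries in SECRET_ENV_VARS and the sample request environment are constructed for the example.

```python
import os
import subprocess
import sys

# Variables that carry credentials or session material and must not reach a
# child process. HTTP_COOKIE and REMOTE_PASSWORD are the two the advisory
# names; the remaining entries are assumptions about what a web front end
# typically sets, added for illustration.
SECRET_ENV_VARS = frozenset({
    "HTTP_COOKIE",
    "REMOTE_PASSWORD",
    "HTTP_AUTHORIZATION",
    "SESSION_COOKIE",
})


def scrub_environment(env):
    """Return a copy of `env` with credential-bearing variables removed."""
    return {k: v for k, v in env.items() if k not in SECRET_ENV_VARS}


def child_environment_keys(env):
    """Spawn a child with exactly `env` and return the variable names it sees.

    Whatever the child can print here, a CGI script or helper run with the
    same environment could also log, echo into a page, or pass on further.
    """
    result = subprocess.run(
        [sys.executable, "-c", "import os; print(' '.join(sorted(os.environ)))"],
        env=env,
        capture_output=True,
        text=True,
        check=True,
    )
    return set(result.stdout.split())


def demo():
    """Compare what a child inherits before and after scrubbing.

    The request environment is a constructed stand-in for what a web server
    hands a CGI-style handler after a login; the values are placeholders.
    """
    base_env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}
    request_env = dict(
        base_env,
        REMOTE_USER="reseller1",
        REMOTE_PASSWORD="hunter2",
        HTTP_COOKIE="cpsession=deadbeef",
        HTTP_HOST="example.invalid",
    )
    leaked = child_environment_keys(request_env)
    clean = child_environment_keys(scrub_environment(request_env))
    return leaked, clean


if __name__ == "__main__":
    leaked, clean = demo()
    print("inherited without scrubbing:", sorted(leaked & SECRET_ENV_VARS))
    print("inherited after scrubbing:  ", sorted(clean & SECRET_ENV_VARS))
```

Scrubbing by name is a denylist, so it only catches variables you know about; the `child_environment_keys` observer is the more useful half for auditing an existing deployment, because it shows what a helper actually receives rather than what the caller believes it passes.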

A remote authenticated reseller with 'edit-dns' ACL permissions can exploit a flaw in the WHM Edit DNS Zone interface to read portions of root-owned files. The vendor has assigned case 79277 to this vulnerability. Rack911 reported this vulnerability.

A remote user can use specially crafted usernames during SSH authentication to exploit a flaw in cPHulk and block or unblock arbitrary IP addresses and accounts from connecting to cPHulk-managed services on the target system. The vendor has assigned case 80113 to this vulnerability. An anonymous researcher reported this vulnerability.

A remote authenticated user can exploit a path traversal flaw in X3 countedit.cgi to write arbitrary files on the target system. The vendor has assigned case 80633 to this vulnerability.

The Bandmin passwd file is created with world-readable permissions. A local user can view the username and hashed password required to access Bandmin's stored log data. The vendor has assigned case 81373 to this vulnerability.

The Bandmin bandwidth log viewer does not properly filter HTML code from user-supplied input before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the cPanel software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. The vendor has assigned case 81377 to this vulnerability.

A remote authenticated Webmail virtual account user can supply a specially crafted HTTP URL to exploit a URL filtering flaw and access phpMyAdmin and phpPgAdmin. The vendor has assigned case 81429 to this vulnerability.

A remote authenticated user with a restricted cPanel account can exploit a path traversal flaw in the UI::dynamicincludelist and UI::includelist API calls to read arbitrary files or execute arbitrary code. The vendor has assigned case 81641 to this vulnerability.
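The countedit.cgi write (case 80633) and the UI::dynamicincludelist / UI::includelist read (case 81641) are both path traversal: a user-controlled filename is joined onto a fixed directory and the result is trusted. The following script is an added example, not cPanel code; it places the vulnerable join beside a containment check that canonicalises the path and verifies it stays under the base directory, and exercises both against constructed inputs in a throwaway directory. The directory layout and file names are made up for the example.

```python
import os
import tempfile


class PathTraversalError(ValueError):
    """Raised when a user-supplied path would leave the allowed directory."""


def unsafe_resolve(base_dir, user_path):
    """The vulnerable pattern: join and trust the result.

    '../' segments walk out of base_dir, and an absolute user_path makes
    os.path.join discard base_dir entirely.
    """
    return os.path.join(base_dir, user_path)


def safe_resolve(base_dir, user_path):
    """Resolve user_path under base_dir and refuse anything that escapes it.

    - rejects absolute input and NUL bytes outright
    - canonicalises with realpath so '..' segments and symlinks are followed
    - compares with commonpath rather than startswith, so '/var/data2' is
      not mistaken for being inside '/var/data'
    """
    if os.path.isabs(user_path) or "\x00" in user_path:
        raise PathTraversalError(f"rejected: {user_path!r}")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise PathTraversalError(f"escapes {base}: {user_path!r}")
    return target


def classify(base_dir, candidates):
    """Return {candidate: 'ok' | 'blocked'} for a batch of user inputs."""
    verdicts = {}
    for candidate in candidates:
        try:
            safe_resolve(base_dir, candidate)
            verdicts[candidate] = "ok"
        except PathTraversalError:
            verdicts[candidate] = "blocked"
    return verdicts


def demo():
    """Build a constructed tree with a symlink pointing outside and classify inputs."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "counters")          # the directory the CGI may touch
    os.mkdir(base)
    outside = os.path.join(root, "secret.txt")     # a file that must stay unreachable
    with open(outside, "w") as fh:
        fh.write("not for the counter script\n")   # constructed sample content
    os.symlink(outside, os.path.join(base, "link"))  # planted symlink inside base
    return classify(base, [
        "hits.dat",            # plain file name under base
        "sub/../hits.dat",     # normalises back inside base
        "../secret.txt",       # classic traversal
        "/etc/passwd",         # absolute path
        "link",                # symlink that resolves outside base
    ])


if __name__ == "__main__":
    for candidate, verdict in demo().items():
        print(f"{verdict:8} {candidate}")
```

The symlink case is why the check canonicalises with realpath before comparing: a lexical check on the joined string would accept "link" because it contains no ".." and sits under the base directory, yet a write through it lands on the target file outside.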

The Manage Redirection functionality for Addon Domains and Subdomains and the GnuPG Keys interface do not properly filter HTML code from user-supplied input before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the cPanel software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. The vendor has assigned case 81885 to this vulnerability.

The system stores Logaholic session files in the world-writable '/tmp' directory. A local user can exploit this to cause cPanel to execute arbitrary code. The vendor has assigned case 82309 to this vulnerability. Rack911 reported this vulnerability.

A remote user can exploit a cross-site scripting flaw in the YUI component [CVE-2013-6780]. The vendor has assigned case 82725 to this vulnerability. @soiaxx reported this vulnerability.

Database grant files are stored with world-readable permissions. A local user can read the database grant information they contain. The vendor has assigned case 82733 to this vulnerability. Versions 11.38.x and 11.40.x are affected. Rack911 reported this vulnerability.
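Four of the cases above are filesystem permission mistakes rather than code flaws: a world-writable directory (case 69517, '/usr/local/cpanel/share/Counter'), a world-readable Bandmin passwd file (case 81373), session files in world-writable '/tmp' (case 82309) and world-readable database grant files (case 82733). The following script is an added example, not cPanel code; it audits a list of paths against the permission bits each must not carry, and runs itself against a throwaway tree built with the modes the advisory describes. Only the Counter directory path comes from the advisory; the Bandmin and grant-file paths in POLICY are constructed placeholders, since the advisory does not give their real locations.

```python
import os
import stat
import tempfile

# (relative path, permission bits that must NOT be set). Only the Counter
# directory is named in the advisory; the other two paths are hypothetical
# stand-ins for the Bandmin passwd file and a database grant file.
POLICY = [
    ("usr/local/cpanel/share/Counter", stat.S_IWOTH),                    # never world-writable
    ("usr/local/bandmin/passwd", stat.S_IROTH | stat.S_IWOTH),            # hypothetical path; never world-readable
    ("var/cpanel/db-grants/example.yaml", stat.S_IROTH | stat.S_IWOTH),   # hypothetical path; never world-readable
]


def audit(root, policy=POLICY):
    """Return {relative_path: reason} for every policy entry that fails.

    Uses lstat so a symlink planted at the path is judged on its own bits
    rather than silently followed to a target the attacker chose.
    """
    findings = {}
    for rel, forbidden in policy:
        path = os.path.join(root, rel)
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            findings[rel] = "missing"
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & forbidden & stat.S_IWOTH:
            findings[rel] = "world-writable"
        elif mode & forbidden & stat.S_IROTH:
            findings[rel] = "world-readable"
    return findings


def demo():
    """Build a constructed tree with the modes the advisory describes and audit it."""
    root = tempfile.mkdtemp()

    counter = os.path.join(root, "usr/local/cpanel/share/Counter")
    os.makedirs(counter)
    os.chmod(counter, 0o777)                       # as shipped by wwwcount (case 69517)

    passwd = os.path.join(root, "usr/local/bandmin/passwd")
    os.makedirs(os.path.dirname(passwd))
    with open(passwd, "w") as fh:
        fh.write("bandmin:$apr1$placeholder\n")    # constructed sample content
    os.chmod(passwd, 0o644)                        # world-readable (case 81373)

    grants = os.path.join(root, "var/cpanel/db-grants/example.yaml")
    os.makedirs(os.path.dirname(grants))
    with open(grants, "w") as fh:
        fh.write("grants: []\n")                   # constructed sample content
    os.chmod(grants, 0o600)                        # the correct mode: no finding expected

    return audit(root)


if __name__ == "__main__":
    for rel, reason in demo().items():
        print(f"{reason:15} {rel}")
```

On a real host the same function is pointed at "/" with the placeholder paths replaced by the actual locations; the "missing" verdict is deliberate so that a path that has been removed or renamed shows up in the report instead of passing silently.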

A remote authenticated reseller can exploit a flaw in the goto_uri parameter to conduct cross-site request forgery attacks. The vendor has assigned case 83929 to this vulnerability.

Impact:   A remote authenticated user can execute arbitrary code on the target system.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the cPanel software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can obtain potentially sensitive information.

Solution:   The vendor has issued a fix (11.36.2.10, 11.38.2.13, 11.40.1.3, 11.40.0.29).

The vendor's advisory is available at:

http://cpanel.net/tsr-2013-0011-full-disclosure/

Vendor URL:  cpanel.net/tsr-2013-0011-full-disclosure/ (Links to External Site)
Cause:   Access control error, Configuration error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents



[Original Message Not Available for Viewing]

Copyright 2021, SecurityGlobal.net LLC