SB2016051701 - Multiple vulnerabilities in cPanel
Published: May 17, 2016 Updated: June 28, 2016
Description
This security bulletin contains information about 10 vulnerabilities.
1) Arbitrary file overwrite during Horde restore (CVE-ID: N/A)
The vulnerability allows a remote authenticated user to overwrite arbitrary files on the target system.
The vulnerability exists due to incorrect permissions used by Horde during the restoration process with old-style CSV data files. The application opens the SQLite database with root privileges to write a journal. A remote authenticated attacker can overwrite arbitrary files on the vulnerable system with root privileges.
Successful exploitation of this vulnerability will allow execution of arbitrary code with root privileges.
2) Demo account arbitrary code execution (CVE-ID: N/A)
The vulnerability allows a remote authenticated user to execute arbitrary Perl code.
The vulnerability exists due to an error in the ajax_maketext_syntax_util.pl file when handling input data passed from untrusted sources. A remote authenticated attacker with a demo account can pass certain maketext functions to the vulnerable script and execute arbitrary Perl code on the target system.
Successful exploitation of this vulnerability will allow execution of arbitrary Perl code and may lead to system compromise.
3) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote authenticated user to cause denial of service.
The vulnerability exists due to improper handling of domain names in /scripts/killpvhost when matching them against entries in the ProFTPD configuration file during host removal. An attacker can create an account whose domain name contains regular expression metacharacters. During the removal of such an account, the IP address dedicated to this account will also be removed from the FTP configuration.
Successful exploitation of this vulnerability may cause partial denial of service.
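The matching mistake behind item 3, shown as added example code in Python rather than cPanel's own Perl: a domain name compiled as a regular expression instead of compared as a literal, beside the re.escape() fix. The ProFTPD-style config sample, the block layout and the helper names are constructed assumptions; the real file format and killpvhost logic are not on the page.

```python
import re

# Constructed sample in the style of a ProFTPD per-host configuration. The real
# file layout used by cPanel and the exact matching logic of /scripts/killpvhost
# are not on the page; both are assumed here for illustration only.
SAMPLE_FTP_CONFIG = """\
<VirtualHost 192.0.2.10>
  ServerName example.com
</VirtualHost>
<VirtualHost 192.0.2.11>
  ServerName exam.le.com
</VirtualHost>
<VirtualHost 192.0.2.12>
  ServerName other.example.net
</VirtualHost>
"""

# One <VirtualHost> block: the IP it is bound to and its ServerName.
HOST_BLOCK = re.compile(
    r"<VirtualHost (?P<ip>[^>]+)>\s*ServerName (?P<name>\S+)\s*</VirtualHost>\n?"
)


def hosts_matching(config: str, domain: str, escape: bool) -> list[str]:
    """IPs of every block whose ServerName matches `domain`.

    escape=False reproduces the bug class: the domain is compiled as a regular
    expression, so its metacharacters ('.' alone is enough) can match other
    accounts' names. escape=True is the fix: re.escape() turns it into a literal.
    """
    pattern = re.escape(domain) if escape else domain
    matcher = re.compile(rf"^{pattern}$")
    return [m.group("ip") for m in HOST_BLOCK.finditer(config)
            if matcher.match(m.group("name"))]


def remove_host(config: str, domain: str) -> str:
    """Hardened removal: drop only the block whose ServerName equals `domain`
    exactly, by string comparison, never by pattern. Assumes the config is
    made up solely of such blocks."""
    return "".join(m.group(0) for m in HOST_BLOCK.finditer(config)
                   if m.group("name") != domain)
```

Note that even an ordinary-looking name such as exam.le.com, used unescaped, also matches example.com because each '.' matches any character.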
4) Privilege escalation (CVE-ID: N/A)
The vulnerability allows a remote authenticated user to gain root privileges.
The vulnerability exists due to an error in the /scripts/addpop, /scripts/delpop, /scripts/checkinfopages, /scripts/maildir_converter, /scripts/unsuspendacct and /scripts/enablefileprotect scripts, which may expose root's TTY. A remote authenticated attacker might be able to gain full access to the root TTY.
Successful exploitation of this vulnerability may result in remote code execution with root privileges.
5) Privilege escalation via show_template.stor (CVE-ID: N/A)
The vulnerability allows a remote authenticated attacker to execute arbitrary code with escalated privileges.
The vulnerability exists due to improper filtering of input data in cpsrvd when handling document parameters. A remote authenticated attacker with demo access can pass specially crafted code to the show_template.stor script and execute it on the system under the demo account.
Successful exploitation of this vulnerability may result in execution of arbitrary OS commands.
6) Information exposure in Branding API (CVE-ID: N/A)
The vulnerability allows a remote authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper validation of the brandingpkg argument in cPanel API 1 Branding calls. A remote authenticated user with a Webmail account can read arbitrary files owned by the cPanel account.
Successful exploitation of this vulnerability may allow an attacker to gain access to potentially sensitive information.
7) Remote OS command execution via cPanel API calls (CVE-ID: N/A)
The vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.
The vulnerability exists due to insufficient sanitization of forwarding options when performing certain cPanel API calls. A remote attacker with a Webmail account can inject and execute arbitrary system commands.
Successful exploitation of this vulnerability may allow an authenticated attacker to execute arbitrary commands and completely compromise the vulnerable system.
8) SQL Injection in ModSecurity TailWatch log file (CVE-ID: N/A)
The vulnerability allows a remote authenticated attacker to inject and execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of entries in the ModSecurity TailWatch log file. A remote attacker can trick a cPanel user into importing malicious logs into the MySQL database and thereby execute arbitrary SQL queries.
Successful exploitation of this vulnerability may allow an attacker to gain complete control over the application.
9) Information exposure via log files (CVE-ID: N/A)
The vulnerability allows a remote authenticated attacker to gain access to potentially sensitive information.
The vulnerability exists due to incorrectly set default world-readable permissions when creating new log files via dnsadmin-startup and spamd-startup. A remote authenticated user can gain access to potentially sensitive data.
Successful exploitation of this vulnerability may allow an attacker to read log files and obtain potentially sensitive information.
10) Information exposure via log files (CVE-ID: N/A)
The vulnerability allows a remote authenticated attacker to gain access to potentially sensitive information.
The vulnerability exists due to incorrectly set default world-readable permissions when rotating logs via cpanellogd. A remote authenticated user can gain access to potentially sensitive data.
Successful exploitation of this vulnerability may allow an attacker to read log files and obtain potentially sensitive information.
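A defender's check for items 9 and 10, added here as example code that is not cPanel's own: it lists world-readable files under a log directory, repairs one, and shows how a new log is created with an explicit 0600 mode instead of the umask-derived default. The directory and file names are constructed, not cPanel's real log paths, and POSIX permission semantics are assumed.

```python
import os
import stat
import tempfile


def world_readable_files(directory: str) -> list[str]:
    """Regular files under `directory` whose 'other' read bit is set (symlinks not followed)."""
    found = []
    for root, _dirs, names in os.walk(directory):
        for name in names:
            path = os.path.join(root, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & stat.S_IROTH:
                found.append(path)
    return sorted(found)


def create_log_safely(path: str) -> int:
    """Create a new log with an explicit 0600 mode; return its permission bits.
    The default creation mode is 0666 masked by the umask, i.e. 0644 under the
    common 022 umask: the world-readable default described in items 9 and 10."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    os.close(fd)
    return stat.S_IMODE(os.lstat(path).st_mode)


def restrict_log(path: str) -> int:
    """Repair an existing log: owner read/write only; return the new permission bits."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.lstat(path).st_mode)


def demo() -> tuple[list[str], int, int]:
    """Constructed POSIX scenario: one log created with the default mode under a 022
    umask (the misconfiguration) and one created with create_log_safely()."""
    tmp = tempfile.mkdtemp(prefix="logperm-demo-")
    leaky = os.path.join(tmp, "dnsadmin.log")    # constructed names, not cPanel's
    private = os.path.join(tmp, "spamd.log")     # real log paths
    old_umask = os.umask(0o022)
    try:
        with open(leaky, "w") as fh:             # default mode: 0666 & ~022 = 0644
            fh.write("constructed log line\n")
        private_mode = create_log_safely(private)
    finally:
        os.umask(old_umask)
    leaky_before = [os.path.basename(p) for p in world_readable_files(tmp)]
    leaky_after = restrict_log(leaky)
    return leaky_before, leaky_after, private_mode
```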
Remediation
Install the update from the vendor's website.