
cPanel Security Disclosure: TSR-2013-0007

Started by Kailash, June 27, 2013, 11:26:13 AM




Kailash

Important: cPanel Security Disclosure TSR-2013-0007

Summary

Local cPanel users are able to take over ownership of any file or directory on the system.

Security Rating


cPanel has assigned a Security Level of Important to this vulnerability.

Description


The log processing subsystem, cpanellogd, on cPanel & WHM servers offers an option for users to create an archive of their domain's access logs in their home directory. During the preparatory steps for archiving, Cpanel::Logs::prep_logs_path performs a variety of checks to ensure a proper operating environment exists. A number of these checks are performed by a root-privileged process on files and directories in a user's home directory. A malicious user could take advantage of this behavior to take ownership of important files on the same file system as his home directory.

This issue was discovered by the cPanel Security Team.

Solution


This issue is resolved in the following builds:

* 11.38.1.4 and greater
* 11.38.0.19 and greater
* 11.36.1.9 and greater
* 11.34.1.17 and greater
* 11.32.6.8 and greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

Case 71109

Summary


Local cPanel users are able to take over ownership of any file or directory on the system.

Security Rating


cPanel has assigned a Security Level of Important to this vulnerability.

Description

The log processing subsystem, cpanellogd, on cPanel & WHM servers offers an option for users to create an archive of their domain's access logs in their home directory. When cpanellogd creates these archives, some operations are performed by a root-privileged process in the user's home directory. Through the use of a carefully crafted hard link a malicious user could take advantage of this behavior to take ownership of any file on the same file system as his home directory.

This issue was discovered by the cPanel Security Team.

Solution


This issue is resolved in the following builds:

* 11.38.1.4 and greater
* 11.38.0.19 and greater
* 11.36.1.9 and greater
* 11.34.1.17 and greater
* 11.32.6.8 and greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.
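The hard-link case described under Case 71109, seen from the defender's side: an added example, not part of the original post and not cPanel's code, of how a root-privileged process can change ownership inside a user-controlled directory without being redirected to another file. The names `safe_chown`, `UnsafeTarget` and `demo` are hypothetical, the files are constructed in a temporary directory, and refusing symlinks goes beyond what the advisory mentions.

```python
import os
import stat
import tempfile

class UnsafeTarget(Exception):
    """Raised when a path in a user-writable directory is not safe to chown."""

def safe_chown(path, uid, gid):
    """chown `path` by file descriptor, refusing links planted by the user."""
    # O_NOFOLLOW rejects a symlink in the final path component only;
    # O_NONBLOCK keeps the open from hanging if the user planted a FIFO.
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK | os.O_CLOEXEC
    try:
        fd = os.open(path, flags)
    except OSError as exc:
        raise UnsafeTarget(f"cannot open {path!r} safely: {exc}") from exc
    try:
        st = os.fstat(fd)  # inspect the inode we actually opened
        if not stat.S_ISREG(st.st_mode):
            raise UnsafeTarget(f"{path!r} is not a regular file")
        if st.st_nlink != 1:
            # A second name means the inode may live outside the home directory.
            raise UnsafeTarget(f"{path!r} has {st.st_nlink} hard links")
        os.fchown(fd, uid, gid)  # acts on the checked inode, not on the path
    finally:
        os.close(fd)

def demo():
    """Constructed scenario: a plain log file, a hard link and a symlink."""
    results = {}
    with tempfile.TemporaryDirectory() as home:
        victim = os.path.join(home, "victim")  # stands in for a file elsewhere
        for name in ("access_log", "victim"):
            with open(os.path.join(home, name), "w") as fh:
                fh.write("constructed sample\n")
        os.link(victim, os.path.join(home, "hardlink"))
        os.symlink(victim, os.path.join(home, "symlink"))
        for name in ("access_log", "hardlink", "symlink"):
            try:
                safe_chown(os.path.join(home, name), os.geteuid(), os.getegid())
                results[name] = "changed"
            except UnsafeTarget:
                results[name] = "refused"
    return results

if __name__ == "__main__":
    print(demo())
```

The check and the ownership change both operate on the same open file descriptor, so swapping the path between the two steps has no effect on which inode is changed.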
