Summary

cPanel 11.25.0 provides mechanisms to prevent Cross Site Request Forgery attacks.

Security Rating

This update has been rated as having an Important security rating by the cPanel Security team.

Description

All versions of cPanel prior to 11.25.0 are vulnerable to cross-site request forgery attacks. Cross-site request forgery, often abbreviated as CSRF or XSRF, exploits the trust a website has in a user's browser: by abusing that trust, a malicious user can make the browser execute unauthorized commands on the website.

Solution

cPanel 11 users should upgrade to version 11.25.0, which contains mechanisms to prevent these types of attacks. To ensure full protection, it is strongly recommended that the following options in Tweak Settings be enabled:

  • Require security tokens for all interfaces. This will greatly improve the security of cPanel and WHM against XSRF attacks, but may break integration with other systems, login applications, billing software and third party themes.
  • Validate the IP addresses used in all cookie based logins. This will limit the ability of attackers who capture cPanel session cookies to use them in an exploit of the cPanel or WebHost Manager interfaces. For this setting to have maximum effectiveness, proxydomains should also be disabled.
  • Disable Http Authentication for cPanel/WebMail/WHM Logins (forces cookie authentication). This will help prevent certain types of XSRF attacks that rely on cached Http Auth credentials.

In addition it is recommended the following Tweak Settings be disabled:

  • Add proxy VirtualHost to httpd.conf to automatically redirect unconfigured cpanel, webmail, webdisk and whm subdomains to the correct port (requires mod_rewrite and mod_proxy)
  • Automatically create cpanel, webmail, webdisk and whm proxy subdomain DNS entries for new accounts. When this is initially enabled it will add appropriate proxy subdomain DNS entries to all existing accounts. (Use /scripts/proxydomains to reconfigure the DNS entries manually)

References

  1. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2043
  2. http://secunia.com/advisories/30027

Recently, a local vulnerability has been discovered that affects all Linux kernels released since early 2001.

In short, the kernel contains a NULL pointer dereference; a local user who can map memory at address zero (bypassing the mmap_min_addr restriction) can make the kernel execute shell code placed there, which in turn grants the user a root shell.

This vulnerability is covered at length at the following sites:

http://www.securityfocus.com/bid/36038
https://bugzilla.redhat.com/show_bug.cgi?id=516949

You can see many other references here:

http://www.securityfocus.com/bid/36038/references

Fix for cPanel Servers


In the tickets we have received so far, an insecure PHP script was almost always remotely exploited to give a hacker the rights of the user owning the site or script. Once that was done, the hacker gained shell access and ran any of a variety of shell exploit scripts available on the Internet.

For the majority of our clients, if yum is working correctly on the server, running the 'yum update' command will download and install the new kernel.* However, the server administrator must reboot the server for the new kernel to take effect. This step is essential, and it should fix the problem for RHEL 3, 4, and 5, Fedora 10 and 11, and CentOS 3, 4, and 5.

*Note: If yum install fails with the following message:

Traceback (most recent call last):
File "/usr/bin/yum", line 29, in ?
...
TypeError: unsubscriptable object

you may be able to resolve the issue, and continue with the installation, by running the 'yum clean all' command.
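The step the fix above hinges on is the reboot: after 'yum update' the new kernel is installed on disk but the old one is still running. The following check compares the running kernel ('uname -r') with the newest installed kernel package ('rpm -q kernel'). It is an added example, not cPanel's tooling; the version strings in the sample are constructed for illustration and are not the fixed kernel versions for this issue.

```python
"""Report whether a newer kernel is installed than the one currently running.
Added example, not cPanel code. Parses the plain output of 'rpm -q kernel'
(lines like 'kernel-2.6.18-164.el5') and 'uname -r' ('2.6.18-164.el5')."""
import re

# Constructed sample output: two kernel packages installed, older one running
SAMPLE_RPM_OUTPUT = "kernel-2.6.18-128.1.16.el5\nkernel-2.6.18-164.el5\n"
SAMPLE_UNAME = "2.6.18-128.1.16.el5"


def parse_rpm_kernel(line):
    """'kernel-2.6.18-164.el5' -> '2.6.18-164.el5'; None for non-kernel lines."""
    m = re.match(r"^kernel-(\d.*)$", line.strip())
    return m.group(1) if m else None


def version_key(release):
    """Tokenise a kernel release string so that it compares numerically
    where it is numeric ('128' < '164') and textually elsewhere ('el5')."""
    parts = re.findall(r"\d+|[A-Za-z]+", release)
    # ints tagged 0, text tagged 1: same-type tokens compare naturally,
    # and a mixed pair never reaches the second element of the tuple
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def newest_installed(rpm_output):
    """Highest kernel release among the installed kernel packages."""
    releases = [r for r in map(parse_rpm_kernel, rpm_output.splitlines()) if r]
    return max(releases, key=version_key) if releases else None


def reboot_pending(running, rpm_output):
    """True when a kernel newer than the running one is installed but not live."""
    newest = newest_installed(rpm_output)
    return newest is not None and version_key(running) < version_key(newest)


if __name__ == "__main__":
    # Live check on an RPM-based system; the sample above runs without it
    import subprocess
    running = subprocess.run(["uname", "-r"], capture_output=True, text=True).stdout.strip()
    installed = subprocess.run(["rpm", "-q", "kernel"], capture_output=True, text=True).stdout
    if reboot_pending(running, installed):
        print(f"reboot pending: running {running}, newest installed {newest_installed(installed)}")
    else:
        print(f"running newest installed kernel: {running}")
```

Run it after 'yum update' on each server; a "reboot pending" result means the vulnerable kernel is still the one in memory regardless of what yum reported.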

cPanel is a well-known web hosting control panel used by major hosting providers around the world. In response to a recent security article, cPanel, Inc. is issuing a response to customers, service providers, end users, and third-party developers that use the software.

A CSRF (cross-site request forgery) attack occurs when an unauthorized command is propagated from a user's browser to another target session without the user's knowledge. For users of cPanel products, this can occur while you are logged into the control panel and an outside website causes your browser to execute specific commands that modify settings within your control panel. You must be logged into your control panel interface, and the creator of the attack must know specific information about your control panel environment, in order to successfully complete the CSRF attack.

cPanel Developers and System Administrators are recommending a number of steps to help reduce the risk associated with this type of attack.

  • Do not remain logged into any web applications or interfaces while browsing untrusted sites. Always completely log out of browser sessions for sensitive sites when activities have been completed.
  • Avoid opening spam, websites, or clicking on links that you do not trust, especially URL shortening services found on many social media sites.
  • Update your current passwords within cPanel on a regular basis and maintain strong password discipline.

Security is a top priority for cPanel. In an upcoming update to cPanel, new technology will be provided to mitigate CSRF attacks against cPanel's products. This new security feature is currently undergoing critical quality assurance testing and will be released once verified. Enabling the new security feature will be an optional configuration and will require testing of the remote applications and integration methods used in conjunction with cPanel software. cPanel has been working directly with software and application vendors to educate them on the upcoming changes in 11.25.
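The mitigation announced here, and the 11.25.0 Tweak Settings described in the first advisory (Require security tokens, Validate the IP addresses used in cookie based logins), both come down to the same server-side checks: a state-changing request must carry a per-session token that a third-party page cannot read, and a session cookie must be presented from the address it was issued to. The following is an added example of those checks, not cPanel's implementation; the in-memory session store, the function names and the sample addresses are assumptions for the illustration.

```python
"""Per-session CSRF token and cookie/IP binding, as an added illustration
(not cPanel's code). The browser attaches the session cookie to any request,
including one a malicious page triggers; the token lives only in the
interface's own pages, so a forged request cannot supply it."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    client_ip: str                       # address seen at login
    token: str = field(default_factory=lambda: secrets.token_hex(16))


class SessionStore:
    """Server-side session table; the two flags mirror the Tweak Settings."""

    def __init__(self, require_token=True, validate_ip=True):
        self.require_token = require_token
        self.validate_ip = validate_ip
        self._sessions = {}

    def login(self, user, client_ip):
        sid = secrets.token_hex(16)      # value placed in the session cookie
        self._sessions[sid] = Session(user, client_ip)
        return sid

    def token_for(self, sid):
        """The token the interface embeds in its own forms and links."""
        return self._sessions[sid].token

    def authorize(self, cookie_sid, client_ip, token=None):
        """Decide whether a state-changing request may proceed."""
        sess = self._sessions.get(cookie_sid)
        if sess is None:
            return False, "no session"
        if self.validate_ip and client_ip != sess.client_ip:
            return False, "ip mismatch"          # replayed cookie from elsewhere
        if self.require_token and (token is None
                                   or not hmac.compare_digest(token, sess.token)):
            return False, "missing or wrong token"
        return True, "ok"


def demo(require_token=True, validate_ip=True):
    """Exercise the three request shapes against a constructed login."""
    store = SessionStore(require_token, validate_ip)
    sid = store.login("alice", "203.0.113.5")    # constructed sample login
    return {
        # cookie auto-attached by the browser, but no token in the request
        "forged_no_token": store.authorize(sid, "203.0.113.5")[0],
        # captured cookie and token presented from a different address
        "replayed_cookie": store.authorize(sid, "198.51.100.9", store.token_for(sid))[0],
        # request produced by the interface itself
        "legitimate": store.authorize(sid, "203.0.113.5", store.token_for(sid))[0],
    }
```

Running demo() with both flags off shows why the settings are recommended: the forged request is indistinguishable from a legitimate one once only the cookie is checked. Cached HTTP Basic credentials behave like the cookie in this respect (the browser resends them automatically) but cannot be paired with a token, which is the reason the advisory prefers cookie authentication.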

cPanel is committed to providing ongoing communications with customers and end users of software features, security, and ongoing support issues. When security reports are provided through proper channels, a public response will be provided to help reduce the overall risk of specific events. cPanel will provide updates to the affected parties through the proper channels.

Customers that wish to discuss this in depth and understand the upcoming implementation are encouraged to open tickets or communicate directly with their points of contact to cPanel.

Summary

Updated builds of cPanel 11.24.4 that fix a security issue are available for users of EDGE, CURRENT, RELEASE and STABLE.

Security Rating

This update has been rated as having a trivial security impact by the cPanel Security team.

Description

The Latest Visitors interface ( /frontend/x3/stats/lastvisit.html ) displays the last few entries from the access_log of a selected domain owned by an account. Due to improper handling of user input, an authenticated user could use a carefully crafted URL to view the contents of world-readable files on the system.
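The defect class described here, request input flowing into a filesystem path, is best shown beside its fix. The following is an added example, not cPanel's code: a weak lookup that builds the path from the request parameter, and a hardened one that only ever serves a log the account owns and additionally checks that the resolved path stays inside the log directory. The log directory path is a placeholder, and the access_log lines are constructed.

```python
"""Weak versus hardened selection of a per-domain access log.
Added example, not cPanel's implementation."""
import os
import tempfile
from collections import deque

LOG_BASE = "/path/to/domlogs"  # placeholder directory, not a path from the advisory


def weak_log_path(domain_param, base=LOG_BASE):
    """Weak pattern: the request parameter becomes a path component unchecked,
    so a value containing '../' resolves to a file outside the log directory."""
    return os.path.normpath(os.path.join(base, domain_param))


def safe_log_path(domain_param, account_domains, base=LOG_BASE):
    """Hardened lookup: the selection must be one of the account's own domains
    (server-side allowlist), and the resolved path must still lie under base."""
    if domain_param not in account_domains:
        return None
    path = os.path.normpath(os.path.join(base, domain_param))
    if os.path.commonpath([base, path]) != base:     # defence in depth
        return None
    return path


def last_entries(path, n=5):
    """Return the final n lines of an access log without loading all of it."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [line.rstrip("\n") for line in deque(fh, maxlen=n)]


def demo():
    """Run both lookups against a constructed log directory; returns outcomes."""
    owned = {"example.com"}                       # domains this account owns
    sample_log = [                                # constructed access_log lines
        '198.51.100.7 - - [01/Jul/2009:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
        '198.51.100.7 - - [01/Jul/2009:10:00:05 +0000] "GET /about HTTP/1.1" 200 731',
        '203.0.113.9 - - [01/Jul/2009:10:01:00 +0000] "GET /contact HTTP/1.1" 404 210',
    ]
    with tempfile.TemporaryDirectory() as base:
        with open(os.path.join(base, "example.com"), "w", encoding="utf-8") as fh:
            fh.write("\n".join(sample_log) + "\n")
        weak = weak_log_path("../secret.txt", base)
        return {
            "owned": last_entries(safe_log_path("example.com", owned, base), n=2),
            "not_owned": safe_log_path("other.example", owned, base),
            "traversal": safe_log_path("../secret.txt", owned, base),
            # True when the weak lookup resolved to a path outside the log directory
            "weak_escapes": os.path.commonpath([base, weak]) != base,
        }
```

The allowlist is the real fix: the user picks from the account's domains, so the parameter never acts as a path at all. The commonpath check costs nothing and catches a future change that lets unvalidated input reach the join.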

Solution

cPanel users should update to 11.24.4 build 36912 or higher, which contains a fix for this issue.

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2275

A weakness in the random data generation module included with cPanel has been identified. cPanel releases prior to 11.18.6 and 11.23.1 are susceptible to this security issue which is rated medium-critical.

Update Advisory

All STABLE and RELEASE users are strongly urged to update to their respective 11.18.6 release. CURRENT and EDGE users should update to the latest 11.23.1 release. No releases are deemed susceptible to remote or root access vulnerabilities.