Earlier this year, specifically on January 19th, the cPanel experts have rolled out new builds for all of the product’s public update tiers. These updates, which were in the form of the TSR-2015-001, were designed to deliver targeted changes to cPanel and WHM. According to developers, these are for addressing various security concerns that have been found within both control panels. Users can access all the released builds through the implementation of the standard update system.
As cited by the people behind cPanel, these updates have a rating of CVSSv2, which ranges from scores of 2.1 to 4.9.
In addition, it was also mentioned that users who have deployed servers using cPanel and WHM and who have set the platforms to accept automatic updates every time one is rolled out, would no longer need to manually perform the update. However, for those who have disabled this feature, it is highly recommended that the cPanel and WHM installations are updated as soon as possible. Doing so will help reduce the risks of websites becoming a target of security threats.
As of the moment, there have been four versions released for both the cPanel and the WHM. The following versions of the updates are said to address all of the known and discovered vulnerabilities:
Details about the Discovered Security Concerns
During the time that the cPanel security team made an announcement about the TSR-2015-001 builds, they pointed out that the vulnerabilities are believed to have not been made public yet. Limited information was initially disclosed, but with the assurance that they, together with independent security researchers, have already identified these issues and resolved them with the updates.
A day after the announcement was made, the security experts at cPanel released a full disclosure documentation about the security concerns they have discovered and have resolved with the builds. The Targeted Security Release (TSR-2015-001) updates have been engineered to fix the following vulnerabilities in all the above-mentioned versions of cPanel and WHM:
The TSR update fixes the problem with the WHM “Apache mod_userdir Tweak” interface. Before the update, this interface made it possible for specific users to be incorrectly excluded from the userdir protection while the mod_ruid2 or the MPM-ITK command was being used on the server.
The second security concern that has been resolved by the TSR-2015-001 builds is connected with the “noshell” configuration. Prior to the builds being rolled out, accounts that were configured on the cPanel and the WHM systems using the login shell “noshell” retained server access through the use of SFTP. Users who connected through this method gained entry to the /proc filesystem. An arbitrary code could have been executed by an attacker through the use of a normal shell.
The TSR-2015-001 updates also corrected the way that the cPDAVd incorrectly handled how HTML escaped filenames. This vulnerability could have given attackers the ability to create files using XSS payloads and launch stored-XSS attacks.