From nick@cpanel.net Thu Mar 11 22:07:41 2004
From: J. Nick Koston
To: news@cpanel.net, bugtraq@securityfocus.com
Date: Thu, 11 Mar 2004 18:36:21 -0500
Subject: cPanel Security Advisory CPANEL-2004:01-01

cPanel Security Advisory - CPANEL-2004:01-01
---------------------------------------------
Date: Thu Mar 11 2004
---------------------------------------------

---------------------------------------------
Summary:
---------------------------------------------
Due to a recently discovered bug, it will be necessary for users
following the STABLE and RELEASE branches to disable the feature that
allows users to reset their password. For those following the EDGE and
CURRENT branches, the latest updates have been fixed. A review of the
RELEASE tree is still pending, and fixed RELEASE builds may be available
in the next 48 hours as well.

---------------------------------------------
Description:
---------------------------------------------
The feature "Allow cPanel users to reset their password via email",
found in WebHostManager in the "Tweak Settings" section allows for a
cpanel user to run some commands as the root user. This hole is built in
to all compiled cpanel binaries and as such can not be "patched". For
users of STABLE and RELEASE branches it is strongly suggested that you
disable this feature. For users of the EDGE and CURRENT branches, the
latest builds have been updated and compiled without this bug.

---------------------------------------------
References:
---------------------------------------------
http://www.securityfocus.com/archive/1/357064/2004-03-08/2004-03-14/0

---------------------------------------------
Affected Systems:
---------------------------------------------
All builds on all platforms are vulnerable up to and including
(9.1.0 build 34), all builds after that have been fixed.

---------------------------------------------
Fix Details:
---------------------------------------------
For STABLE and RELEASE users, to remove this feature from user's
cPanels, log into WebHostManager as root, open the "Tweak Settings"
page, and uncheck the box next to "Allow cPanel users to reset their
password via email" and save the change.

For EDGE and CURRENT users, update cPanel. The suggested method is to do
the following as root from the shell.

    # /scripts/upcp

You can also do this from inside WebHostManager. This should update the
cPanel and WHM package to the latest version available where this hole
does not exist.
---------------------------------------------

If you find there is still a problem with this after updating to the
versions mentioned above, please file a support ticket with the cPanel
Technical Support team at http://support.cpanel.net/.


From arabviersus@hotmail.com Thu Mar 11 22:14:37 2004
From: Arab VieruZ
To: bugtraq@securityfocus.com
Date: 11 Mar 2004 11:42:30 -0000
Subject: Cpanel 8.*.* have a problem ?

Hi all,

When I tried to reset my pass I tried this URL:

http://cpanel.com:2082/resetpass/?user=|">ls"|

It gives me this:

*/
sh: line 1: /var/cpanel/users/: is a directory
"sh: line 1: >ls: command not found"
Password Reset
Resetting password for |">ls"|:
A confirmation email has been sent to the email address on file.
*/

look @ this!

sh: line 1: >ls: command not found

Is it a problem ? :S

-------
ThanX
Arab VieruZ
Saudi Devilz Team
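
Added example, not part of either message and not cPanel code: a Python check that scans web access logs for password-reset requests like the one quoted in the second message, where the "user" value is not a plain account name. The log line format, the username allowlist and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: account names are short lowercase alphanumerics; tune to local policy.
SAFE_USER = re.compile(r"[a-z0-9]{1,16}")
# Assumption: Common Log Format style lines: client, ident, user, [time], "METHOD target ...".
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST|HEAD) (\S+)')

# Constructed sample lines (not from a real server). The flagged value is the one
# quoted in the report above, once percent-encoded and once raw.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Mar/2004:11:40:02 +0000] "GET /resetpass/?user=alice HTTP/1.0" 200 512
192.0.2.77 - - [11/Mar/2004:11:42:30 +0000] "GET /resetpass/?user=%7C%22%3Els%22%7C HTTP/1.0" 200 640
192.0.2.10 - - [11/Mar/2004:11:43:10 +0000] "GET /frontend/index.html HTTP/1.0" 200 2048
192.0.2.78 - - [11/Mar/2004:11:44:00 +0000] "GET /resetpass/?user=|">ls"| HTTP/1.0" 200 640
"""


def suspicious_resets(log_text):
    """Return (client, decoded_user) for resetpass requests whose user fails the allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        parts = urlsplit(target)
        if not parts.path.rstrip("/").endswith("/resetpass"):
            continue
        # parse_qs percent-decodes, so encoded and raw forms compare equal.
        for user in parse_qs(parts.query).get("user", []):
            if not SAFE_USER.fullmatch(user):
                hits.append((client, user))
    return hits


if __name__ == "__main__":
    for client, user in suspicious_resets(SAMPLE_LOG):
        print(f"review: resetpass from {client} with user={user!r}")
```

Matching against an allowlist of valid account names, rather than a list of known-bad characters, also catches variations that a metacharacter blocklist would miss.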