Type: Insecure Permissions
Location: Local
Impact: Medium
Product: cPanel
Website: http://www.cpanel.net
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: 11.42.0.23, 11.40.1.13 & 11.38.2.23
CVE: -
R911: 0140
Date: 2014-03-31
By: Rack911
Product Description:
cPanel is an easy-to-use control panel that gives web hosts, and the website owners they serve, the ability to quickly and easily manage their servers and websites. Web Host Manager (WHM) is a part of the cPanel software, often used by resellers and system administrators.
Vulnerability Description:
The cPanel logs directory /usr/local/cpanel/logs contained various log files, some of which were readable by unprivileged local users. Under certain circumstances, some of those log files could contain sensitive information.
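As an added example (not part of the Rack911 advisory and not cPanel's own tooling), a POSIX shell audit that lists files under a logs directory readable by group or other users, exercised against a constructed sample directory. The log file names in the sample and the choice of owner-only mode 0600 as the hardening target are assumptions, not the vendor's fix.

```shell
#!/bin/sh
# Added example, not from the advisory: audit a logs directory for files that
# users other than the owner can read, then restrict them.

# Print every regular file under $1 (default: the directory named in the
# advisory) whose mode grants read to group or other.
find_exposed_logs() {
    dir="${1:-/usr/local/cpanel/logs}"
    find "$dir" -type f \( -perm -g+r -o -perm -o+r \) -print
}

# Number of exposed files under $1, as a bare integer.
count_exposed_logs() {
    find_exposed_logs "$1" | wc -l | tr -d ' '
}

# Hardening step (assumption: owner-only access is acceptable here):
# strip group/other read by setting exposed files to mode 0600.
lock_down_logs() {
    dir="${1:-/usr/local/cpanel/logs}"
    find "$dir" -type f \( -perm -g+r -o -perm -o+r \) -exec chmod 600 {} \;
}

# Constructed sample directory mimicking the advisory's situation: file
# names and contents are made up; two files are exposed, one is not.
make_sample_logs() {
    sample="$(mktemp -d)"
    printf 'GET /login from 192.0.2.10\n' > "$sample/access_log"
    printf 'warning: backend timeout\n'   > "$sample/error_log"
    printf 'session token placeholder\n'  > "$sample/session_log"
    chmod 644 "$sample/access_log"   # world-readable: exposed
    chmod 640 "$sample/error_log"    # group-readable: exposed
    chmod 600 "$sample/session_log"  # owner-only: not exposed
    echo "$sample"
}

# Stand-alone demo on the constructed sample (no real paths touched).
demo_dir="$(make_sample_logs)"
echo "Exposed before hardening:"
find_exposed_logs "$demo_dir"
lock_down_logs "$demo_dir"
echo "Exposed after hardening: $(count_exposed_logs "$demo_dir")"
rm -rf "$demo_dir"
```

On a live host, run `find_exposed_logs /usr/local/cpanel/logs` as root to see which files a local account could read before deciding whether to apply the vendor update or the hardening step.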
Impact:
We have rated this vulnerability MEDIUM because some sensitive information may be obtainable from the log files.
Vulnerable Version:
This vulnerability was tested against cPanel 11.40.0 #19 and is believed to exist in all versions prior to the fixed builds below.
Fixed Version:
This vulnerability was patched in cPanel 11.42.0.23, 11.40.1.13 & 11.38.2.23.
Vendor Contact Timeline:
2013-12-12: Vendor contacted via email.
2014-03-03: Vendor confirms vulnerability.
2014-03-24: Vendor issues updates to all builds.
2014-03-31: Rack911 issues security advisory.