For all cPanel users here.
/* BEGIN */
SECUNIA ADVISORY ID:
SA11111
VERIFY ADVISORY:
http://secunia.com/advisories/11111/
CRITICAL:
Highly critical
IMPACT:
System access
WHERE:
From remote
SOFTWARE:
cPanel 5.x
cPanel 6.x
cPanel 7.x
cPanel 8.x
cPanel 9.x
DESCRIPTION:
Arab VieruZ has discovered a vulnerability in cPanel, allowing malicious people to execute certain system commands on a vulnerable system.
The problem is that user input passed to the "user" parameter in the "resetpass" section isn't properly verified before being used. This can be exploited to inject various commands by supplying shell meta characters.
The vulnerability affects builds on all platforms up to and including version 9.1.0 build 34.
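To illustrate the class of flaw the advisory describes (an untrusted "user" value reaching a shell unverified), here is an added example that is not part of the advisory and not cPanel's own code; the actual "resetpass" implementation is not on the page. The helper binary path, the username pattern and the sample inputs are assumptions constructed for the example. It contrasts the flawed string-interpolation pattern with a hardened form that enforces an allow-list and builds an argv list so no shell ever interprets the value.

```python
import re
import subprocess

# Constructed for this example: the advisory does not state cPanel's username
# rules or the command it runs. The pattern below is a typical Unix account-name
# policy; a leading '-' is rejected so the value can never be read as an option.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

# Characters that carry meaning for a POSIX shell when a value is spliced into
# a command line. Used only for detection / logging, not as the sole control.
SHELL_METACHARS = set(";&|`$()<>\n\\\"' \t*?[]{}~#!")

# Hypothetical helper binary (assumption); it does not exist on a real system.
RESET_HELPER = "/usr/local/bin/reset-password"


def vulnerable_reset_command(user: str) -> str:
    """The flawed pattern: the untrusted value is interpolated into one string
    that a shell would parse. Returned, never executed, so the shape of the
    problem is visible: any metacharacter in 'user' alters the command."""
    return f"{RESET_HELPER} {user}"


def contains_shell_metachars(user: str) -> bool:
    """Detection helper: flag requests whose 'user' value carries shell syntax.
    Useful for alerting on attempts, independent of the fix itself."""
    return any(ch in SHELL_METACHARS for ch in user)


def validate_username(user: str) -> bool:
    """Hardened input check: accept only values matching the strict allow-list."""
    return USERNAME_RE.fullmatch(user) is not None


def safe_reset_argv(user: str) -> list:
    """Hardened form: validate first, then return an argv list. With a list,
    subprocess passes the value as a single argument and no shell is involved,
    so metacharacters have no effect even if validation were loosened."""
    if not validate_username(user):
        raise ValueError("invalid username")
    return [RESET_HELPER, user]


def run_reset(user: str) -> subprocess.CompletedProcess:
    """Execute without a shell (a list argv implies shell=False)."""
    return subprocess.run(safe_reset_argv(user), check=True, capture_output=True)


if __name__ == "__main__":
    # Constructed sample inputs: one benign name, one carrying shell syntax.
    for sample in ("alice", "bob; id"):
        print(f"{sample!r}: metachars={contains_shell_metachars(sample)} "
              f"valid={validate_username(sample)}")
        print("  flawed command string:", vulnerable_reset_command(sample))
        try:
            print("  hardened argv:", safe_reset_argv(sample))
        except ValueError as exc:
            print("  hardened argv: rejected,", exc)
```

The two controls are deliberately layered: the allow-list rejects anything that is not a plausible account name, and the argv form guarantees that even an unexpected value is delivered to the helper as data rather than parsed as shell syntax. The metacharacter check is there for detection, so rejected requests can be logged and correlated.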
SOLUTION:
The vendor advises users of STABLE and RELEASE branches to disable the "Allow cPanel users to reset their password via email" feature in the WebHostManager.
According to the vendor, fixes for the RELEASE tree are still pending and fixed builds may be available within the next 48 hours.
The vulnerability has been fixed in the latest versions of the EDGE and CURRENT branches.
PROVIDED AND/OR DISCOVERED BY:
Arab VieruZ
/* END */