cPanel 10.9.x - world readable /etc/cron.hourly/modsecparse.pl allows any local user to obtain the password to the modsec database



DESCRIPTION


modsecparse.pl is a utility that comes with the cPanel mod_security addon. Its purpose is to place the modsec logs from /usr/local/apache/logs/audit_log into the /var/lib/mysql/modsec database, then truncate the audit_log. It runs from cron, via /etc/cron.hourly. On older cPanel builds it was installed with permissions of 0755, allowing any local user to obtain the database credentials.


[user1@host ~]$ ls -l /etc/cron.hourly/modsecparse.pl
-rwxr-xr-x 1 root root 6118 Aug  3 01:38 /etc/cron.hourly/modsecparse.pl*
[user@host ~]$ egrep 'db(host|name|user|password)' /etc/cron.hourly/modsecparse.pl
my $dbhost     = 'localhost';
my $dbuser     = 'modsec';
my $dbpassword = 'nt4apSBCDypC';
my $dbname     = 'modsec';
[user@host ~]$ mysql -u modsec -pnt4apSBCDypC modsec -s
mysql>



IMPACT


Local users could access and manipulate the modsec database, resulting in a loss of integrity of the stored data.