cPanel 10.9.x - world readable /etc/cron.hourly/modsecparse.pl allows any local user to obtain the password to the modsec database
DESCRIPTION
modsecparse.pl is a utility that comes with the cPanel mod_security addon. Its purpose is to place the modsec logs from /usr/local/apache/logs/audit_log into the /var/lib/mysql/modsec database, then truncate the audit_log. It runs from cron, via /etc/cron.hourly. On older cPanel builds it was installed with permissions of 0755, allowing any local user to obtain the database credentials.
[user1@host ~]$ ls -l /etc/cron.hourly/modsecparse.pl -rwxr-xr-x 1 root root 6118 Aug 3 01:38 /etc/cron.hourly/modsecparse.pl* [user@host ~]$ egrep 'db(host|name|user|password)' /etc/cron.hourly/modsecparse.pl my $dbhost = 'localhost'; my $dbuser = 'modsec'; my $dbpassword = 'nt4apSBCDypC'; my $dbname = 'modsec'; [user@host ~]$ mysql -u modsec -pnt4apSBCDypC modsec -s mysql>
IMPACT
Local users could access and manipulate the modsec database, resulting in a loss of integrity of the stored data.