cPanel 10.9.0-STABLE_119 - random world readable files in /etc/vftp, some user password hashes viewable



DESCRIPTION


Some files in /etc/vftp/ ( which is a symlink to /etc/proftp/ ) were found to be world readable. These files contain the local users' system password hashes, as well as hashes to the users' FTP accounts, if any. Local system accounts added manually, such as staff accounts created via useradd, also had their account password information stored in this directory.

The vendor determined that this was occurring accidentally as part of the account suspension routine. When an account is suspended, the files in /etc/vftp are updated, and some files were having their permissions changed to 0644 (the default is 0640).


[user@host ~]$ ls -al /etc/vftp/
drwxr-xr-x  2 root root  4096 Oct  1 21:53 ./
drwxr-xr-x 75 root root 12288 Oct  2 11:00 ../
-rw-r-----  1 root root   175 Sep 24 11:48 alice
-rw-r-----  1 root root   275 Jun 22 13:45 bob
-rw-r--r--  1 root root   175 Sep 28 10:41 carol
-rw-rw----  1 root root   868 Sep 30 16:47 passwd.vhosts
-rw-------  1 root root  1081 Sep 30 16:47 passwd.vhosts.cache
[user@host ~]$ cat /etc/vftp/carol
carol:$1$BxAWmn63$J4Iyx.3Ki6wtUo1NS7A2e31:911:908::/home/carol:/bin/bash
carol_logs:$1$BxAWmn63$J4Iyx.3Ki6wtUo1NS7A2e/31:911:908:carol:/usr/local/apache/domlogs/carol:/bin/ftpsh



IMPACT


Local users could obtain the password hashes of various other users' accounts.