cPanel 10.9.0-STABLE_119 - random world readable files in /etc/vftp, some user password hashes viewable
DESCRIPTION
Some files in /etc/vftp/ (which is a symlink to /etc/proftp/) were found to be world readable. These files contain the local users' system password hashes, as well as the hashes for the users' FTP accounts, if any. Local system accounts added manually, such as staff accounts created via useradd, also had their account password information stored in this directory.
The vendor determined that this was occurring accidentally as part of the account suspension routine. When an account is suspended, the files in /etc/vftp are updated, and some files had their permissions changed to 0644 (the default is 0640).
[user@host ~]$ ls -al /etc/vftp/
drwxr-xr-x   2 root root  4096 Oct  1 21:53 ./
drwxr-xr-x  75 root root 12288 Oct  2 11:00 ../
-rw-r-----   1 root root   175 Sep 24 11:48 alice
-rw-r-----   1 root root   275 Jun 22 13:45 bob
-rw-r--r--   1 root root   175 Sep 28 10:41 carol
-rw-rw----   1 root root   868 Sep 30 16:47 passwd.vhosts
-rw-------   1 root root  1081 Sep 30 16:47 passwd.vhosts.cache
[user@host ~]$ cat /etc/vftp/carol
carol:$1$BxAWmn63$J4Iyx.3Ki6wtUo1NS7A2e31:911:908::/home/carol:/bin/bash
carol_logs:$1$BxAWmn63$J4Iyx.3Ki6wtUo1NS7A2e/31:911:908:carol:/usr/local/apache/domlogs/carol:/bin/ftpsh
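An added audit helper, not part of the advisory or of cPanel, that lists regular files in /etc/vftp (or any directory given as its first argument) carrying the world-read bit and can strip it again so the 0644 files left by the suspension routine go back to 0640; the directory path, the dry-run/apply switch and the function names are assumptions.

```shell
#!/bin/sh
# Audit helper for the /etc/vftp permission problem: report regular files
# readable by "other" and optionally reset them. Added example; the
# directory, function names and the "apply" switch are assumptions.

# Print, one per line, the regular files directly under $1 with o+r set.
world_readable_files() {
    find "$1" -maxdepth 1 -type f -perm -o=r | sort
}

# Number of offending files; 0 means the directory is clean.
world_readable_count() {
    world_readable_files "$1" | wc -l | tr -d ' '
}

# Strip all world permission bits from offending files, which for the
# 0644 case restores the 0640 default. Pass "apply" as $2 to change modes;
# anything else is a dry run that only prints what would change.
fix_world_readable() {
    fdir=$1
    fmode=${2:-dryrun}
    world_readable_files "$fdir" | while IFS= read -r f; do
        if [ "$fmode" = apply ]; then
            chmod o-rwx "$f" && echo "fixed: $f"
        else
            echo "would fix: $f"
        fi
    done
}

# Stand-alone use: audit /etc/vftp (or $1) when that directory exists.
dir=${1:-/etc/vftp}
if [ -d "$dir" ]; then
    n=$(world_readable_count "$dir")
    if [ "$n" -eq 0 ]; then
        echo "$dir: no world-readable files"
    else
        echo "$dir: $n world-readable file(s):"
        world_readable_files "$dir"
    fi
fi
```

Run it as root on the affected host after a suspension to confirm nothing in /etc/vftp is world readable; pass `apply` to `fix_world_readable` only after reviewing the dry-run list.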
IMPACT
Local users could obtain the password hashes of various other users' accounts.