cPanel 11.23.1-EDGE_24268 - local users cache files overwrite


Non-reseller users could use a directory traversal in ~/.lang to overwrite the cPanel theme files stored in /var/cpanel/lang.cache/theme/.

First, the user needed to create a file in their home directory (~) named after a valid theme on the box, such as /home/username/english:

[user@host ~]$ touch english

Second, the user needed to create an entry containing a valid theme name in ~/.lang:


Next, the user needed to send any valid request to cpsrvd (e.g., GET /frontend/x3/index.html HTTP/1.1). Once the request had been made, the following files would be overwritten with the contents of /home/username/english:



Local users could overwrite theme files, affecting everyone logging into cPanel or WHM.
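
The fix for this class of bug is to treat the name read from a user-owned file as untrusted before a privileged process turns it into a path in a shared cache. The following is an added example, not cPanel's code: the function names, the root/theme/name cache layout, the allowlist of installed names and the sample inputs are all assumptions made for illustration.

```python
import os
import re
import tempfile

# Assumption: names are simple tokens such as "english"; the real ~/.lang
# format is not shown in the advisory.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


class UnsafeName(ValueError):
    """Raised when a user-supplied name must not be used to build a cache path."""


def resolve_cache_path(cache_root, theme, name, installed):
    """Return the cache file path for (theme, name), or raise UnsafeName."""
    for part in (theme, name):
        # fullmatch rejects separators, dots, NUL, newlines and empty strings.
        if not NAME_RE.fullmatch(part):
            raise UnsafeName(f"illegal characters in {part!r}")
    # Allowlist: only names the server itself installed are acceptable.
    if name not in installed:
        raise UnsafeName(f"{name!r} is not an installed name")
    root = os.path.realpath(cache_root)
    candidate = os.path.realpath(os.path.join(root, theme, name))
    # Containment check after symlink resolution: must stay under the root.
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafeName(f"{candidate!r} escapes {root!r}")
    return candidate


def check_names(names):
    """Run each sample through the resolver; return {name: accepted?}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "lang.cache")  # stand-in for the real cache root
        os.makedirs(os.path.join(root, "x3"))
        for n in names:
            try:
                resolve_cache_path(root, "x3", n, installed={"english", "french"})
                results[n] = True
            except UnsafeName:
                results[n] = False
    return results


# Constructed, generic test inputs; not the ~/.lang entry from the advisory.
SAMPLES = ["english", "../english", "/home/username/english", "english\n", "klingon", ""]

if __name__ == "__main__":
    for name, ok in check_names(SAMPLES).items():
        print(f"{name!r:28} {'accepted' if ok else 'rejected'}")
```

Validation alone does not remove the underlying risk of a privileged daemon copying user-owned content into a cache shared by all accounts; reading the user's file with that user's privileges and building cache entries only from server-owned sources closes that gap.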