cPanel Horde Vulnerability Found - Please update your cPanel ASAP




Posted by Virtuoso Host, 03-07-2008, 12:04 AM
An arbitrary file inclusion vulnerability has been discovered in the Horde webmail application. At present, we can confirm that this security vulnerability in question affects Horde 3.1.6 and earlier. Based on incomplete information at this time, we also believe this affects Horde Groupware 1.0.4 and earlier as well (cPanel does not use Horde Groupware at this time). cPanel customers should update their cPanel and WHM servers immediately to prevent any chance of compromise.

The patch will be available in builds 11.18.2 and greater (or 11.19.2 and greater for EDGE systems). The updated builds will be available immediately to all fast update servers. The builds will be available to all other update servers within one hour of this posting.

To check which version of cPanel and WHM is on your server, simply log into WebHost Manager (WHM) and look in the top right corner, or execute the following command from the command line as root:

/usr/local/cpanel/cpanel -V

You can upgrade your server by navigating to 'cPanel' -> 'Upgrade to Latest Version' in WebHost Manager or by executing the following from the command line as root:

/scripts/upcp

It is recommended that all use of Horde 3.1.6 and earlier be stopped (on cPanel and non-cPanel systems alike) until Horde updates can be applied. You can disable Horde on your cPanel system by unchecking the box next to 'Server Configuration' -> 'Tweak Settings' -> 'Mail' -> 'Horde Webmail' within WHM, and saving the page with the new settings.
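The version check and the "disable Horde" step in the post above, turned into a script an admin could drop on a box. This is an added example and not part of the original post or of cPanel's own tooling. It uses only the build numbers the post gives (11.18.2+, or 11.19.2+ for EDGE) and treats every later version as carrying the fix; the handling of a "-R<build>" suffix on the version string, and the assumption that unchecking 'Horde Webmail' in Tweak Settings writes `skiphorde=1` to /var/cpanel/cpanel.config, are my assumptions, not statements from the post.

```sh
#!/bin/sh
# Added example, not from the original post. Decides whether a cPanel/WHM
# version string already carries the Horde fix, using the build numbers the
# post gives: 11.18.2 and greater, or 11.19.2 and greater for EDGE. Any later
# version is treated as fixed (assumption). The "-R<build>" suffix handling
# and the "skiphorde=1" key in /var/cpanel/cpanel.config are assumptions.

# version_ge A B: return 0 (true) if dotted version A >= B, comparing
# numerically field by field (up to four fields).
version_ge() {
    va=$(printf '%s' "$1" | sed 's/-.*//')   # drop any "-R12345" build suffix
    vb=$(printf '%s' "$2" | sed 's/-.*//')
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$va" | cut -s -d. -f"$i")
        y=$(printf '%s' "$vb" | cut -s -d. -f"$i")
        x=${x:-0}
        y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# horde_patched VERSION: echo "patched" or "vulnerable" for a cPanel/WHM version.
horde_patched() {
    if version_ge "$1" 11.19.2; then
        echo patched                    # EDGE 11.19.2+ and anything newer
    elif version_ge "$1" 11.18.2 && ! version_ge "$1" 11.19.0; then
        echo patched                    # 11.18.2 .. 11.18.x
    else
        echo vulnerable                 # 11.18.1 and older, or EDGE 11.19.0/11.19.1
    fi
}

# horde_enabled CONFIG: echo "disabled" if CONFIG contains skiphorde=1, else "enabled".
# Assumption: the Tweak Settings checkbox from the post maps to this key.
horde_enabled() {
    if grep -q '^skiphorde=1$' "$1" 2>/dev/null; then
        echo disabled
    else
        echo enabled
    fi
}

# check_server: live check on a cPanel server, run as root. Takes the first
# token of `cpanel -V` output as the version (assumption about output format).
check_server() {
    v=$(/usr/local/cpanel/cpanel -V 2>/dev/null | awk 'NR == 1 { print $1 }')
    [ -n "$v" ] || { echo "cPanel binary not found"; return 2; }
    echo "cPanel/WHM $v: Horde fix $(horde_patched "$v"), Horde $(horde_enabled /var/cpanel/cpanel.config)"
}
```

Running `check_server` on a box that is still on 11.18.1 with Horde enabled is the case the post is warning about: vulnerable build, webmail still reachable. Either upgrading via /scripts/upcp or flipping the Tweak Settings checkbox changes one half of that line.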

Posted by tanfwc, 03-07-2008, 12:25 AM
It seems that only Edge build has the latest patch at the moment.

Posted by jpetersen, 03-07-2008, 01:19 AM
Not trying to nitpick here, but I'd like to point out for those that may not be aware: Horde is a 3rd party application that is installed when cPanel is installed (just like Apache, or Exim, or PureFTPd for example). It is developed and maintained by a separate group than the cPanel team. The title of the thread - "cPanel Horde Vulnerability" - is a bit misleading I think, as the vulnerability exists within Horde itself, and is not exclusive to Horde on cPanel servers. Good thread, nice to see the information getting out there across multiple channels. Excellent work by the cPanel team on independently addressing the issue as well.

Posted by zacharooni, 03-07-2008, 01:26 AM
Looks like the admins over at HostGator found this one out and already have a detection and resolution. Check here for more details: http://forums.hostgator.com/showpost...2&postcount=10 Outstanding job

Posted by MaB, 03-07-2008, 01:37 AM
Can you post the contents for those without a hostgator login? Also, does cpanel HORDE run as ROOT?

Posted by zacharooni, 03-07-2008, 01:50 AM
From their forums

Posted by MontcoWeb, 03-07-2008, 04:12 AM
I agree, glad to see how quickly cPanel jumped on this one.

Posted by cPanelDavidG, 03-07-2008, 01:58 PM
The patch is in all builds of cPanel/WHM (EDGE, CURRENT, RELEASE, STABLE). Last edited by cPanelDavidG; 03-07-2008 at 01:59 PM. Reason: Clarified my usage of the word "build"

Posted by BrentOfHG, 03-07-2008, 02:42 PM
You can read more here... http://www.securityfocus.com/archive.../30/0/threaded

Posted by JonnyQuags, 03-07-2008, 05:48 PM
From the description on SecurityFocus it would seem Horde on cPanel servers does run as root, as I can't imagine any other way this exploit could possibly lead to a root compromise.

Posted by Patrick, 03-07-2008, 06:18 PM
Horde does not run as root, but I think the advisory means that in a worst case scenario and under the right conditions, root could be obtained. Personally, I don't think the exploit is as bad as some of the other ones found in cPanel over the last few months that were not openly disclosed.

Posted by JonnyQuags, 03-07-2008, 06:37 PM
I looked more into this and you are correct, it does not run as root.

Posted by BrentOfHG, 03-09-2008, 07:03 AM
This exploit can have root escalation in it. Since some of the files in the /usr/local/cpanel dir were owned by cpanel, this means that when this exploit was run as the user name "cpanel", any file owned by cpanel could have had code injected. Here is a quick example. Say Horde was exploited, and the hacker injected code in your phpMyAdmin index.php file to e-mail "/root/.accesshash" every time phpMyAdmin was run. If you as the admin on the box went to phpMyAdmin on the server with WHM as root, you would have sent them an e-mail with your access hash in it... They could do anything they want if you run phpMyAdmin as root with any type of code injection. cPanel has corrected the Horde vulnerability as well as changed the ownership on the files. By changing the ownership this reduces the risk of anything else in cPanel being exploited if the uid is cpanel on an exploit.
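The escalation chain in the post above depends on one condition: files that root later executes (phpMyAdmin's index.php in the example) being writable by the unprivileged account Horde runs as. The audit below is an added example, not code from the thread or from cPanel, that looks for exactly that condition in a directory tree. The path /usr/local/cpanel and the account name "cpanel" are taken from the post; the audit logic itself, including treating group- or world-writable files as equally risky, is my own illustration.

```sh
#!/bin/sh
# Added example, not from the original thread. Audits a directory tree for
# files that a compromised low-privilege account could rewrite and that root
# may later execute, the condition the post describes for /usr/local/cpanel
# files owned by "cpanel". Path and account name come from the post; the
# audit logic is illustrative.

# files_owned_by DIR USER: regular files under DIR owned by USER.
files_owned_by() {
    find "$1" -type f -user "$2" 2>/dev/null | sort
}

# writable_by_others DIR: regular files under DIR that are group- or
# world-writable, which any account in the group (or anyone) could modify.
writable_by_others() {
    find "$1" -type f \( -perm -g+w -o -perm -o+w \) 2>/dev/null | sort
}

# risky_count DIR USER: number of distinct files under DIR that USER could
# modify, either through ownership or through loose permissions.
risky_count() {
    { files_owned_by "$1" "$2"; writable_by_others "$1"; } | sort -u | wc -l | tr -d ' '
}

# report DIR USER: print the count and return non-zero when anything is
# flagged, so the script can gate a cron job or a post-upgrade check.
report() {
    n=$(risky_count "$1" "$2")
    echo "$n file(s) under $1 modifiable by $2"
    [ "$n" -eq 0 ]
}

# Usage on a cPanel server (as root):  report /usr/local/cpanel cpanel
```

After the cPanel update the post mentions, `report /usr/local/cpanel cpanel` should come back empty; a non-zero count points at files that a Horde-level compromise could still turn into the phpMyAdmin scenario above.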

Posted by MaB, 03-09-2008, 12:16 PM
This is what I'm concerned about. So do 3rd party applications such as Horde, phpMyAdmin, SquirrelMail and others no longer run as cpanel?

Posted by jpetersen, 03-09-2008, 02:35 PM
Thanks for the clarification. The day the cPanel updates were released, I checked to see what files had been modified by the update. I noticed that cPanel was now changing permissions on particular files and directories related to Horde, so I figured the exploit you guys did up was a combination of abusing the bug that was in Horde and taking advantage of particular cPanel design implementations as a result. I was just pointing out that the bug that allows for all of this to happen is within software that is developed by an entity other than cPanel. I do understand that your exploit was specifically written for cPanel servers, due to permissions on particular files. Thanks again for clarifying and for disclosing the issue to cPanel.


