cPanel before 67.9999.103 allows Apache HTTP Server log files to become world-readable because of mishandling on an account rename (SEC-296).
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Cpanel | Cpanel | 55.9999.61 (including) | 56.0.52 (excluding) |
| Cpanel | Cpanel | 59.9999.58 (including) | 60.0.48 (excluding) |
| Cpanel | Cpanel | 61.9999.55 (including) | 62.0.30 (excluding) |
| Cpanel | Cpanel | 64.0.0 (including) | 64.0.40 (excluding) |
| Cpanel | Cpanel | 65.9999.38 (including) | 66.0.23 (excluding) |
| Cpanel | Cpanel | 67.9999.64 (including) | 67.9999.103 (excluding) |
While logging all information may be helpful during development stages, it is important that logging levels be set appropriately before a product ships so that sensitive user data and system information are not accidentally exposed to potential attackers. Different log files may be produced and stored for: