cPanel Security Update Advisory

By | 1 May 2008

Several potential security issues have been identified with cPanel software and Horde, a 3rd party bundled application. cPanel releases prior to 11.18.4 and 11.22.2 are susceptible to security issues, which range in severity from trivial to medium-critical. Along with the discovery of these potential issues, cPanel has released a new security tool to provide users with protection from XSRF attacks.

Update Advisory
==============================
All STABLE and RELEASE users are strongly urged to update to their respective 11.18.5 release. CURRENT and EDGE users should update to the latest 11.22.3 release. No releases are deemed susceptible to severe, critical or root access vulnerabilities.

XSRF Protection
==============================
cPanel has also introduced a tool designed to protect against a category of attacks known as cross-site request forgery (XSRF). This tool will validate the browser referrer information against an approved list of domains.

The list of approved domains is automatically determined according to the system’s configuration. Any blocked requests are presented to the end user for approval. This additional step will minimize disruption of workflow while protecting the user from an outside XSRF attack. This check will not prevent bookmarked links in modern browsers from working normally.

Source: http://blog.cpanel.net/?p=39