cPanel and PCI Compliancy
Hi,
I'm looking into some solutions to vulnerabilities found by a PCI scanning box and was looking for some possible solutions that could be implemented. The problems are as follows:
Account Name Enumeration: Requests of the following format hostname/~accountname will yeild a 403 error if the account name is valid and a 404 error if it is not.
Mail Server Accepts Plaintext Credentials: Is there a simple way of implementing SSL over POP3?
Thank you
- Duncan
Regarding the "/~username/" (mod_userdir) access, this access method can be disabled to alleviate the problem by enabling "mod_userdir" protection and ensuring that no sites/users are excluded so that none can be easily guessed via dictionary attack:
WHM: Main >> Security Center >> Apache mod_userdir Tweak
Documentation for Security Center and mod_userdir protection:
WHM Security Center
Apache mod_userdir Tweak
Regarding POP3 and IMAP over SSL, it is possible to adjust and tweak the POP3/IMAP mail server configuration via WHM, including toggling the protocol, plaintext authentication, and SSL cipher list:
WHM: Main >> Service Configuration >> Mailserver Configuration
Here is our documentation further detailing this functionality:
Mailserver Configuration
Last edited by cPanelDon; 01-11-2010 at 10:33 PM. Reason: Revised documentation links
cPResources: Submit a Support Request - Submit a Bug Report - Review existing Tickets-- Donald cPanelDon Holl - Analyst, cPanel Quality Assurance
One more question.
Hi again,
Thanks for the reply. I just had one more question pertaining to a PCI scan.
Ports 2095, 2086, 2082 and 80 are all reporting the following vulnerability:
Web Server Uses Plain-Text Form Based Authentication
I realize that the developers will have to host the login on 443 as opposed to 80. However, I was wondering if 2095, 2086, and 2082 are utilized for authentication. Or, if they are simply used to return the Cpanel login script as I had read elsewhere.
Also, if they are used for authentication, is there a workaround to avoid this vulnerability?
Regards,
Duncan
I think what you're looking for can be found in WHM > Tweak Settings Page > Redirection settings.
Always redirect users to the ssl/tls ports when visiting /cpanel, /webmail, etc.
Also check out the Security section on Tweak Settings page for other misc tweaks to lock down your security.
To avoid having login data sent over a non-SSL connection or port, there is a new security feature in version 11.25 to require SSL for remote logins to force using SSL for access to cPanel, WHM, and Webmail.
WHM: Main >> Server Configuration >> Tweak Settings
* Require SSL for all remote logins to cPanel, WHM and Webmail. This setting is recommended.
This is outlined in the 11.25 release notes (PDF) available at the following URL(s):
cPanel 11.25
ReleaseNotes < AllDocumentation < TWiki
cPResources: Submit a Support Request - Submit a Bug Report - Review existing Tickets-- Donald cPanelDon Holl - Analyst, cPanel Quality Assurance
LinkBack URL
About LinkBacks
Reply With Quote