  1. #1
    Member handsonhosting's Avatar
    Join Date
    Feb 2002
    Location
    Omaha, NE
    Posts
    150
    cPanel/Enkompass Access Level

    Root Administrator

    PCI Compliance fail - Port 2096

    We received a report from ControlScan regarding port 2096 and the cookies being set on this port;

    Cookie Without HTTPOnly Attribute Can Be Accessed By Scripts - TCP: 2096

    A cookie without the HTTPOnly attribute could be susceptible to theft by cross-site scripting attacks.
    Cookies are a method of transmitting state information between web servers and clients. The HTTPOnly attribute specifies
    that a cookie may be used for HTTP requests only, and cannot be accessed by client-side scripts.
    There is a vulnerability in the way that some devices, especially web servers, store cookies on a user's system. If the
    HTTPOnly attribute is not set in the Set-Cookie header, the user-agent allows the cookie to be accessed by client-side script.
    If cross-site scripting vulnerabilities exist on the web server, then the cookie could be stolen by an attacker, possibly leading
    to session hijacking.
    Related CVE entries: CVE 2009-3566 McAfee IntruShield Network Security Manager
    For more information on the HTTPOnly attribute, see http://www.owasp.org/index.php/HTTPOnly OWASP.
    For more information about the session hijacking vulnerability in McAfee IntruShield Network Security Manager, see McAfee
    Security Bulletin SB10005.

    Solution:
    Modify web applications to set the HTTPOnly attribute for all cookies, or apply a patch or upgrade from your vendor.
    Information from Target:
    Service: 2096:TCP
    Received: Set-Cookie: logintheme=cpanel; path=/; secure; port=2096

    Any thoughts for a solution?
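    The check the scanner is performing is simple to reproduce locally, and having it in hand makes it easy to confirm a fix before the next scan. The following is an added example written for this thread, not cPanel code and not ControlScan's scanner. It parses raw Set-Cookie headers, reports any cookie that lacks HttpOnly (the finding above) and, going slightly beyond the report, any that lacks Secure; it also shows the hardened form of the header. The first sample header is the one quoted in the scan report; the other two are constructed to exercise the remaining branches.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Added example for this thread; not cPanel's code and not the scanner's.
SAMPLE_HEADERS is constructed: the first entry is the header quoted in the
ControlScan report, the other two are made up to exercise the other cases.
"""
import re

SAMPLE_HEADERS = [
    "Set-Cookie: logintheme=cpanel; path=/; secure; port=2096",  # from the report
    "Set-Cookie: sessionid=abc123; path=/; HttpOnly",           # constructed
    "Set-Cookie: tracking=xyz; path=/; Secure; HttpOnly",       # constructed
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute_lower: value}).

    Attribute names are matched case-insensitively, as browsers do, so
    'secure', 'Secure' and 'SECURE' are all recognised.
    """
    body = re.sub(r"^set-cookie:\s*", "", header, flags=re.IGNORECASE)
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookie(header):
    """Return the list of findings for one header; an empty list means it passes."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable by client-side script)")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (may be sent over plain HTTP)")
    return findings


def audit_all(headers):
    """Run audit_cookie over every header and collect the findings."""
    findings = []
    for header in headers:
        findings.extend(audit_cookie(header))
    return findings


def harden(header):
    """Return the header with Secure and HttpOnly appended where they are absent.

    This is the 'modify the application to set HttpOnly' fix from the report,
    applied to the header text itself.
    """
    _, _, attrs = parse_set_cookie(header)
    out = header.rstrip("; ")
    if "secure" not in attrs:
        out += "; Secure"
    if "httponly" not in attrs:
        out += "; HttpOnly"
    return out


if __name__ == "__main__":
    for finding in audit_all(SAMPLE_HEADERS):
        print("FAIL", finding)
    print("hardened:", harden(SAMPLE_HEADERS[0]))
```

    Run against the header from the report, the audit flags only the missing HttpOnly attribute (the `secure` flag is already present), which matches what the scanner reported; the `port=2096` attribute is a legacy RFC 2965 attribute and has no bearing on either check. To verify a fix on a live server, capture the actual response headers from port 2096 with a client that does not follow redirects and feed each Set-Cookie line to `audit_cookie`.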

  2. #2
    Member disappointed's Avatar
    Join Date
    May 2007
    Location
    Houston
    Posts
    12


    Set ports 2095:2096 to drop all attempted connections and you will pass PCI. Be sure to loop them back to localhost for cPanel and WHM, or they will complain about it and shut down services...

    If you need access to these ports yourself, make sure you place your IP between the loopback and the drop statement to retain use of the service.
    Last edited by disappointed; 08-19-2010 at 07:01 AM.

  3. #3
    Member
    Join Date
    Jun 2010
    Posts
    3


    Hey there,

    Two things should be noted here.

    1. This is a fairly minor potential attack vector and shouldn't necessarily dictate a full failure of PCI compliance.

    2. We've already patched this in our internal builds and will be rolling this out fairly soon in the 11.25.0 builds and above. Due to the nature of development, I can't necessarily give you an exact timeline, but the patch is ready to roll and should be released shortly.

  4. #4
    Member handsonhosting's Avatar
    Join Date
    Feb 2002
    Location
    Omaha, NE
    Posts
    150
    cPanel/Enkompass Access Level

    Root Administrator


    No other scanning companies are reporting it as of yet, just ControlScan.

    Disabling the ports as suggested by "disappointed" is not an option as those ports are used for the webmail login.

    Thanks for the update regarding the fix being rolled into a new release.
