A client of mine is having problems getting SecurityMetrics to pass their PCI DSS scan because of an alleged issue with the webmail login page.
The issue was initially detected as an insecure version of HP OpenView running on the server, because the URL http://www.domain.name:2095/OvCgi/co...pl?node=a\x7cw returned a response.
After a few emails back and forth, SecurityMetrics recognised that HP OpenView was not installed, but said that the issue was that the webmail login form was including the request URL in a hidden 'goto_uri' field in the login form, which 'may not be' sanitised.
Below is their email regarding the issue; any help on this would be appreciated. Is this really a problem, or just another false positive from SecurityMetrics? These guys, and indeed the whole PCI DSS compliance system, are causing me and many of my clients a massive headache. Is it just me?!
----
Mr X,
The issue isn't necessarily with HP OpenView; it is that the way the server is responding is commonly an HP error, but in their case it's a problem with WebMail. I looked into this with my supervisor and we found the following:
<body>
<div id="wrap">
<div id="top-mail"></div>
<div id="mid">
<div id="content-wrap" align="center">
<form action="/login/" method="post" >
<input type="hidden" name="login_theme" value="cpanel" />
<table width="200" class="login" cellpadding="0" cellspacing="0">
<tr>
<td align="left"><b>Login</b></td>
<td> </td>
</tr>
<tr>
<td class="login_lines">Email:</td>
<td class="login_lines"><input type="text" tabindex="1" id="user" name="user" size="16" /></td>
</tr>
<tr class="row2">
<td class="login_lines">Password:</td>
<td class="login_lines"><input type="password" tabindex="2" id="pass" name="pass" size="16" /></td>
</tr>
<tr>
<td colspan="2" style="text-align: center"><input type="submit" tabindex="3" id="login" value="Login" class="input-button" /></td>
</tr>
</table>
<input type="hidden" name="goto_uri" value="/OvCgi/connectedNodes.ovpl?node=a\x7cw" />
</form>
That last input line includes a hidden form field whose value is "/OvCgi/connectedNodes.ovpl", which was probably taken from our original GET request, as shown here:
Code:
$ telnet www.domain.tld 2095
Trying 123.123.x.x...
Connected to www.domain.tld.
Escape character is '^]'.
GET /OvCgi/connectedNodes.ovpl?node=a\x7cw HTTP/1.0
Host: www.domain.tld:2095
User-Agent: Mozilla/4.0
Connection: Keep-alive

Their page may not be sanitizing the user-supplied input, which would cause this to flag. I would see if there is an update from cPanel that may fix the issue.
---
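What the scanner's reasoning implies is worth checking rather than guessing about. A hidden field that echoes the request URI can matter in two ways: if the value is not HTML-attribute-escaped, a request path containing a double quote can terminate the attribute and inject markup into the login page; and if the post-login redirect follows whatever goto_uri says, an absolute URL in that field turns the login form into an open redirect. The following is an added example (not from the original post, and not cPanel's own code) that models both behaviours and the checks for them. The login page template, the render_unsafe and render_safe functions, and the probe URIs other than the one from the thread are all constructed for illustration; the regex assumes the field is written the way the quoted form shows it.

```python
import html
import re
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit

# Matches the hidden field exactly as it appears in the quoted login form.
GOTO_URI_RE = re.compile(
    r'<input[^>]*\bname="goto_uri"[^>]*\bvalue="([^"]*)"', re.IGNORECASE)

# Minimal stand-in for the login page (constructed, not cPanel's template).
LOGIN_TEMPLATE = (
    '<form action="/login/" method="post">'
    '<input type="hidden" name="goto_uri" value="{goto}" />'
    '</form>'
)

# Request URIs used as probes. SCANNER_URI is the one from the thread; the
# other two are constructed test inputs.
SCANNER_URI = "/OvCgi/connectedNodes.ovpl?node=a\\x7cw"
PROBE = '/x"><script>alert(1)</script>'
EVIL = "http://evil.example/phish"


def is_local_redirect(target: str) -> bool:
    """True only for a same-site path such as /webmail/.

    Rejects absolute URLs, scheme-relative //host, the /\\host form that
    browsers also treat as scheme-relative, and javascript: URLs.
    """
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False
    return target.startswith("/") and target[1:2] not in ("/", "\\")


def render_unsafe(request_uri: str) -> str:
    """Hypothetical server behaviour: request URI dropped in verbatim."""
    return LOGIN_TEMPLATE.format(goto=request_uri)


def render_safe(request_uri: str) -> str:
    """Hypothetical hardened behaviour: attribute-escape the value and keep
    it only when it is a local path, otherwise fall back to the site root."""
    target = request_uri if is_local_redirect(request_uri) else "/"
    return LOGIN_TEMPLATE.format(goto=html.escape(target, quote=True))


def goto_uri_value(body: str) -> Optional[str]:
    """Decoded goto_uri value as a browser would submit it, or None."""
    m = GOTO_URI_RE.search(body)
    return html.unescape(m.group(1)) if m else None


def injectable(body: str, probe: str) -> bool:
    """True if a probe containing attribute-breaking characters is reflected
    raw, i.e. the server did not HTML-escape it before emitting the page."""
    return probe in body and any(c in probe for c in '"<>&')


def assess(render: Callable[[str], str], request_uri: str) -> Dict[str, object]:
    """Run one request URI through a page renderer and report what the
    resulting login page would do with it."""
    body = render(request_uri)
    value = goto_uri_value(body)
    return {
        "injectable": injectable(body, request_uri),
        "redirect_target": value,
        "open_redirect": value is not None and not is_local_redirect(value),
    }


if __name__ == "__main__":
    for name, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        for uri in (SCANNER_URI, PROBE, EVIL):
            print(f"{name:6} {uri!r}: {assess(render, uri)}")
```

To settle the question against the real server rather than the stand-in, send the PROBE path over the same telnet or curl request SecurityMetrics used and feed the response body to goto_uri_value and injectable: the scanner's own request URI contains nothing that needs escaping, so it cannot tell an escaped reflection from a raw one. Then log in with an absolute URL in goto_uri and see whether the application follows it. If the reflection is escaped and the redirect is confined to local paths, the finding is a false positive that can be documented as such.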