[Case 35876] cpdavd via http PCI compliance issue

[Serra]

I got hit on a PCI compliance issue where cpdavd is accessible via http. I found several older threads about this, but they all indicate that the issue should be close now that I'm on 11.30.4.

If I go to my server via server.com I get a login pop up. Shouldn't that be forced to https?

 

[Infopro]

You can change your Redirection settings here:
WHM > Server Configuration > Tweak Settings, Redirection tab.

 

[Serra]

I have "Always redirect to SSL" set to ON, it been set like that for years. I've test the URL at port 2077 and it is not being redirected.

 

[cPanelMichael]

Hello

I suggest opening a support ticket with our staff so we can see the exact configuration in-place and offer advice. You can open a ticket using the following URL:

Submit A Ticket

Thank you.

 

[cPanelKenneth]

The redirection tweak setting doesn't apply to cpdavd, only cpsrvd.

 

[Serra]

So should cpdavd be redirected or not? It is not being redirected now. Is there a way to redirect it so that it doesn't show up on my PCI report?

 

[Serra]

Resolution: After putting in a ticket I was told that cpdavd is not PCI compliant and can't be made so. The only resolution offered was to block port 2077 to prevent cpdavd from using basic authentication. I've done that, I don't believe any of my customers are using cpdavd, but if they were, the only way to allow it would be to pinhole that customer for that port, while that would also be PCI noncomplainant, it wouldn't show up on the PCI reports.

I got the impression that at some point this may be resolved with an upgrade.

 

[storminternet]

Hi,

May be future release of cPanel will covered this bug but it is easy to block the pci non-compliant port in firewall.

 

[DanS.]

Hello,

I certainly understand and appreciate your desire for this feature. Please feel free to open a feature request so that we may look into the possibility of introducing this in future releases.

Feature Requests for cPanel/WHM

Thank you for your interest in improving cPanel.

 

[inetbizo]

How can it be a feature IF cpanel software would fail a compliance audit by allowing 2077 in the first place? Please post some global apache include mod_rewrite on the insecure port(s)?

 

[cPanelTristan]

We have case 35876 opened internally to restrict WebDAV (cpdavd) to listen only on SSL ports. I've added this forum discussion to that case so your concerns are noted there.

As for mod_rewrite, mod_rewrite would not be the ideal solution to blocking a port. Blocking port 2077 in the firewall or iptables would be faster to process, easier to accomplish, and less intensive on the machine. As such, simply remove port 2077 for listening in your firewall:

/sbin/iptables -I INPUT -p tcp --destination-port 2077 -j DROP

After blocking the port for incoming connections, then save the firewall rules:

service iptables save

 

[DomineauX]

Just wanted to add support for a solution to this issue other than a simple firewall block of the port.
cPanel should strive to resolve any PCI issues related to the product itself and running an insecure access for WebDISK opens a PCI issue so please provide an integrated option to disable insecure access via WHM.

 

[Blakles]

We have case 35876 opened internally to restrict WebDAV (cpdavd) to listen only on SSL ports. I've added this forum discussion to that case so your concerns are noted there.

As for mod_rewrite, mod_rewrite would not be the ideal solution to blocking a port. Blocking port 2077 in the firewall or iptables would be faster to process, easier to accomplish, and less intensive on the machine. As such, simply remove port 2077 for listening in your firewall:

/sbin/iptables -I INPUT -p tcp --destination-port 2077 -j DROP

After blocking the port for incoming connections, then save the firewall rules:

service iptables save

How exactly do you block port 2077 in the firewall or iptable? Where do you go inside WHM to do this?
I tried going to WHM > ConfigServer Security & Firewall > Firewall Configuration and removed 2077 from the 'Allow incoming TCP ports' section, but I still get a login box when visiting: domain.com:2077 or http://ip:2077

 

[cPanelTristan]

Hello,

Since CSF isn't provided by cPanel as part of WHM, I cannot detail how to block the port in CSF. I can detail how to do it in root SSH command line via iptables:

/sbin/iptables -I INPUT -p tcp --dport 2077 -j DROP

I used the above to block the port and it worked for me. You'd then need to save the new configuration:

service iptables save

You may wish to post on the CSF forum for questions on how to configure settings in their firewall software:

CSF Forum

Thanks!

 

[DomineauX]

How exactly do you block port 2077 in the firewall or iptable? Where do you go inside WHM to do this?
I tried going to WHM > ConfigServer Security & Firewall > Firewall Configuration and removed 2077 from the 'Allow incoming TCP ports' section, but I still get a login box when visiting: domain.com:2077 or http://ip:2077

What you did is correct so your own IP is likely on the allow list which is why you were still able to access port 2077.

 

[dolphyn]

I agree there should be an option to require SSL for cpdavd. Firewall blocking isn't really a solution, because the PCI people insist on being whitelisted in firewall settings.


If you don't need cpdavd, you can disable it completely:

/usr/local/cpanel/etc/init/stopcpdavd

touch /etc/cpdavddisable

Then use WHM Feature Manager "disabled" feature list to remove the icon from CPanel.

The /etc/cpdavddisable file doesn't need to be empty, so you can edit it to give yourself a reminder of why it's there. I included the URL of this forum thread in mine.


(I don't know if /etc/cpdavddisable is documented anywhere, but I happened to notice a reference to it in /usr/local/cpanel/etc/init/startcpdavd.)

 

[vlee]

I agree there should be an option to require SSL for cpdavd. Firewall blocking isn't really a solution, because the PCI people insist on being whitelisted in firewall settings.


If you don't need cpdavd, you can disable it completely:

/usr/local/cpanel/etc/init/stopcpdavd

touch /etc/cpdavddisable

Then use WHM Feature Manager "disabled" feature list to remove the icon from CPanel.

The /etc/cpdavddisable file doesn't need to be empty, so you can edit it to give yourself a reminder of why it's there. I included the URL of this forum thread in mine.


(I don't know if /etc/cpdavddisable is documented anywhere, but I happened to notice a reference to it in /usr/local/cpanel/etc/init/startcpdavd.)

Is the case with Web Disk going to get fixed?

I had customers using it until PCI Scans killed that feature so I had a few not very happy customers when I had to remove Web Disk do to PCI Compliance.

 

[Serra]

Since CSF isn't provided by cPanel as part of WHM, I cannot detail how to block the port in CSF.

In CSF the port is listed in the configuration as a TCP port as part of the long list of ports. Just remove it from the list and it will block the port.

 

[cPanelMichael]

Is the case with Web Disk going to get fixed?

I had customers using it until PCI Scans killed that feature so I had a few not very happy customers when I had to remove Web Disk do to PCI Compliance.

Case 35876 is still open at this time. There is currently no time frame available on if/when a change in the existing behavior will be made.

Thank you.

 

[vlee]

Case 35876 is still open at this time. There is currently no time frame available on if/when a change in the existing behavior will be made.

Thank you.

Any more word and more information on Case 35876?