The Community Forums


[Case 35876] cpdavd via http PCI compliance issue

Discussion in 'General Discussion' started by Serra, Nov 4, 2011.

  1. Serra

    Serra Well-Known Member

    Joined:
    Oct 27, 2005
    Messages:
    213
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    Florida
    I got hit on a PCI compliance issue where cpdavd is accessible via http. I found several older threads about this, but they all indicate that the issue should be closed now that I'm on 11.30.4.

    If I go to my server via server.com I get a login pop up. Shouldn't that be forced to https?
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,482
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    You can change your Redirection settings here:
    WHM > Server Configuration > Tweak Settings, Redirection tab.
     
  3. Serra

    Serra Well-Known Member

    Joined:
    Oct 27, 2005
    Messages:
    213
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    Florida
    I have "Always redirect to SSL" set to ON; it has been set like that for years. I've tested the URL at port 2077 and it is not being redirected.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    I suggest opening a support ticket with our staff so we can see the exact configuration in-place and offer advice. You can open a ticket using the following URL:

    Submit A Ticket

    Thank you.
     
  5. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,461
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    The redirection tweak setting doesn't apply to cpdavd, only cpsrvd.
     
  6. Serra

    Serra Well-Known Member

    Joined:
    Oct 27, 2005
    Messages:
    213
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    Florida
    So should cpdavd be redirected or not? It is not being redirected now. Is there a way to redirect it so that it doesn't show up on my PCI report?
     
  7. Serra

    Serra Well-Known Member

    Joined:
    Oct 27, 2005
    Messages:
    213
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    Florida
    Resolution: After putting in a ticket I was told that cpdavd is not PCI compliant and can't be made so. The only resolution offered was to block port 2077 to prevent cpdavd from using basic authentication. I've done that. I don't believe any of my customers are using cpdavd, but if they were, the only way to allow it would be to pinhole that customer for that port; while that would also be PCI non-compliant, it wouldn't show up on the PCI reports.

    I got the impression that at some point this may be resolved with an upgrade.
     
  8. storminternet

    storminternet Well-Known Member

    Joined:
    Nov 2, 2011
    Messages:
    462
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Hi,

    Maybe a future release of cPanel will cover this bug, but it is easy to block the PCI non-compliant port in the firewall.
     
  9. cPdans

    cPdans Member
    Staff Member

    Joined:
    Sep 6, 2011
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hello,

    I certainly understand and appreciate your desire for this feature. Please feel free to open a feature request so that we may look into the possibility of introducing this in future releases.

    Feature Requests for cPanel/WHM

    Thank you for your interest in improving cPanel.
     
  10. inetbizo

    inetbizo Well-Known Member

    Joined:
    Mar 28, 2008
    Messages:
    72
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    New Smyrna Beach, FL US
    cPanel Access Level:
    Root Administrator
    How can it be a feature if cPanel software would fail a compliance audit by allowing 2077 in the first place? Please post some global Apache include with mod_rewrite on the insecure port(s)?
     
  11. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    We have case 35876 opened internally to restrict WebDAV (cpdavd) to listen only on SSL ports. I've added this forum discussion to that case so your concerns are noted there.

    As for mod_rewrite, mod_rewrite would not be the ideal solution to blocking a port. Blocking port 2077 in the firewall or iptables would be faster to process, easier to accomplish, and less intensive on the machine. As such, simply remove port 2077 for listening in your firewall:

    Code:
    /sbin/iptables -I INPUT -p tcp --destination-port 2077 -j DROP
    After blocking the port for incoming connections, then save the firewall rules:

    Code:
    service iptables save
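As an added example (not code from the thread or from cPanel), the following POSIX sh script prints, or as root applies, the iptables rules for the approach above, extended with the per-customer pinhole Serra mentioned earlier in the thread. Because `iptables -I INPUT` puts each new rule at the top of the chain, the DROP is inserted first and each ACCEPT after it, so the pinholes sit above the DROP when the chain is read top down. Port 2077 is the thread's; the function names, the address validation and any addresses you pass in are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from cPanel. Print (or, as root,
# apply) iptables rules that drop plaintext Web Disk on TCP/2077 while
# pinholing the customers who still need it. Port 2077 is from the thread;
# the function names and any addresses you pass are assumptions.
# Usage: cpdavd_rules [addr ...]   print the commands
#        cpdavd_apply [addr ...]   run them, then save (root only)

CPDAVD_PORT=2077

# Accept a dotted-quad IPv4 address with an optional /0-32 prefix; anything
# else would otherwise end up inside an iptables command line unchecked.
valid_ipv4() {
    host_part=${1%/*}
    case "$1" in */*) prefix=${1#*/} ;; *) prefix=32 ;; esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS
    IFS=.
    set -- $host_part
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit the commands in the order they must run. `iptables -I INPUT` inserts
# at the top of the chain, so the DROP goes first and each ACCEPT after it,
# leaving the pinholes above the DROP in the final chain.
cpdavd_rules() {
    for addr in "$@"; do
        valid_ipv4 "$addr" || { echo "cpdavd_rules: bad address: $addr" >&2; return 1; }
    done
    echo "/sbin/iptables -I INPUT -p tcp --dport $CPDAVD_PORT -j DROP"
    for addr in "$@"; do
        echo "/sbin/iptables -I INPUT -p tcp --dport $CPDAVD_PORT -s $addr -j ACCEPT"
    done
    echo "service iptables save"
}

# Apply the printed commands; refuses to run unless root, since iptables
# would fail part way through otherwise.
cpdavd_apply() {
    [ "$(id -u)" -eq 0 ] || { echo "cpdavd_apply: run as root" >&2; return 1; }
    cpdavd_rules "$@" | sh -e
}
```

Two caveats. Only the plaintext port is touched; the SSL Web Disk port (2078) stays open, so customers who can use https keep working. And if CSF is installed it rebuilds the iptables chains whenever it restarts and will discard rules added by hand, so on a CSF server remove 2077 from the allowed TCP port list in the CSF configuration instead, as described later in this thread.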
     
  12. DomineauX

    DomineauX Well-Known Member
    PartnerNOC

    Joined:
    Apr 12, 2003
    Messages:
    414
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Just wanted to add support for a solution to this issue other than a simple firewall block of the port.
    cPanel should strive to resolve any PCI issues related to the product itself, and running insecure access for Web Disk opens a PCI issue, so please provide an integrated option to disable insecure access via WHM.
     
  13. Blakles

    Blakles Member

    Joined:
    Mar 9, 2012
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    How exactly do you block port 2077 in the firewall or iptable? Where do you go inside WHM to do this?
    I tried going to WHM > ConfigServer Security & Firewall > Firewall Configuration and removed 2077 from the 'Allow incoming TCP ports' section, but I still get a login box when visiting: domain.com:2077 or http://ip:2077
     
  14. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Hello,

    Since CSF isn't provided by cPanel as part of WHM, I cannot detail how to block the port in CSF. I can detail how to do it in root SSH command line via iptables:

    Code:
    /sbin/iptables -I INPUT -p tcp --dport 2077 -j DROP
    I used the above to block the port and it worked for me. You'd then need to save the new configuration:

    Code:
    service iptables save
    You may wish to post on the CSF forum for questions on how to configure settings in their firewall software:

    CSF Forum

    Thanks!
     
  15. DomineauX

    DomineauX Well-Known Member
    PartnerNOC

    Joined:
    Apr 12, 2003
    Messages:
    414
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    What you did is correct, so your own IP is likely on the allow list, which is why you were still able to access port 2077.
     
  16. dolphyn

    dolphyn Well-Known Member

    Joined:
    Nov 27, 2001
    Messages:
    64
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    I agree there should be an option to require SSL for cpdavd. Firewall blocking isn't really a solution, because the PCI people insist on being whitelisted in firewall settings. :rolleyes:


    If you don't need cpdavd, you can disable it completely:
    Code:
    /usr/local/cpanel/etc/init/stopcpdavd
    
    touch /etc/cpdavddisable
    Then use the WHM Feature Manager "disabled" feature list to remove the icon from cPanel.

    The /etc/cpdavddisable file doesn't need to be empty, so you can edit it to give yourself a reminder of why it's there. I included the URL of this forum thread in mine. :)


    (I don't know if /etc/cpdavddisable is documented anywhere, but I happened to notice a reference to it in /usr/local/cpanel/etc/init/startcpdavd.)
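An added check, not from the thread or from cPanel, for confirming after either the firewall block or the disable above that the plaintext port no longer offers Basic authentication, which is what the scanner reports. It is a POSIX sh probe built on curl, with the header classification kept in its own function so it can be exercised offline on constructed sample responses. Run the live probe from an address that is not on the firewall allow list, for the reason DomineauX gave above. Host names and the header values in the samples are invented.

```shell
#!/bin/sh
# Added example, not code from the thread or from cPanel. Probe the plaintext
# Web Disk port and report whether it still answers with HTTP Basic auth.
# Run it from an address that is NOT on the firewall allow list, or the
# probe sees something the scanner does not.

# Classify one HTTP response (headers only, as `curl -sI` prints them).
# Prints one word and returns 1 only for the state a PCI scan flags:
#   basic-over-http    401 with WWW-Authenticate: Basic on plaintext HTTP
#   redirect-to-https  3xx whose Location is an https:// URL
#   no-http-response   nothing came back (filtered, closed, or timed out)
#   other              some other answer; inspect by hand
cpdavd_classify() {
    hdrs=$(printf '%s\n' "$1" | tr -d '\r')
    status=$(printf '%s\n' "$hdrs" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    case "$status" in
        401)
            if printf '%s\n' "$hdrs" | grep -qi '^WWW-Authenticate: *Basic'; then
                echo basic-over-http
                return 1
            fi
            echo other ;;
        30[1278])
            if printf '%s\n' "$hdrs" | grep -qi '^Location: *https://'; then
                echo redirect-to-https
            else
                echo other
            fi ;;
        '') echo no-http-response ;;
        *)  echo other ;;
    esac
    return 0
}

# Live probe. A DROP rule produces no reply at all, so keep the timeout short.
# Usage: cpdavd_probe server.example.com [2077]
cpdavd_probe() {
    host=$1
    port=${2:-2077}
    resp=$(curl -sI --max-time 5 "http://$host:$port/" 2>/dev/null) || resp=''
    cpdavd_classify "$resp"
}

# Constructed sample responses for offline use; the header values are invented.
SAMPLE_BASIC='HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Web Disk"
Content-Type: text/html'
SAMPLE_REDIRECT='HTTP/1.1 301 Moved Permanently
Location: https://server.example.com:2078/'

# Offline demo: prints basic-over-http, then redirect-to-https.
cpdavd_classify "$SAMPLE_BASIC" || true
cpdavd_classify "$SAMPLE_REDIRECT"
```

A `no-http-response` result after the iptables DROP is the expected outcome; after `touch /etc/cpdavddisable` and stopping the daemon you should see the same, since nothing is listening on 2077 any more. A `redirect-to-https` result would only appear if a future cPanel release changes cpdavd's behaviour, which the thread notes is still an open case.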
     
  17. vlee

    vlee Well-Known Member

    Joined:
    Oct 13, 2005
    Messages:
    272
    Likes Received:
    6
    Trophy Points:
    18
    Location:
    Las Vegas, Nevada, United Stat
    cPanel Access Level:
    Root Administrator
    Is the case with Web Disk going to get fixed?

    I had customers using it until PCI scans killed that feature, so I had a few not-very-happy customers when I had to remove Web Disk due to PCI compliance.
     
  18. Serra

    Serra Well-Known Member

    Joined:
    Oct 27, 2005
    Messages:
    213
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    Florida
    In CSF the port is listed in the configuration as a TCP port as part of the long list of ports. Just remove it from the list and it will block the port.
     
  19. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Case 35876 is still open at this time. There is currently no time frame available on if/when a change in the existing behavior will be made.

    Thank you.
     
  20. vlee

    vlee Well-Known Member

    Joined:
    Oct 13, 2005
    Messages:
    272
    Likes Received:
    6
    Trophy Points:
    18
    Location:
    Las Vegas, Nevada, United Stat
    cPanel Access Level:
    Root Administrator
    Any more word and more information on Case 35876?
     