
In Progress [CPANEL-26253 ] PCI compliance failure due to unsecured Horde cookies

Discussion in 'Security' started by Brian Lack, Mar 12, 2019.

  1. Brian Lack

    Brian Lack Registered

    Joined:
    Mar 12, 2019
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Canada
    cPanel Access Level:
    Root Administrator
    I am running cPanel WHM v78.0.16 and have disabled Horde entirely. These unsecure Horde cookies are suddenly being picked up by my PCI scanning provider (Clone Systems ASV) as a failure:
    • Set-Cookie:
      Horde=expired; HttpOnly; domain=.sub.domain.com; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087
    • Set-Cookie:
      horde_secret_key=expired; HttpOnly; domain=.sub.domain.com; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087
    Their solution: Set the 'secure' attribute for any cookies that are sent over an SSL/TLS connection.

    This is the same issue brought up a year ago in this thread:

    Unsecure cookie still getting sent even though service disabled

    Changing "Require SSL for cPanel Services" does not make a difference.

    It would be nice if cPanel stopped sending these cookies or set the secure flag, as surely more people will now be having PCI compliance issues.
     
  2. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,464
    Likes Received:
    505
    Trophy Points:
    263
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @Brian Lack

    Based on the previous thread that was a false positive. Initially though it was asked that the previous client open a ticket to rule that out.
    Can you please open a ticket using the link in my signature? Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


    Thanks!
     
  3. Brian Lack

    Brian Lack Registered

    Joined:
    Mar 12, 2019
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Canada
    cPanel Access Level:
    Root Administrator
    Thanks! Support Request ID is: 11663299
     
  4. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,464
    Likes Received:
    505
    Trophy Points:
    263
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hello @Brian Lack


    I checked in on this ticket this morning and found that the analyst did open an internal case for the issue: CPANEL-26253

    The workaround though is that for PCI compliance purposes, this may be able to be reported as a false positive since the connection is forced to use SSL.

    I will update this thread with further information on the case when it is available.

    Thanks!
     
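A small audit of the Set-Cookie headers quoted earlier in this thread, added here as an example (it is not cPanel or Clone Systems code): it parses each header, reports whether Secure and HttpOnly are present, and notes when the cookie is already expired, which is the property the false-positive argument rests on. The third sample cookie is constructed for contrast.

```python
from datetime import datetime, timezone

# Sample input: the two Set-Cookie headers quoted in the thread, plus one constructed Secure cookie.
SAMPLE_HEADERS = [
    "Horde=expired; HttpOnly; domain=.sub.domain.com; "
    "expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087",
    "horde_secret_key=expired; HttpOnly; domain=.sub.domain.com; "
    "expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087",
    "session=abc123; Secure; HttpOnly; path=/",  # constructed
]

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return name.strip(), value, attrs

def parse_expires(text):
    """Parse an Expires attribute (RFC 850 or RFC 1123 form); None if absent/unparseable."""
    for fmt in ("%a, %d-%b-%Y %H:%M:%S GMT", "%a, %d %b %Y %H:%M:%S GMT"):
        try:
            return datetime.strptime(text or "", fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    return None

def audit_cookies(headers, now=None):
    """Per cookie: are Secure/HttpOnly present, and is it already expired (a deletion directive)?"""
    now = now or datetime.now(timezone.utc)
    report = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        expires = parse_expires(attrs.get("expires"))
        report.append({
            "name": name,
            "secure": "secure" in attrs,
            "httponly": "httponly" in attrs,
            # Expires in the past means the server is clearing the cookie (the thread's false-positive basis).
            "expired": expires is not None and expires <= now,
        })
    return report

def missing_secure(headers):
    """Cookie names a scanner flags: set over TLS without the Secure attribute."""
    return [c["name"] for c in audit_cookies(headers) if not c["secure"]]
```

Run `missing_secure(SAMPLE_HEADERS)` to get the two Horde cookies the ASV reported; `audit_cookies` shows they are also already expired, which a scanner checking only for the attribute does not take into account.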