In Progress [CPANEL-26253] PCI compliance failure due to unsecured Horde cookies

Brian Lack

Registered
Mar 12, 2019
Canada
cPanel Access Level
Root Administrator
I am running cPanel WHM v78.0.16 and have disabled Horde entirely. These unsecure Horde cookies are suddenly being picked up by my PCI scanning provider (Clone Systems ASV) as a failure:
  • Set-Cookie:
    Horde=expired; HttpOnly; domain=.sub.domain.com; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087
  • Set-Cookie:
    horde_secret_key=expired; HttpOnly; domain=.sub.domain.com; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087
Their solution: Set the 'secure' attribute for any cookies that are sent over an SSL/TLS connection.

This is the same issue brought up a year ago in this thread:

Unsecure cookie still getting sent even though service disabled

Changing "Require SSL for cPanel Services" does not make a difference.

It would be nice if cPanel stopped sending these cookies or set the secure flag, as surely more people will now be having PCI compliance issues.
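The scanner finding above boils down to one rule: any Set-Cookie header delivered over TLS without the Secure attribute is reported, and it makes no difference that both Horde cookies are deletion cookies (value "expired", Expires in 1970). The following script is an added example, not code from the thread or from cPanel; it reproduces that check offline over the two headers quoted in the post (hostname kept as the placeholder from the post, plus one constructed correctly-flagged cookie for contrast) and can optionally fetch the live headers from a WHM port with a hostname argument.

```python
"""Audit Set-Cookie headers for a missing Secure attribute.

Added example; not from the thread or from cPanel. It mirrors the ASV rule
behind the finding: a cookie set over TLS without "Secure" is reported even
when it is an already-expired deletion cookie.
"""
import http.client
import ssl
import sys
from datetime import datetime, timezone

# Constructed from the two headers quoted in the post (placeholder hostname),
# plus one constructed cookie that carries Secure and should pass.
SAMPLE_HEADERS = [
    "Horde=expired; HttpOnly; domain=.sub.domain.com; "
    "expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087",
    "horde_secret_key=expired; HttpOnly; domain=.sub.domain.com; "
    "expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087",
    "session=abc123; Secure; HttpOnly; SameSite=Lax; path=/",
]

# Expires formats seen in the wild: RFC 850 style (as in the post) and RFC 1123.
EXPIRES_FORMATS = ("%a, %d-%b-%Y %H:%M:%S GMT", "%a, %d %b %Y %H:%M:%S GMT")


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value}).
    Attribute names are lower-cased; flag attributes map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def is_expired(attrs):
    """True for a deletion cookie: non-positive Max-Age or an Expires in the past."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            return False
    expires = attrs.get("expires")
    if not expires:
        return False
    for fmt in EXPIRES_FORMATS:
        try:
            when = datetime.strptime(expires, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
        return when < datetime.now(timezone.utc)
    return False


def audit_cookie(header, over_tls=True):
    """Return a finding dict if the cookie lacks Secure on a TLS response, else None.
    Expiry is recorded but does not suppress the finding, exactly as the ASV behaves."""
    name, _value, attrs = parse_set_cookie(header)
    if not over_tls or "secure" in attrs:
        return None
    return {
        "cookie": name,
        "expired": is_expired(attrs),
        "httponly": "httponly" in attrs,
        "domain": attrs.get("domain"),
        "port": attrs.get("port"),
    }


def audit_set_cookie_headers(headers, over_tls=True):
    """Audit a list of Set-Cookie values; returns only the failing ones."""
    return [f for f in (audit_cookie(h, over_tls) for h in headers) if f]


def fetch_set_cookie_headers(host, port=2087, timeout=10):
    """Fetch the Set-Cookie headers from an HTTPS endpoint such as WHM on 2087.
    Needs network access; the offline sample above does not use it."""
    conn = http.client.HTTPSConnection(
        host, port, context=ssl.create_default_context(), timeout=timeout
    )
    try:
        conn.request("GET", "/", headers={"Host": host})
        return conn.getresponse().headers.get_all("Set-Cookie") or []
    finally:
        conn.close()


if __name__ == "__main__":
    headers = fetch_set_cookie_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HEADERS
    for f in audit_set_cookie_headers(headers):
        note = " (expired deletion cookie, still reported)" if f["expired"] else ""
        print(f"missing Secure: {f['cookie']} domain={f['domain']} port={f['port']}{note}")
```

Run without arguments to see both Horde cookies reported from the sample, or with a hostname to audit a live WHM endpoint; the expired flag in each finding is what lets you argue the false-positive case with the ASV, since the cookie carries no session value and the connection was already TLS.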

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
Houston
Hi @Brian Lack

Based on the previous thread, that was a false positive. Initially, though, it was asked that the previous client open a ticket to rule that out.
Can you please open a ticket using the link in my signature? Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


Thanks!

cPanelLauren

Hello @Brian Lack


I checked in on this ticket this morning and found that the analyst did open an internal case for the issue: CPANEL-26253

The workaround, though, is that for PCI compliance purposes, this may be able to be reported as a false positive since the connection is forced to use SSL.

I will update this thread with further information on the case when it is available.

Thanks!