Yesterday’s PCI Scan by Sysnet indicated a Web Server Predictable Session ID Vulnerability with port 2087 / tcp over ssl.
The details of the scan noted that the cookies for roundcube_sessid, roundcube_sessauth, Horde, horde_secret_key, PPA_ID, and imp_key all consisted of common characters among subsequent cookies. Actually the values of all the cookies were “expired”. So even though one could not predict a subsequent session ID, since the values were all the same, the PCI Scan software flagged the values as being predictable session IDs.
I raised this as a false positive, and Sysnet accepted my explanation and passed my PCI Scan.
But I have RoundCube and Horde disabled. I don't provide any mail services on my server. So why, when I go to port 2087 to access WHM, are these cookies even being sent? When I log in, the only cookie that is actually set is whostmgrsession, and that value is a long string and clearly not anything predictable.
Why is WHM wanting to set all these expired cookies (roundcube_sessid, roundcube_sessauth, Horde, horde_secret_key, PPA_ID, and imp_key)?
Is there a way to turn this behavior off?
Safari and Chrome don't even show these cookies because they are all expired. Firefox lists them in the console log with “Cookie “x” has been rejected because it is already expired” for each of those cookies.
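The false positive described in this post comes from comparing cookie values without looking at whether the cookie is a deletion (expiry date in the past, placeholder value) or a live session identifier. The following Python script is an added example, not code from the post or from cPanel/WHM: it parses `Set-Cookie` headers from several login responses, shows the value-only comparison that produces the false positive, and then triages the same headers by first discarding deletion cookies and only then checking live cookies for repetition and low entropy. The six deletion cookie names are taken from the post; the `whostmgrsession` values, the expiry date, the extra `legacy_app_sid` cookie (included so that a genuine repeated-value finding is also exercised) and the entropy thresholds are constructed for the example.

```python
import math
from collections import Counter
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Cookie names from the post; all values, dates and the extra "legacy_app_sid"
# cookie are constructed for this example.
DELETION_NAMES = ["roundcube_sessid", "roundcube_sessauth", "Horde",
                  "horde_secret_key", "PPA_ID", "imp_key"]
EPOCH = "Thu, 01 Jan 1970 00:00:00 GMT"
# Three made-up whostmgrsession values, one per login response.
SESSION_VALUES = ["3f9a1c7e0b5d2846e7c0a93b6d1f2584",
                  "a81d4f0c9e2b73655b2e8a1d7f03c964",
                  "0c6b3e9f1a8d2754d94a7e2c0b5f8316"]


def _response(session_value):
    """Set-Cookie headers of one constructed login response."""
    headers = [f"{n}=expired; expires={EPOCH}; path=/; secure; HttpOnly"
               for n in DELETION_NAMES]
    headers.append(f"whostmgrsession={session_value}; path=/; secure; HttpOnly")
    # A live cookie whose value never changes: what a real finding looks like.
    headers.append("legacy_app_sid=ABC123ABC123ABC123; path=/; secure")
    return headers


SAMPLE_RESPONSES = [_response(v) for v in SESSION_VALUES]


def parse_set_cookie(header):
    """Minimal Set-Cookie parser: name, value, Expires, Max-Age, other flags."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "expires": None, "max_age": None, "flags": set()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "expires":
            try:
                exp = parsedate_to_datetime(val)
                if exp.tzinfo is None:          # "-0000" style dates come back naive
                    exp = exp.replace(tzinfo=timezone.utc)
                cookie["expires"] = exp
            except (TypeError, ValueError):
                pass                             # unparsable date: treat as no expiry
        elif key == "max-age" and val.lstrip("-").isdigit():
            cookie["max_age"] = int(val)
        else:
            cookie["flags"].add(key)
    return cookie


def is_deletion(cookie, now):
    """True when the browser will discard the cookie instead of storing it."""
    if cookie["max_age"] is not None and cookie["max_age"] <= 0:
        return True
    return cookie["expires"] is not None and cookie["expires"] <= now


def shannon_entropy(value):
    """Bits of entropy per character of the observed value."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def naive_repeat_check(responses):
    """Value-only comparison, the kind of logic behind the false positive in the
    post: any cookie whose value repeats across responses is flagged, even when
    every occurrence is a deletion with a placeholder value."""
    values = {}
    for headers in responses:
        for h in headers:
            c = parse_set_cookie(h)
            values.setdefault(c["name"], []).append(c["value"])
    return sorted(n for n, vs in values.items() if len(set(vs)) < len(vs))


def triage(responses, now=None, min_len=16, min_bits=3.0):
    """Per-cookie verdict: deletion-only, repeated, weak, or ok."""
    now = now or datetime.now(timezone.utc)
    seen = {}
    for headers in responses:
        for h in headers:
            c = parse_set_cookie(h)
            e = seen.setdefault(c["name"], {"live": [], "deletions": 0, "total": 0})
            e["total"] += 1
            if is_deletion(c, now):
                e["deletions"] += 1
            else:
                e["live"].append(c["value"])
    report = {}
    for name, e in seen.items():
        live = e["live"]
        ent = round(min(shannon_entropy(v) for v in live), 3) if live else None
        if not live:
            verdict = "deletion-only"          # never stored: not a session ID
        elif len(set(live)) < len(live):
            verdict = "repeated"               # same live value served twice
        elif min(len(v) for v in live) < min_len or ent < min_bits:
            verdict = "weak"                   # short or low-entropy identifier
        else:
            verdict = "ok"
        report[name] = {"observations": e["total"], "deletions": e["deletions"],
                        "distinct_live": len(set(live)), "min_entropy": ent,
                        "verdict": verdict}
    return report


if __name__ == "__main__":
    print("naive flags:", naive_repeat_check(SAMPLE_RESPONSES))
    for name, r in triage(SAMPLE_RESPONSES).items():
        print(f"{name:20} {r['verdict']:14} {r}")
```

The naive check flags all six deletion cookies together with `legacy_app_sid`, which is the scanner's behaviour the post describes; the triage drops the six as deletion-only, keeps `legacy_app_sid` as a genuine repeated value, and reports `whostmgrsession` as ok because each response carries a distinct, long, high-entropy value. When disputing such a finding, the per-cookie report (observations, deletions, distinct live values) is the evidence to attach.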