The Community Forums


Failing PCI Compliance due to MAILMAN - How to block on a site only basis

Discussion in 'Security' started by Mish130, Nov 12, 2012.

  1. Mish130

    Mish130 Registered

    Joined:
    Nov 12, 2012
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Website Owner
    Hello Everyone,

    I'm currently failing PCI Compliance scans as the mailman admin page <domain>/mailman/admin/mailman can be accessed via port 80. Unfortunately I reside on a shared VPS, and I believe the only solution to this problem is to alter a serverwide setting (either redirecting to port 443, or blocking access totally). Am I correct?

    If so this seems to be a significant issue and means that globally, no site can pass PCI compliance unless mailman is redirected to Port 443 / blocked totally across the entire server.

    Is there a way to block access just on my site? Our hosting company says that they cannot change the settings for the entire server. :(
     
  2. tank

    tank Well-Known Member

    Joined:
    Apr 12, 2011
    Messages:
    236
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Chicago, IL
    cPanel Access Level:
    Root Administrator
    Re: Failing PCI Compliance due to MAILMAN - How to block on a site only bas

    From my understanding, it just needs to be HTTPS, not HTTP. Port 443 is considered HTTPS. All the hosting provider needs to do (which is not a bad thing) is to have all mailman admin pages be forced to the HTTPS page.
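    The server-wide change tank describes, written out as an added example (this is not configuration from the thread, from cPanel, or from the hosting provider). It assumes Apache 2.4 with mod_rewrite and mod_ssl loaded, and that the snippet is placed in the global configuration the provider controls, since the thread's point is that the mailman path is not something a single site owner can change:

```apache
# Added example: force every /mailman/ request onto HTTPS.
# Assumption: Apache 2.4 with mod_rewrite and mod_ssl enabled, included at
# server (not per-site) scope, because the mailman path is served server-wide.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Only rewrite plaintext requests; %{HTTPS} is "on" for TLS connections.
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/mailman/ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>

# Defence in depth: refuse to serve the admin interface over plaintext even if
# a request reaches it without passing through the rewrite above.
<Location "/mailman/admin">
    SSLRequireSSL
</Location>
```

    After the change, a plaintext request to /mailman/admin/ should answer with a 301 to the https:// URL rather than the login form, which is the behaviour a PCI scanner checks for; the SSLRequireSSL block makes any remaining plaintext path fail closed (403) instead of leaking the page.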
     
  3. Mish130

    Mish130 Registered

    Joined:
    Nov 12, 2012
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Website Owner
    Re: Failing PCI Compliance due to MAILMAN - How to block on a site only bas

    Unfortunately that would cause issues for other users - which they won't do. I think the solution is that as a site owner, I should have full control over any part of my site. cPanel doesn't allow me to do that and as a result I cannot meet PCI-DSS guidelines, risking massive fines.
     
  4. tank

    tank Well-Known Member

    Joined:
    Apr 12, 2011
    Messages:
    236
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Chicago, IL
    cPanel Access Level:
    Root Administrator
    Re: Failing PCI Compliance due to MAILMAN - How to block on a site only bas

    Mish130 I agree it's a bad situation.

    My recommendation is to find a cPanel hoster that will meet PCI compliance. Let's be clear, this has nothing to do with cPanel and everything to do with the hosting provider. The cPanel end user panel unfortunately does not give you that much control.

    In terms of the PCI compliance they will bill you higher on a monthly basis because you are considered a higher risk. You will only risk massive fines if the credit card information gets stolen off of your server. In most cases, storing credit cards on your server is always a risky thing.

    Good luck!!
     
  5. Mish130

    Mish130 Registered

    Joined:
    Nov 12, 2012
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Website Owner
    Re: Failing PCI Compliance due to MAILMAN - How to block on a site only bas

    Sorry Tank, I disagree. It does have everything to do with cPanel. Mailman defaults to HTTP. This is a security risk. cPanel doesn't allow a site owner to change this configuration. Why would you have something that is a security risk to a site out of the control of the site owner?

     
    #5 Mish130, Nov 15, 2012
    Last edited: Nov 15, 2012
  6. tank

    tank Well-Known Member

    Joined:
    Apr 12, 2011
    Messages:
    236
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Chicago, IL
    cPanel Access Level:
    Root Administrator
    Re: Failing PCI Compliance due to MAILMAN - How to block on a site only bas

    Mish130 I meant no disrespect and did not mean to imply you needed a lesson in PCI compliance. My own experience in PCI compliance comes from doing a several hundred question survey every year on PCI compliance because I am a web hosting provider myself.

    I agree a fix to cPanel globally would be a good solution. That needs to come from your web hosting provider. I hope your provider will work with you on this.
     