
img-sys fails PCI

Discussion in 'Security' started by sehh, Jul 26, 2016.

  1. sehh

    sehh Well-Known Member

    Hello everyone,

    While our servers have been passing PCI certification without problem, the latest one failed to pass because the server accepts connections to /img-sys/

    The error is:

    Vulnerability: Undefined CVE, Click Jacking
    instance: /img-sys/
    level: medium
    score: 4.3
    status: FAIL
    Notes:
    Running HTTP service
    HTTP response code was an expected 200
    HTTP header 'Content-Type' present
    HTTP header 'Content-Security-Policy' not present
    HTTP header 'X-Frame-Options' not present

    Anyone seen this before? Why does the scanner think that there is a Click Jacking vulnerability in /img-sys/ ?

    Could it be because someone can remotely use cPanel's images within an iframe? I've added an .htaccess to img-sys to disable iframes via Content-Security-Policy.

    Any ideas would be appreciated.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello,

    You can remove the following line from your Apache configuration to disable the "img-sys" alias:

    Code:
    Alias /img-sys /usr/local/cpanel/img-sys/
    As far as the warning message, you can find more information on "Click Jacking" at:

    Clickjacking - OWASP

    Also, have you asked the PCI compliance company for more information about why their report considers this a problem?

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. sehh

    sehh Well-Known Member

    Hello Michael, thank you for your quick answer.

    If I remove the Alias line from httpd.conf, it's temporary. How can I make the change permanent so that it stays when EasyApache reconfigures/recompiles Apache?

    I looked at the files in img-sys and they are just a bunch of logos, so hopefully I won't break something important.

    I know what Click Jacking is, but I don't understand why it's relevant to img-sys and the logo images it contains. I haven't received a coherent answer from the PCI compliance company. I'm guessing that malicious people are using those logos to present a phishing web page as legitimate, like a fake cPanel login page.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    There are a few methods you can use to preserve Apache configuration changes, as documented at:

    Advanced Apache Configuration - EasyApache - cPanel Documentation

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  5. sehh

    sehh Well-Known Member

    Unfortunately, the above documentation is not very helpful.

    I solved it by adding the following lines to pre_virtualhost_global.conf:

    Code:
    Redirect /bandwidth /
    Redirect /img-sys /
    Redirect /java-sys /
    Redirect /sys_cpanel /
    
    Redirect takes precedence over Alias, thus all access to those aliases is redirected to the virtualhost's public_html, which of course produces 404 errors and solves the problem with the PCI authority. (Note: remember to reconfigure/restart httpd.)

    I still wonder what those directories are all about; their files seem rather irrelevant to my needs. The java-sys directory contains an SSH terminal in Java (spacemusic.au? heh), img-sys contains lots of cPanel logos and branding, and the bandwidth directory redirects to a bandwidth monitor script written in Perl. Hmmm.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  6. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Those directories are for the purpose of features offered by cPanel (e.g. bandmin, SSH terminal, cPanel logos/images for web templates).

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  7. sehh

    sehh Well-Known Member

    Thank you Michael for the clarification.

    Apparently the PCI compliance company thinks they are being used in phishing scams with fake cPanel logins running within iframes. They require a Content-Security-Policy to disable iframe usage. Not a big deal, really.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
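An added example (my own, not code from the thread or from cPanel) that reproduces the scanner's clickjacking finding offline against constructed header sets: a bare /img-sys/ response like the one reported, the CSP-hardened one sehh describes, and a redirect like the pre_virtualhost_global.conf fix. It is stricter than the report's presence check, since a Content-Security-Policy without frame-ancestors does not restrict framing; treating only 200 responses as assessed is an assumption drawn from the report's notes.

```python
from typing import Dict, List, Tuple

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def framing_restricted(headers: Dict[str, str]) -> bool:
    """True if the response actually limits who may frame it: X-Frame-Options
    DENY/SAMEORIGIN, or a CSP frame-ancestors directive other than '*'.
    A CSP that lacks frame-ancestors (e.g. only default-src) does not count."""
    lower = {k.lower(): v for k, v in headers.items()}
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True
    ancestors = parse_csp(lower.get("content-security-policy", "")).get("frame-ancestors")
    return bool(ancestors) and "*" not in ancestors

def clickjacking_check(status: int, headers: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (status, notes) in the shape of the scanner's report for one path."""
    names = {k.lower() for k in headers}
    if status != 200:
        # Assumption: as the report's "expected 200" note suggests, only 200
        # responses are assessed, so the thread's Redirect fix ends up here.
        return "PASS", [f"HTTP response code was {status}; framing not assessed"]
    def present(h: str) -> str:
        return "present" if h.lower() in names else "not present"
    notes = [
        "HTTP response code was an expected 200",
        f"HTTP header 'Content-Security-Policy' {present('Content-Security-Policy')}",
        f"HTTP header 'X-Frame-Options' {present('X-Frame-Options')}",
    ]
    return ("PASS" if framing_restricted(headers) else "FAIL"), notes

# Constructed sample responses for /img-sys/ (not captured from a real server).
UNPROTECTED = {"Content-Type": "text/html"}
HARDENED = {"Content-Type": "text/html", "Content-Security-Policy": "frame-ancestors 'none'"}
CSP_NO_ANCESTORS = {"Content-Type": "text/html", "Content-Security-Policy": "default-src 'self'"}

if __name__ == "__main__":
    for name, hdrs in [("unprotected", UNPROTECTED), ("hardened", HARDENED), ("csp-only", CSP_NO_ANCESTORS)]:
        result, notes = clickjacking_check(200, hdrs)
        print(f"{name}: {result}", *notes, sep="\n  ")
    print("redirected:", clickjacking_check(302, {"Location": "/"})[0])
```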
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice