The Community Forums


img-sys fails PCI

Discussion in 'Security' started by sehh, Jul 26, 2016.

  1. sehh

    sehh Well-Known Member

    Joined:
    Feb 11, 2006
    Messages:
    579
    Likes Received:
    5
    Trophy Points:
    18
    Location:
    Europe
    Hello everyone,

    While our servers have been passing PCI certification without problem, the latest one failed to pass because the server accepts connections to /img-sys/

    The error is:

    Vulnerability: Undefined CVE, Click Jacking
    instance: /img-sys/
    level: medium
    score: 4.3
    status: FAIL
    Notes:
    Running HTTP service
    HTTP response code was an expected 200
    HTTP header 'Content-Type' present
    HTTP header 'Content-Security-Policy' not present
    HTTP header 'X-Frame-Options' not present

    Anyone seen this before? Why does the scanner think that there is a Click Jacking vulnerability in /img-sys/?

    Could it be because someone can remotely use cPanel's images within an iframe? I've added an .htaccess to img-sys to disable iframe via content security policy.

    Any ideas would be appreciated.

    Thank you.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    You can remove the following line from your Apache configuration to disable the "img-sys" alias:

    Code:
    Alias /img-sys /usr/local/cpanel/img-sys/
    As for the warning message, you can find more information on "Click Jacking" at:

    Clickjacking - OWASP

    Also, have you asked the PCI compliance company for more information about why their report considers this a problem?

    Thank you.
     
  3. sehh

    sehh Well-Known Member

    Hello Michael, thank you for your quick answer.

    If I remove the Alias line from httpd.conf, it's temporary. How can I make the change permanent so that it stays when EasyApache reconfigures/recompiles Apache?

    I looked at the files in img-sys and they are just a bunch of logos, so hopefully I won't break something important.

    I know what Click Jacking is, but I don't understand why it's relevant to img-sys and the logo images it contains; I haven't received a coherent answer from the PCI compliance company. I'm guessing that malicious people are using those logos to present a phishing web page as legitimate, like a fake cPanel login page.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    There are a few methods you can use to preserve Apache configuration changes, as documented at:

    Advanced Apache Configuration - EasyApache - cPanel Documentation

    Thank you.
     
  5. sehh

    sehh Well-Known Member

    Unfortunately, the above documentation is not very helpful.

    I solved it by adding the following lines to pre_virtualhost_global.conf

    Code:
    Redirect /bandwidth /
    Redirect /img-sys /
    Redirect /java-sys /
    Redirect /sys_cpanel /
    
    Redirect takes precedence over Alias, thus all access to those aliases is being redirected to the virtualhost's public_html, which of course produces 404 errors and solves the problem with the PCI authority. (note: remember to reconfigure/restart httpd)

    I still wonder what those directories are all about; their files seem rather irrelevant to my needs. The java-sys directory contains an SSH terminal in Java (spacemusic.au? heh), the img-sys directory contains lots of cPanel logos and branding, and the bandwidth directory redirects to a bandwidth monitor script written in Perl. Hmmm
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Those directories are for the purpose of features offered by cPanel (e.g. bandmin, SSH terminal, cPanel logos/images for web templates).

    Thank you.
     
  7. sehh

    sehh Well-Known Member

    Thank you Michael for the clarification.

    Apparently the PCI compliance company thinks they are being used in phishing scams with fake cPanel logins running within iframes. They require a Content-Security-Policy to disable iframe usage. Not a big deal, really.
     
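The following is an added example, not code from this thread or from cPanel: it evaluates a raw HTTP response the way the scanner's notes in the first post suggest (200 status, then presence of anti-framing headers), but goes one step further by parsing the CSP frame-ancestors directive rather than only checking that a Content-Security-Policy header exists. The three sample responses are constructed to mirror the scanned /img-sys/ path, the same path with a CSP that forbids framing, and the post-Redirect case.

```python
# Added example (not from the forum thread or cPanel): assess whether a raw
# HTTP response restricts framing, i.e. whether a scanner would flag it for
# clickjacking. Sample responses below are constructed; no network needed.


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status_code, {lowercased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def frame_ancestors(csp: str):
    """Return the source list of the CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def assess_framing(raw: str):
    """Return ('PASS'|'FAIL', reason). PASS when a 200 response restricts framing
    via X-Frame-Options DENY/SAMEORIGIN or a CSP frame-ancestors directive."""
    status, h = parse_response(raw)
    if status != 200:
        return "PASS", f"non-200 status {status}; nothing served to frame"
    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "PASS", f"X-Frame-Options {xfo}"
    ancestors = frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None and ancestors != ["*"]:
        return "PASS", "CSP frame-ancestors " + " ".join(ancestors)
    if xfo.startswith("ALLOW-FROM"):
        return "FAIL", "X-Frame-Options ALLOW-FROM is obsolete and ignored by browsers"
    return "FAIL", "no X-Frame-Options and no CSP frame-ancestors"


# Constructed samples: the scanned /img-sys/ response, a hardened variant,
# and the response after the Redirect directive from the thread is in place.
SCANNED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
HARDENED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n\r\n<html>")
REDIRECTED = "HTTP/1.1 302 Found\r\nLocation: /\r\n\r\n"

if __name__ == "__main__":
    for name, raw in (("scanned", SCANNED), ("hardened", HARDENED), ("redirected", REDIRECTED)):
        print(name, *assess_framing(raw))
```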