insecure cookie(port 2083) PCI failure

Discussion in 'General Discussion' started by EWD, Nov 7, 2008.

  1. EWD

    EWD Well-Known Member
    PartnerNOC

    Joined:
    Aug 19, 2003
    Messages:
    165
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    NY
    Here are the latest failures:

    2083 - Missing Secure Attribute in an Encrypted Session (SSL) Cookie - The application sets a cookie over a secure channel without using the "secure" attribute. RFC states that if the cookie does not have the secure attribute assigned to it, then the cookie can be passed to the server by the client over non-secure channels (http). Using this attack, an attacker may be able to intercept this cookie, over the non-secure channel, and use it for a session hijacking attack. - It is best business practice that any cookies that are sent (set-cookie) over an SSL connection to explicitly state secure on them.

    2083 - Potentially Sensitive Information Missing Secure Attribute in an Encrypted Session (SSL) Cookie - The application sets a cookie over a secure channel without using the "secure" attribute. RFC states that if the cookie does not have the secure attribute assigned to it, then the cookie can be passed to the server by the client over non-secure channels (http). Using this attack, an attacker may be able to intercept this cookie, over the non-secure channel, and use it for a session hijacking attack. The information that was sent was flagged as being potentially sensitive. Potentially sensitive information could be session tokens, user id's, or passwords. - It is best business practice that any cookies that are sent (set-cookie) over an SSL connection to explicitly state secure on them. Speak with your web developer to have them enable the secure attribute on cookies sent over secure connections.
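As an added example (not code from the thread or from cPanel), the script below audits a server's `Set-Cookie` headers for the missing `Secure` attribute the scanner reports; the sample headers are constructed, and the host, port 2083 and path used for a live check are assumptions.

```python
"""Audit Set-Cookie headers for the missing Secure attribute (the PCI finding above)."""
import http.client
import ssl
import sys
from typing import List, Tuple

# Constructed sample response headers, not captured from a real cPanel server.
# The first cookie reproduces the finding: set over TLS without "Secure".
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Set-Cookie", "cpsession=abc123; path=/; HttpOnly"),
    ("Set-Cookie", "lang=en; path=/; secure"),
    ("Set-Cookie", "timezone=UTC; Path=/; Secure; HttpOnly"),
    ("Content-Type", "text/html"),
]


def insecure_cookies(headers: List[Tuple[str, str]]) -> List[str]:
    """Return the names of cookies set without the Secure attribute.

    Attribute names are matched case-insensitively (RFC 6265 treats them so),
    and only Set-Cookie headers are inspected.
    """
    flagged = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0].strip()
        attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
        if "secure" not in attrs:
            flagged.append(cookie_name)
    return flagged


def fetch_headers(host: str, port: int = 2083, path: str = "/") -> List[Tuple[str, str]]:
    """Fetch response headers over TLS (assumed host/port/path for a live audit).

    getheaders() keeps each Set-Cookie header as a separate tuple, so
    multiple cookies are not merged into one line.
    """
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("GET", path)
        return conn.getresponse().getheaders()
    finally:
        conn.close()


if __name__ == "__main__":
    # With a hostname argument, audit that server; otherwise use the sample headers.
    hdrs = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HEADERS
    print("Cookies missing Secure:", insecure_cookies(hdrs) or "none")
```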
     
  2. EWD

    Any ideas on this issue?

    Thanks :)
     
  3. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,460
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    Full cPanel version number please.
     
  4. EWD

    Sorry, cPanelKenneth.

    Original report was running on cPanel 11.24.0-C30789
    Upgraded today to cPanel 11.24.0-C30898 and the issue is still present.

    Thanks ;)
     
  5. cPanelKenneth

    Thank you. I'll pass this along to the developers.
     