PCI Compliance and "help.php"

Myflag (Registered Dec 5, 2013; cPanel Access Level: Root Administrator)
Hello Forum Members,

I am currently in the process of certifying one of my servers to be PCI Compliant. I have resolved all of the reported security vulnerabilities except the following:

Code:
Security Warning found on port/service "www (2096/tcp)"

Status: Fail (This must be resolved for your device to be compliant).
Plugin: "TrustPort WebFilter help.php hf Parameter Directory Traversal"
Category: "CGI abuses"
Priority: "Medium Priority"

Synopsis:
The remote web server hosts a PHP script that can be abused to disclose
the contents of arbitrary files.

Description:
The TrustPort WebFilter administration console install listening on
this port fails to sanitize user input to the 'hf' parameter of the
'help.php' script before using it to return the contents of a file.

An unauthenticated, remote attacker can leverage this issue to view
arbitrary files on the remote host.

See also:
http://www.securityfocus.com/archive/1/527826/30/0/threaded

Risk factor:
MEDIUM / CVSS BASE SCORE: 5.0 CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Plugin output:
Nessus was able to obtain the contents of 'windows/win.ini' with the
following request:

https://mydomain.net:2096/help.php?hf=Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vd2luZG93cy93aW4uaW5p

I am having the "help.php" problem with ports 2083, 2053, 8443, 2087, 2096.

What would you recommend I do to prevent this vulnerability and pass the PCI Compliance scan?
 

quizknows (Well-Known Member, Oct 20, 2009; cPanel Access Level: DataCenter Provider)
This is a false positive. They are erroneously thinking that cPanel services are "TrustPort WebFilter".

A statement from you that "TrustPort WebFilter" is not installed, and that port 2096 is a cPanel webmail service should be sufficient to appeal this as a false positive.
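Before filing the false-positive appeal it is worth replaying the scanner's own request and looking at what actually came back, rather than trusting the plugin's "obtained the contents of windows/win.ini" line. The script below is an added example, not code from the thread or from cPanel: it decodes the base64 `hf` payload shown in the first post, rebuilds the same request against a host and port given on the command line, and classifies the response. Only a body carrying the section headers every real win.ini contains is treated as actual file disclosure; a cPanel HTML page or a 404 is recorded as a false positive. The marker list, the verdict strings, the `pci-triage` User-Agent and the sample bodies in the test are assumptions made for the example.

```python
"""Replay the Nessus 'help.php hf' traversal probe against a cPanel port and
decide whether the response is really windows/win.ini.
Added example for the thread; host/port come from the command line."""
import base64
import ssl
import sys
import urllib.error
import urllib.request

# The exact hf value from the Nessus plugin output quoted in the post:
# base64 of twelve '../' segments followed by 'windows/win.ini'.
NESSUS_HF = ("Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4v"
             "Li4vLi4vLi4vLi4vd2luZG93cy93aW4uaW5p")

# Section headers present in win.ini on every Windows install (assumed
# marker set for this example). Two or more in a body means real disclosure.
WIN_INI_MARKERS = ("[fonts]", "[extensions]", "[mci extensions]", "[files]")


def decode_hf(hf: str) -> str:
    """Show what path the scanner actually asked for."""
    return base64.b64decode(hf).decode("utf-8", errors="replace")


def probe_url(host: str, port: int, hf: str = NESSUS_HF) -> str:
    """Rebuild the scanner's request verbatim (hf is sent unencoded, as Nessus did)."""
    return f"https://{host}:{port}/help.php?hf={hf}"


def looks_like_win_ini(body: str) -> bool:
    """True only if the body carries at least two win.ini section headers."""
    text = body.lower()
    return sum(marker in text for marker in WIN_INI_MARKERS) >= 2


def classify(body: str, status: int) -> str:
    """Turn a replayed (status, body) pair into a verdict for the ASV appeal."""
    lowered = body.lower()
    if looks_like_win_ini(body):
        return "CONFIRMED: file contents returned, not a false positive"
    if status == 404 or "not found" in lowered:
        return "FALSE POSITIVE: help.php does not exist on this service"
    if "cpanel" in lowered or "<html" in lowered:
        return "FALSE POSITIVE: service answered with its own HTML page, not a file"
    return "INCONCLUSIVE: inspect the body manually"


def replay(host: str, port: int, timeout: float = 10.0):
    """Send the probe and return (status, body). Certificate checks are
    disabled because scanners hit the IP/port with whatever cert is there."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(probe_url(host, port),
                                 headers={"User-Agent": "pci-triage"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:          # 4xx/5xx still have a body
        return err.code, err.read().decode("utf-8", errors="replace")
    except urllib.error.URLError as err:           # refused, timeout, TLS failure
        return 0, f"connection error: {err.reason}"


if __name__ == "__main__":
    # Usage: python triage.py mydomain.net 2096
    target_host, target_port = sys.argv[1], int(sys.argv[2])
    print("scanner asked for:", decode_hf(NESSUS_HF))
    http_status, http_body = replay(target_host, target_port)
    print(http_status, classify(http_body, http_status))
```

Run it once per flagged port (2083, 2053, 8443, 2087, 2096) and keep the status line and verdict with the appeal; a scanner that matched on a generic string will show a cPanel page or a 404, never the `[fonts]`/`[extensions]` headers.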
 

cPanelMichael (Technical Support Community Manager, Staff member, Apr 11, 2011; cPanel Access Level: DataCenter Provider)
Hello :)

You can show them that cPanel listens on these ports:

Code:
[~]# netstat -lnp | grep :2096
tcp        0      0 0.0.0.0:2096                0.0.0.0:*                   LISTEN      6583/cpsrvd (SSL) -
Code:
[~]# netstat -lnp | grep :208
tcp        0      0 0.0.0.0:2082                0.0.0.0:*                   LISTEN      6583/cpsrvd (SSL) - 
tcp        0      0 0.0.0.0:2083                0.0.0.0:*                   LISTEN      6583/cpsrvd (SSL) - 
tcp        0      0 0.0.0.0:2086                0.0.0.0:*                   LISTEN      6583/cpsrvd (SSL) - 
tcp        0      0 0.0.0.0:2087                0.0.0.0:*                   LISTEN      6583/cpsrvd (SSL) -
I noticed you mentioned ports 2053 and 8443. What services do you have listening on these ports?

Thank you.
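To turn the `netstat -lnp` evidence above into a per-port statement for every port the scanner flagged, here is an added example (not code from the thread or from cPanel) that parses netstat's listening-socket lines, maps each scanned port to the program owning it, and flags any port that is not served by `cpsrvd`, which is exactly the question raised about 2053 and 8443. The sample output is constructed from the lines posted above plus an invented `8443/httpd` line; the port-to-service labels are the standard cPanel assignments and the wording of the verdicts is the example's own.

```python
"""Parse `netstat -lnp` output and report, per scanned port, whether the
listener is cPanel's cpsrvd or something that needs its own explanation.
Added example for the thread; sample output below is constructed."""
import re
import subprocess

# Ports the scanner flagged in the first post.
SCANNED_PORTS = (2083, 2053, 8443, 2087, 2096)

# Standard cPanel port assignments, all served by cpsrvd.
CPANEL_PORTS = {
    2082: "cPanel", 2083: "cPanel (SSL)",
    2086: "WHM", 2087: "WHM (SSL)",
    2095: "Webmail", 2096: "Webmail (SSL)",
}

# netstat -lnp line: proto recv-q send-q local foreign state pid/program ...
# Only TCP listeners are of interest; UDP and unix sockets do not match.
NETSTAT_RE = re.compile(
    r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\S+)")

# Constructed sample: the four cpsrvd lines from the thread plus an invented
# 8443/httpd line to show how a non-cPanel listener is reported.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:2082                0.0.0.0:*                   LISTEN      6583/cpsrvd (SSL) -
tcp        0      0 0.0.0.0:2083                0.0.0.0:*                   LISTEN      6583/cpsrvd (SSL) -
tcp        0      0 0.0.0.0:2087                0.0.0.0:*                   LISTEN      6583/cpsrvd (SSL) -
tcp        0      0 0.0.0.0:2096                0.0.0.0:*                   LISTEN      6583/cpsrvd (SSL) -
tcp        0      0 0.0.0.0:8443                0.0.0.0:*                   LISTEN      1234/httpd
udp        0      0 0.0.0.0:53                  0.0.0.0:*                               2001/named
"""


def parse_listeners(output: str) -> dict:
    """Map each listening TCP port to its program name.
    Without root, netstat prints '-' instead of pid/program; that becomes '?'."""
    listeners = {}
    for line in output.splitlines():
        match = NETSTAT_RE.match(line.strip())
        if not match:
            continue
        port = int(match.group(3))
        owner = match.group(4)                      # e.g. '6583/cpsrvd' or '-'
        name = owner.split("/", 1)[1].rstrip(":") if "/" in owner else "?"
        listeners[port] = name
    return listeners


def evidence(listeners: dict, scanned=SCANNED_PORTS) -> dict:
    """For each scanned port, state what is really there. A cpsrvd-owned port
    supports the false-positive appeal; anything else needs investigating."""
    report = {}
    for port in scanned:
        program = listeners.get(port)
        if program is None:
            report[port] = "not listening"
        elif program == "cpsrvd":
            report[port] = f"cpsrvd: {CPANEL_PORTS.get(port, 'cPanel service')}"
        else:
            report[port] = f"{program}: not cPanel, investigate"
    return report


def live_listeners() -> dict:
    """Run netstat on this host (run as root so PID/Program name is visible)."""
    result = subprocess.run(["netstat", "-lnp"], capture_output=True, text=True)
    return parse_listeners(result.stdout)


if __name__ == "__main__":
    for port, verdict in sorted(evidence(live_listeners()).items()):
        print(f"{port}: {verdict}")
```

On a host where `netstat` is no longer installed, `ss -lntp` gives the same information but in a different column layout, so the regex would need adjusting; the report format stays the same.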