
PCI Compliance fail - Port 2096

Discussion in 'Security' started by handsonhosting, Aug 16, 2010.

  1. handsonhosting (Well-Known Member, cPanel Access Level: Root Administrator, Omaha, NE)
    We received a report from ControlScan regarding port 2096 and the cookies being set on this port:

    Cookie Without HTTPOnly Attribute Can Be Accessed By Scripts - TCP: 2096

    Information from Target:
    Service: 2096:TCP
    Received: Set-Cookie: logintheme=cpanel; path=/; secure; port=2096

    Any thoughts for a solution?
     
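The finding above is a missing cookie attribute, so the quickest way to confirm it (and to confirm a fix once it lands) is to pull the headers from the port and check every Set-Cookie for HttpOnly and Secure. The script below is an added example for this thread, not code from the forum posters or from cPanel. It assumes a POSIX shell with curl, sed and tr; the `audit_port` host/port arguments and the constructed sample headers are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): audit Set-Cookie headers for the
# HttpOnly and Secure attributes, the check behind the ControlScan finding.

# has_attr "<Set-Cookie value>" "<attribute>" -> 0 if the attribute is present.
# Attributes are compared by name, case-insensitively (RFC 6265), so a cookie
# *value* that merely contains the word "secure" does not count.
has_attr() {
    attr=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    rest=$1
    while [ "$rest" != "${rest#*;}" ]; do      # while a ';' remains
        rest=${rest#*;}                        # drop through the next ';'
        part=${rest%%;*}                       # current attribute
        part=$(printf '%s' "$part" | sed 's/^ *//; s/ *$//' | tr 'A-Z' 'a-z')
        [ "${part%%=*}" = "$attr" ] && return 0
    done
    return 1
}

# audit_cookie "<Set-Cookie value>" -> prints one line per missing flag;
# returns 0 when both HttpOnly and Secure are present, 1 otherwise.
# A "port=2096" attribute (RFC 2965, ignored by current browsers) is left alone.
audit_cookie() {
    name=${1%%=*}
    rc=0
    has_attr "$1" HttpOnly || { echo "MISSING HttpOnly: $name"; rc=1; }
    has_attr "$1" Secure   || { echo "MISSING Secure: $name";   rc=1; }
    return $rc
}

# audit_port HOST PORT -> fetch the HTTPS response headers from HOST:PORT and
# audit every Set-Cookie header. Needs curl and network access (assumption);
# -k tolerates the self-signed certificate many cPanel service ports carry.
audit_port() {
    curl -sk -D - -o /dev/null "https://$1:$2/" \
    | sed -n 's/^[Ss]et-[Cc]ookie: *//p' | tr -d '\r' \
    | while IFS= read -r line; do audit_cookie "$line"; done
}

# Constructed samples: the exact header ControlScan reported on port 2096,
# then the same cookie with HttpOnly added.
for c in 'logintheme=cpanel; path=/; secure; port=2096' \
         'logintheme=cpanel; path=/; secure; HttpOnly; port=2096'; do
    if audit_cookie "$c"; then echo "OK: ${c%%=*}"; fi
done
```

Run `audit_port your.host 2096` against the live server to reproduce the scanner's view; the first sample prints `MISSING HttpOnly: logintheme`, the second prints `OK: logintheme`.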
  2. disappointed (Active Member, Houston)
    Set ports 2095:2096 to drop all attempted connections and you will pass PCI. Be sure to loop them back to localhost for cPanel and WHM, or they will complain about it and shut down services...

    If you need access to these ports yourself, make sure you place your IP between the loopback and the drop statement to retain use of the service.
     
    #2 disappointed, Aug 19, 2010
    Last edited: Aug 19, 2010
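The layout disappointed describes is an ordering problem: the loopback ACCEPT and the admin's ACCEPT have to sit above the DROP for 2095:2096, or the DROP wins. The script below is an added example for this thread, not the poster's own rules or anything shipped by cPanel. It assumes iptables on the INPUT chain, uses the documentation address 203.0.113.10 as a stand-in for the admin's IP, and, rather than applying rules, prints them so they can be reviewed first; `check_rules` then verifies an existing ruleset (the output of `iptables -S INPUT`) has the ACCEPTs before the DROP. As the next reply in the thread points out, these ports carry the webmail login, so this only suits hosts whose customers do not use them.

```shell
#!/bin/sh
# Added example (not from the thread): the iptables layout described above for
# 2095/2096 -- accept loopback, accept the admin's own address, then drop the
# rest -- plus a check that an existing ruleset has that order.
# ADMIN_IP value and the INPUT chain are assumptions for illustration.

PORTS=2095:2096

# emit_rules ADMIN_IP -> print the iptables commands in the order they must be
# appended. Review, then pipe into sh as root to apply.
emit_rules() {
    admin=$1
    # 1. cPanel/WHM reach webmail over loopback; keep that working.
    echo "iptables -A INPUT -p tcp --dport $PORTS -s 127.0.0.1 -j ACCEPT"
    # 2. the admin keeps access; this must sit above the DROP.
    echo "iptables -A INPUT -p tcp --dport $PORTS -s $admin -j ACCEPT"
    # 3. everyone else, the PCI scanner included, is dropped.
    echo "iptables -A INPUT -p tcp --dport $PORTS -j DROP"
}

# check_rules < rules -> 0 if the loopback ACCEPT for $PORTS precedes the DROP,
# 1 if the DROP comes first or the loopback ACCEPT is missing. Accepts either
# the lines emit_rules prints or "iptables -S INPUT" output, where the source
# appears as "-s 127.0.0.1/32" and the port as "-m tcp --dport 2095:2096".
check_rules() {
    seen_lo=0; seen_drop=0; ok=1
    while IFS= read -r line; do
        case "$line" in
            *"--dport $PORTS"*) ;;
            *) continue ;;                      # rule for some other port
        esac
        case "$line" in
            *"-s 127.0.0.1"*"-j ACCEPT"*) seen_lo=1 ;;
            *"-j DROP"*) seen_drop=1 ;;
        esac
        # a DROP seen before the loopback ACCEPT means cPanel/WHM are cut off
        if [ "$seen_drop" = 1 ] && [ "$seen_lo" = 0 ]; then ok=0; fi
    done
    [ "$ok" = 1 ] && [ "$seen_lo" = 1 ]
}

# Stand-alone run: print the ruleset and confirm its ordering.
emit_rules 203.0.113.10
if emit_rules 203.0.113.10 | check_rules; then
    echo "order OK"
fi
```

To audit a live box, run `iptables -S INPUT | check_rules` (as root) after sourcing the script; a nonzero exit means the DROP is shadowing the loopback rule.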
  3. ChrisMeisinger (Registered)
    Hey there,

    Two things should be noted here.

    1. This is a fairly minor potential attack vector and shouldn't necessarily dictate a full failure of PCI compliance.

    2. We've already patched this in our internal builds and will be rolling this out fairly soon in the 11.25.0 builds and above. Due to the nature of development, I can't necessarily give you an exact timeline, but the patch is ready to roll and should be released shortly. :)
     
  4. handsonhosting (Well-Known Member, cPanel Access Level: Root Administrator, Omaha, NE)
    No other scanning companies are reporting it as of yet, just ControlScan.

    Disabling the ports as suggested by "disappointed" is not an option as those ports are used for the webmail login.

    Thanks for the update regarding the fix being rolled into a new release.
     