PCI Compliance Failure on port 2083

aklouie

Registered
Jul 17, 2013
cPanel Access Level
Root Administrator
I've been getting security alerts about PCI compliance failure from McAfee. It seems to be because cPanel's session_locale cookie does not force HTTPONLY.

Vulnerability: Sensitive Cookie Missing 'HTTPONLY' Attribute
Port: 2083/tcp
Protocol: https
Read Timeout: 10000
Method: GET
Path: /
Query: locale=en
Headers: Host=mydomain.com%3A2083
Referer=https%3A%2F%2Fmydomain.com%3A2083%2F
HttpOnly attribute is not used: session_locale=en; expires=Fri, 18-Jul-2014 10:07:32 GMT; path=/; port=2083; secure

In my WHM, session.cookie_httponly is set to 1.

Not sure where else to force the session_locale cookie to HttpOnly. Any ideas?

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

It's likely this is a false positive, however please open a support ticket so we can take a closer look:

Submit A Ticket

Post the ticket number here so we can update this thread with the outcome.

Thank you.

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Per this ticket, McAfee should be able to confirm this is a false positive. cPanel uses the 'HTTPONLY' attribute on all cookies except those used for the locale. The locale cookie needs to be referenced by scripts for the locale editor to work properly. The login page referenced sets 3 cookies: a login cookie, a session cookie, and a locale cookie. The login and session cookies are both 'HTTPONLY' and therefore cannot be accessed by scripts. The locale cookie can be, but it's of very limited utility, as it simply discloses the language preference.

Thank you.
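To reproduce the scanner's check yourself before filing a ticket, the following added script (not cPanel's or McAfee's code) parses Set-Cookie headers and reports which cookies lack HttpOnly or Secure. The session_locale line is the one quoted in the report above; the two HttpOnly cookies beside it are constructed stand-ins for the login and session cookies the staff reply describes, and their names are assumptions, not cPanel's real cookie names.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Added example, not code from cPanel or McAfee. Cookie names other than
session_locale are constructed placeholders.
"""
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lowercased attribute -> value or None

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attrs

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value; flag attributes map to None."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if val else None
    return Cookie(name.strip(), value.strip(), attrs)


def missing_flags(cookie: Cookie) -> list:
    """Return the protective attributes the cookie is missing, in report order."""
    return [flag for flag, present in (("HttpOnly", cookie.httponly), ("Secure", cookie.secure)) if not present]


# Constructed sample: first line is the cookie from the McAfee finding; the other
# two model the HttpOnly login/session cookies (placeholder names and values).
SAMPLE_HEADERS = [
    "session_locale=en; expires=Fri, 18-Jul-2014 10:07:32 GMT; path=/; port=2083; secure",
    "example_session=PLACEHOLDER_SESSION_TOKEN; path=/; port=2083; secure; HttpOnly",
    "example_login=PLACEHOLDER_LOGIN_TOKEN; path=/; port=2083; secure; HttpOnly",
]


def audit(headers) -> dict:
    """Map each cookie name to the list of flags it lacks."""
    return {c.name: missing_flags(c) for c in map(parse_set_cookie, headers)}


if __name__ == "__main__":
    for name, missing in audit(SAMPLE_HEADERS).items():
        print(f"{name}: {'missing ' + ', '.join(missing) if missing else 'HttpOnly and Secure set'}")
```

Only session_locale is reported as missing HttpOnly, matching the scanner output; whether that is a real finding depends on what the cookie holds, which here is just a language preference.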