
PCI Compliance Failure on port 2083

Discussion in 'Security' started by aklouie, Jul 18, 2013.

  1. aklouie

    aklouie Registered

    Joined:
    Jul 17, 2013
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I've been getting security alerts about PCI compliance failure from McAfee. It seems to be because cPanel's session_locale cookie does not force HTTPONLY.

    Vulnerability: Sensitive Cookie Missing 'HTTPONLY' Attribute
    Port: 2083/tcp
    Protocol: https
    Read Timeout: 10000
    Method: GET
    Path: /
    Query: locale=en
    Headers: Host=mydomain.com%3A2083
    Referer=https%3A%2F%2Fmydomain.com%3A2083%2F
    HttpOnly attribute is not used: session_locale=en; expires=Fri, 18-Jul-2014 10:07:32 GMT; path=/; port=2083; secure

    In my WHM, session.cookie_httponly is set to 1.

    Not sure where else to force the session_locale cookie to HttpOnly. Any ideas?
     
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,442
    Likes Received:
    1,962
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello :)

    It's likely this is a false positive, however please open a support ticket so we can take a closer look:

    Submit A Ticket

    Post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  3. aklouie

    aklouie Registered

    Joined:
    Jul 17, 2013
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Thanks for your response. I submitted a ticket.
    Ticket #: 4298605

    Thanks!
     
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,442
    Likes Received:
    1,962
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Per this ticket, McAfee should be able to confirm this is a false positive. cPanel uses the 'HTTPONLY' attribute on all cookies except those used for the locale. The locale cookie needs to be referenced by scripts for the locale editor to work properly. The login page referenced sets 3 cookies: a login cookie, a session cookie, and a locale cookie. The login and session cookies are both 'HTTPONLY' and therefore cannot be accessed by scripts. The locale cookie can be, but it's of very limited utility, as it simply discloses the language preference.

    Thank you.
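To verify the explanation above on your own server output rather than trusting the scanner, the following added example (not code from cPanel or from anyone in this thread) parses a set of Set-Cookie header values and reports which cookies carrying an authentication-looking name lack HttpOnly or Secure. The three header values are constructed to mirror the thread's description (login and session cookies with HttpOnly, the locale cookie without; the `port=2083` attribute is taken from the scan output). The name-based "sensitive cookie" heuristic is my own assumption about how such scanners work, not McAfee's actual rule; it is included because it shows how a cookie named `session_locale` can be flagged purely on its name, and how an allowlist of reviewed exceptions clears the finding.

```python
"""Audit Set-Cookie headers for HttpOnly/Secure the way a PCI scanner might.

Added example for this thread; the sample headers below are constructed,
not captured from a real cPanel server.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Optional

# Constructed sample: modelled on the thread (login + session cookies are
# HttpOnly, the locale cookie is not). Cookie values are placeholders.
SAMPLE_SET_COOKIE_HEADERS = [
    "login=EXAMPLE_LOGIN_VALUE; path=/; port=2083; secure; HttpOnly",
    "session=EXAMPLE_SESSION_VALUE; path=/; port=2083; secure; HttpOnly",
    "session_locale=en; expires=Fri, 18-Jul-2014 10:07:32 GMT; path=/; port=2083; secure",
]

# Assumed heuristic: a cookie whose name contains one of these substrings is
# treated as sensitive. This is a guess at scanner behaviour, not McAfee's rule.
SENSITIVE_NAME_HINTS = ("session", "login", "auth", "token")


@dataclass
class ParsedCookie:
    name: str
    value: str
    # Attribute names lower-cased; flag attributes (Secure, HttpOnly) map to None.
    attributes: Dict[str, Optional[str]] = field(default_factory=dict)

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attributes

    @property
    def secure(self) -> bool:
        return "secure" in self.attributes


def parse_set_cookie(header: str) -> ParsedCookie:
    """Parse one Set-Cookie header value into name, value and attributes.

    Hand-rolled because http.cookies.SimpleCookie does not know the
    non-standard 'port' attribute and would misread it as a second cookie.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = ParsedCookie(name.strip(), value.strip())
    for part in parts[1:]:
        if not part:
            continue
        attr_name, sep, attr_value = part.partition("=")
        cookie.attributes[attr_name.strip().lower()] = attr_value.strip() if sep else None
    return cookie


def is_sensitive(cookie: ParsedCookie) -> bool:
    """Name-based guess at whether a cookie holds an authentication token."""
    lowered = cookie.name.lower()
    return any(hint in lowered for hint in SENSITIVE_NAME_HINTS)


def audit_cookies(
    headers: Iterable[str],
    reviewed_exceptions: FrozenSet[str] = frozenset(),
) -> List[str]:
    """Return findings for sensitive-looking cookies missing HttpOnly or Secure.

    `reviewed_exceptions` holds cookie names a human has confirmed are not
    sensitive (e.g. a locale preference), so they are skipped rather than
    re-reported on every scan.
    """
    findings: List[str] = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie.name in reviewed_exceptions or not is_sensitive(cookie):
            continue
        if not cookie.httponly:
            findings.append(f"{cookie.name}: missing HttpOnly")
        if not cookie.secure:
            findings.append(f"{cookie.name}: missing Secure")
    return findings


if __name__ == "__main__":
    print("Raw scan:", audit_cookies(SAMPLE_SET_COOKIE_HEADERS))
    print("With reviewed exception:",
          audit_cookies(SAMPLE_SET_COOKIE_HEADERS, frozenset({"session_locale"})))
```

Run against real output, replace the constructed list with the Set-Cookie values from a response to the login page on port 2083; the raw audit should report only the locale cookie, and adding that name to the reviewed exceptions (after confirming it holds nothing but a language preference) leaves the report empty. A login or session cookie appearing in the raw findings would be a real problem, not a false positive.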
     
  5. InterServed

    InterServed Well-Known Member

    Joined:
    Jul 10, 2007
    Messages:
    263
    Likes Received:
    4
    Trophy Points:
    68
    cPanel Access Level:
    DataCenter Provider
    Hi,

    We just received a PCI Compliance scan today from McAfee on a cPanel machine and we haven't encountered a scan failure on this reported problem.
     