
PCI Compliance Failure on port 2083

Discussion in 'Security' started by aklouie, Jul 18, 2013.

  1. aklouie

    aklouie Registered

    Joined:
    Jul 17, 2013
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I've been getting security alerts about PCI compliance failure from McAfee. It seems to be because cPanel's session_locale cookie does not force HTTPONLY.

    Vulnerability: Sensitive Cookie Missing 'HTTPONLY' Attribute
    Port: 2083/tcp
    Protocol: https
    Read Timeout: 10000
    Method: GET
    Path: /
    Query: locale=en
    Headers: Host=mydomain.com%3A2083
    Referer=https%3A%2F%2Fmydomain.com%3A2083%2F
    HttpOnly attribute is not used: session_locale=en; expires=Fri, 18-Jul-2014 10:07:32 GMT; path=/; port=2083; secure

    In my WHM, session.cookie_httponly is set to 1.

    Not sure where else to force the session_locale cookie to HttpOnly. Any ideas?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    It's likely this is a false positive, however please open a support ticket so we can take a closer look:

    Submit A Ticket

    Post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  3. aklouie

    aklouie Registered

    Joined:
    Jul 17, 2013
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Thanks for your response. I submitted a ticket.
    Ticket #: 4298605

    Thanks!
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Per this ticket, McAfee should be able to confirm this is a false positive. cPanel uses the 'HTTPONLY' attribute on all cookies except those used for the locale. The locale cookie needs to be referenced by scripts for the locale editor to work properly. The login page referenced sets 3 cookies: a login cookie, a session cookie, and a locale cookie. The login and session cookies are both 'HTTPONLY' and therefore cannot be accessed by scripts. The locale cookie can be, but it's of very limited utility, as it simply discloses the language preference.

    Thank you.
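    The check the scanner runs in the first post, and the distinction made in the reply above, can be reproduced with a small Set-Cookie auditor. This is an added example, not cPanel's or McAfee's code: it parses each Set-Cookie header, flags cookies that lack Secure or HttpOnly, and records a cookie on an explicit allow-list (here only session_locale, the documented exception) as an accepted, non-sensitive script-readable cookie instead of a failure. The session_locale line is the one quoted in the finding above; the login_cookie and session_cookie names and their values are constructed placeholders standing in for the login and session cookies.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Added example, not cPanel's or McAfee's code. The names login_cookie and
session_cookie and their values are constructed placeholders; the
session_locale header is the one quoted in the scan finding in this thread.
"""
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    # lower-cased attribute name -> value ('' for bare flags such as Secure)
    attrs: dict = field(default_factory=dict)

    @property
    def http_only(self) -> bool:
        return "httponly" in self.attrs

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)


# Cookies allowed to be readable from script because they carry no secret.
# The locale cookie is the exception described in the reply above.
SCRIPT_READABLE_ALLOWED = frozenset({"session_locale"})


def audit(headers, allowed=SCRIPT_READABLE_ALLOWED):
    """Return (cookie_name, finding) tuples for a list of Set-Cookie values.

    'missing Secure' is reported for any cookie lacking the flag;
    'missing HttpOnly' for a non-allow-listed cookie lacking the flag;
    'script-readable (accepted: non-sensitive)' for an allow-listed cookie,
    so the exception is recorded rather than silently dropped.
    """
    findings = []
    for h in headers:
        c = parse_set_cookie(h)
        if not c.secure:
            findings.append((c.name, "missing Secure"))
        if not c.http_only:
            if c.name in allowed:
                findings.append((c.name, "script-readable (accepted: non-sensitive)"))
            else:
                findings.append((c.name, "missing HttpOnly"))
    return findings


# Constructed sample: first line is the cookie reported by the scan; the other
# two are placeholders for the login and session cookies. Secure is omitted on
# the session placeholder on purpose so the audit has something to flag.
SAMPLE_HEADERS = [
    "session_locale=en; expires=Fri, 18-Jul-2014 10:07:32 GMT; path=/; port=2083; secure",
    "login_cookie=PLACEHOLDER; path=/; secure; HttpOnly",
    "session_cookie=PLACEHOLDER; path=/; HttpOnly",
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_HEADERS):
        print(f"{name}: {finding}")
```

    Running the audit with an empty allow-list reproduces the scanner's verdict (session_locale is reported as missing HttpOnly); with the allow-list in place the same cookie is recorded as an accepted exception, while a login or session cookie missing either flag is still a finding.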
     
  5. InterServed

    InterServed Well-Known Member

    Joined:
    Jul 10, 2007
    Messages:
    255
    Likes Received:
    2
    Trophy Points:
    18
    cPanel Access Level:
    DataCenter Provider
    Hi,

    We just received a PCI Compliance scan today from McAfee on a cPanel machine and we haven't encountered a scan failure on this reported problem.
     