PCI Compliance Failure on port 2083

aklouie

Registered
Jul 17, 2013
2
0
1
cPanel Access Level
Root Administrator
I've been getting security alerts about PCI compliance failure from McAfee. It seems to be because cPanel's session_locale cookie does not force HTTPONLY.

Vulnerability: Sensitive Cookie Missing 'HTTPONLY' Attribute
Port: 2083/tcp
Protocol: https
Read Timeout: 10000
Method: GET
Path: /
Query: locale=en
Headers: Host=mydomain.com%3A2083
Referer=https%3A%2F%2Fmydomain.com%3A2083%2F
HttpOnly attribute is not used: session_locale=en; expires=Fri, 18-Jul-2014 10:07:32 GMT; path=/; port=2083; secure

In my WHM, session.cookie_httponly is set to 1.

Not sure where else to force the session_locale cookie to HttpOnly. Any ideas?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,202
363
Hello :)

It's likely this is a false positive, however please open a support ticket so we can take a closer look:

Submit A Ticket

Post the ticket number here so we can update this thread with the outcome.

Thank you.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,202
363
Per this ticket, McAfee should be able to confirm this is as false positive. cPanel uses the 'HTTPONLY' attribute on all cookies except those used for the locale. The locale cookie needs to be referenced by scripts for the locale editor to work properly. The login page referenced sets 3 cookies: a login cookie, a session cookie, and a locale cookie. The login and session cookies are both 'HTTPONLY' and therefore cannot be accessed by scripts. The locale cookie can be, but it's of very limited utility, as it simply discloses the language preference.

Thank you.