
PCI DSS compliance with cPanel login form

Discussion in 'cPanel Developers' started by simonpearce, Feb 17, 2012.

  1. simonpearce (Well-Known Member)

    Hi,

    I currently offer a cPanel login form via a secure page on our website using the following code:

    Code:
    <form class="quicklinksForm" name="logincpanel" action="cpanel.php" method="post" target="_blank">
        <input type="hidden" name="port" value="2082"/>
        <p align="center">
            <input name="domain" type="text" id="cpaneldomain"/>
        </p>
        <p align="center">
            <input name="user" type="text" id="cpanelusername"/>
        </p>
        <p align="center">
            <input name="pass" type="password" id="cpanelpassword"/>
        </p>
        <p align="center">
            <input name="buttonGo" class="blueSubmit" id="buttonGo2" type="submit" value="Login" />
        </p>
        <p align="center">If you have forgotten your cPanel password, log in to your client area above and choose 'My Emails' to find your welcome email.</p>
    </form>

    and

    Code:
    <html>
    <?php
       # your domain or ip
       $domain = $_POST['domain'];
       $newdomain = str_replace("www.", "", $domain);

       if (!$_POST['buttonGo']) {
           exit;
       }

       $user = $_POST['user'];
       $pass = $_POST['pass'];
       $port = $_POST['port'];

       # SSL ports get https://, everything else plain http://www.
       $port == "2083" || $port == "2096" ? $pre = "https://" : $pre = "http://www.";
       # webmail logins need user@domain (strpos() stands in for the removed eregi())
       $port == "2095" || $port == "2096" && strpos($user, "@") === false ? $user = $user . "@" . $newdomain : $user = $user;
    ?>
    <body onLoad="setTimeout('document.forms[0].submit();',10)">
    <form action="<?php echo $pre . $newdomain . ":" . $port . "/login/"; ?>" method="post">
    <input type="hidden" name="user" value="<?php echo $user; ?>">
    <input type="hidden" name="pass" value="<?php echo $pass; ?>">
    </form>
    </body>
    </html>
    ... but this is now failing our PCI DSS compliance due to:

    Code:
    Vulnerability Details:
    Service: 443:TCP

    SENT:
    POST /login/cpanel.php HTTP/1.0
    Host: www.xxx.co.uk
    User-Agent: Mozilla/5.0
    Content-length: 128
    Content-Type: application/x-www-form-urlencoded
    Connection: Keep-Alive
    Cookie: logintheme=cpanel; PHPSESSID=46d3fe293ef706aa71400a37c8af39ea; webmailsession=yCeHpljtpIxrsNRMcGrpxOLkkMZh5HIZON43i0YGk2IDaZCrylSdxxppBENL3ly0; webmailrelogin=no; whostmgrrelogin=no; whostmgrsession=pA8DQghmH6LwLJtaLvT0Knh74XO71QGzmItJkvzfdjaKgQFZrrGfq78ujUeJo8EP; cpsession=_O2olmMori7tuztG1xeYWS4pwi6AQCEPfKi4m3SjiyfntBAmnT_Vh0eX7NEBHZwW; cprelogin=no

    port=123&domain=%3Cscript%3Ealert%28%27SAINTL2xvZ2luL2NwYW5lbC5waHAgZG9tYWlu%27%29%3C%2Fscript%3E&user=123&pass=123&buttonGo=123

    RECEIVED:
    <form action="http://www.<script>alert(\'SAINTL2xvZ2luL2NwYW5lbC5waHAgZG9tYWlu\')</script>:123/login/" method="post">
    Can anyone help me get round this?

    Thanks!

    Simon
     
  2. cPanelDavidG (Technical Product Specialist, cPanel)

    I advise against using the plain-text ports if you can help it. Use the SSL ports instead: 2083, 2087 and 2096 for cPanel, WHM and Webmail respectively.

    It's hard to determine what, precisely, the PCI Compliance scanner is complaining about - perhaps that you're connecting to your cPanel.php over a plain text connection before handing off to the cPanel login? Might be worth inquiring about what they are trying to bring to your attention there.
     
  3. Brian (Well-Known Member)

    What they're saying is that this code (marked with comments below) is insecure and potentially able to be abused.

    Code:
    <html>
    <?php
       # your domain or ip
       $domain = $_POST['domain'];                      # <-- untrusted input, taken as-is
       $newdomain = str_replace("www.", "", $domain);   # <-- only strips "www.", validates nothing

       if (!$_POST['buttonGo']) {
           exit;
       }

       $user = $_POST['user'];
       $pass = $_POST['pass'];
       $port = $_POST['port'];

       $port == "2083" || $port == "2096" ? $pre = "https://" : $pre = "http://www.";
       # strpos() stands in for the removed eregi()
       $port == "2095" || $port == "2096" && strpos($user, "@") === false ? $user = $user . "@" . $newdomain : $user = $user;
    ?>
    <body onLoad="setTimeout('document.forms[0].submit();',10)">
    <!-- the line below echoes $newdomain and $port into the page unencoded -->
    <form action="<?php echo $pre . $newdomain . ":" . $port . "/login/"; ?>" method="post">
    <input type="hidden" name="user" value="<?php echo $user; ?>">
    <input type="hidden" name="pass" value="<?php echo $pass; ?>">
    </form>
    </body>
    </html>

    Look at this portion of the POST payload they're sending:

    Code:
    &domain=%3Cscript%3Ealert%28%27SAINTL2xvZ2luL2NwYW5lbC5waHAgZG9tYWlu%27%29%3C%2Fscript%3E
    
    They're sending a snippet of JavaScript in the 'domain' POST variable to your script.

    Your script then happily takes this <script></script> payload and prints it out to the page. You're performing zero input sanitization and allowing anyone to force your script to print any HTML/JavaScript they want on your website. This could lead to someone linking to your website, with some hidden JavaScript payload, and do something malicious with the input your user supplies. The PCI compliance company basically tested to see if they could do just that, and confirmed that it was possible so they are alerting you to that fact.

    Note: The $user, $pass and $port vars are able to be abused for the same reason and in the same fashion, too.

    I'd advise reading up some documentation on input sanitization and just general practices for secure coding. The page, as it stands, permits open abuse. That's what the PCI DSS compliance report is alerting you to.
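
    As an added example (not code from the original post, and not cPanel's own), here is one way to rewrite the cpanel.php hand-off so it no longer has the reflected XSS Brian describes: the domain is validated against a hostname pattern instead of being echoed as typed, the port is taken from an allow-list of the TLS ports cPanelDavidG recommends rather than trusted from a hidden field, and every value that reaches the HTML is passed through htmlspecialchars(). The function names, the allow-list and the CLI self-check are this example's own choices.

    ```php
    <?php
    // Hardened replacement for the cpanel.php hand-off (added example, not the
    // thread's original code). Assumes PHP 7.1+ for nullable return types.

    // Allow-list of ports we will hand a login off to: cPanel and Webmail over TLS.
    const ALLOWED_PORTS = [2083 => 'cpanel', 2096 => 'webmail'];

    // Accept only a plausible hostname: labels of letters, digits and hyphens,
    // joined by dots. The scanner's '<script>' payload fails this and is never echoed.
    function validate_domain(string $domain): ?string
    {
        $domain = strtolower(trim($domain));
        $domain = preg_replace('/^www\./', '', $domain);
        if ($domain === '' || strlen($domain) > 253) {
            return null;
        }
        $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
        if (!preg_match("/^(?:$label\.)+$label$/", $domain)) {
            return null;
        }
        return $domain;
    }

    // The hidden "port" field is attacker-controlled like any other POST value,
    // so it is looked up in the allow-list, not trusted.
    function validate_port($port): ?int
    {
        if (!ctype_digit((string)$port)) {
            return null;
        }
        $port = (int)$port;
        return array_key_exists($port, ALLOWED_PORTS) ? $port : null;
    }

    // Webmail logins use user@domain; add the domain only when it is missing.
    function qualify_user(string $user, string $domain, int $port): string
    {
        if (ALLOWED_PORTS[$port] === 'webmail' && strpos($user, '@') === false) {
            return $user . '@' . $domain;
        }
        return $user;
    }

    // Output encoding for HTML attribute context; ENT_QUOTES covers both quote styles.
    function h(string $s): string
    {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    // The target URL is assembled from validated parts only, always over https.
    function build_login_url(string $domain, int $port): string
    {
        return "https://{$domain}:{$port}/login/";
    }

    if (PHP_SAPI !== 'cli') {
        if (!isset($_POST['buttonGo'])) {
            exit;
        }
        $domain = validate_domain((string)($_POST['domain'] ?? ''));
        $port   = validate_port($_POST['port'] ?? '');
        $user   = (string)($_POST['user'] ?? '');
        $pass   = (string)($_POST['pass'] ?? '');
        if ($domain === null || $port === null || $user === '' || $pass === '') {
            http_response_code(400);
            exit('Invalid login request.');
        }
        $user = qualify_user($user, $domain, $port);
        header('Content-Type: text/html; charset=UTF-8');
        ?>
    <!DOCTYPE html>
    <html><body onload="document.forms[0].submit()">
    <form action="<?= h(build_login_url($domain, $port)) ?>" method="post">
      <input type="hidden" name="user" value="<?= h($user) ?>">
      <input type="hidden" name="pass" value="<?= h($pass) ?>">
    </form>
    </body></html>
    <?php
    } else {
        // Command-line self-check with constructed inputs: the scanner's payload and
        // an unlisted port are rejected, a real domain and a webmail user pass.
        $ok = validate_domain("<script>alert('x')</script>") === null
            && validate_domain('www.example.co.uk') === 'example.co.uk'
            && validate_port('123') === null
            && validate_port('2083') === 2083
            && qualify_user('simon', 'example.co.uk', 2096) === 'simon@example.co.uk'
            && h('a"b') === 'a&quot;b';
        echo $ok ? "self-check passed\n" : "self-check FAILED\n";
        exit($ok ? 0 : 1);
    }
    ```

    Run it as `php cpanel.php` to execute the self-check; deployed behind the form, it refuses anything that is not a hostname plus an allow-listed port, and the encoding in h() makes the surviving values inert even if the validation were ever loosened. The password still passes through your own web server on its way to cPanel, so the page hosting this form has to stay on HTTPS, and the form's hidden port field should be changed from 2082 to one of the allow-listed TLS ports or the request will be rejected.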
     
  4. simonpearce (Well-Known Member)

    Thanks guys - I'll get on that now.
     