PCI: Missing Sandbox Attribute in iFrame Tag vulnerability

tvcnet

McAfee stated the following:

The vulnerability is identified on "/controlpanel/". If you look at the HTML source of "yourdomain.xx/controlpanel/",
you can see that the 'iframes' below are missing the 'sandbox' attribute:

"<iframe id="preferedMethod" src="https://server.name:2083/unprotected/loader.html?random=whMga_PTFZSydbN7sVAp7fkTu2gU4U4DpQoeKApWdNw2mxARrYBbgWfEKgtOe0Un" style="display:none;"></iframe>
<iframe id="nonsecureMethod" src="about:blank" style="display:none;"></iframe>
<iframe id="proxyMethod" src="about:blank" style="display:none;"></iframe>
<iframe id="nonsecureProxyMethod" src="about:blank" style="display:none;"></iframe>"

Should I use 'sandbox' attribute?

The 'sandbox' attribute of an iframe enables restrictions on content within
an 'iframe'. The 'sandbox' attribute is new, introduced in HTML5, and only
works with modern browsers; your website content might not work with older
browser versions if you set the 'sandbox' attribute. Also, you need to make
sure that setting the 'sandbox' attribute is compatible with your code.

Refer to the link below for more information about the 'sandbox' attribute:
Play safely in sandboxed IFrames - HTML5 Rocks

If it is not feasible to implement the 'sandbox' attribute, you may request a
false positive. However, you need to accept the risks and liabilities associated
with the vulnerability and mention the reason for submitting it as a false
positive.

+++

What is the 'sandbox' attribute?
The 'sandbox' attribute of an 'iframe' enables restrictions on content
within an 'iframe'. The 'sandbox' attribute is new, introduced in HTML5.

Why should I care?
The 'sandbox' attribute of an 'iframe' enables restrictions on content
within an 'iframe'. Implementing the 'sandbox' attribute will make sure that your
website is more secure and you will have more control of the 'iframe' tag's
actions.

+++


So, cPanel security dudes.
A number of my clients are getting hit by this, so I'm wondering what your thoughts are on this rather esoteric PCI issue?

Thanks,
Jim
 

LDHosting

I'm curious what this is exactly:



Are you running cPanel in an iframe?
/controlpanel is a cPanel alias, the same as doing domain.com/cpanel

Code:
ScriptAliasMatch ^/?controlpanel/?$ /usr/local/cpanel/cgi-sys/redirect.cgi
ScriptAliasMatch ^/?cpanel/?$ /usr/local/cpanel/cgi-sys/redirect.cgi

The cPanel redirect page that is displayed when navigating to the aliases contains iframes (you know, the "If you are behind a firewall enter here" "If you are not behind a firewall enter here" page).
 

cPanelMichael

Please open a support ticket so we can investigate and determine if it's a false positive. You can open a ticket via:

Submit A Ticket

Please post the ticket number here so we can update this thread with the outcome.

Thank you.
 

cPanelNick

You could add the tags manually in the meantime to /usr/local/cpanel/etc/webtemplates/english/redirect.tmpl

Add the following inside the <iframe tag.

sandbox="allow-same-origin allow-scripts allow-top-navigation"
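
Added example (not part of the thread, and not cPanel's or McAfee's code): a small Python check that lists which iframes in a page lack 'sandbox', the condition the scan reported, and marks any value that grants both allow-scripts and allow-same-origin for review. The sample markup is constructed from the snippet in the first post, with a placeholder token; the "strict" frame and the status names are assumptions of this example.

```python
from html.parser import HTMLParser

# Constructed sample modelled on the redirect page quoted in the first post.
# The token is a placeholder; the "strict" frame is added for contrast.
SAMPLE = """
<iframe id="preferedMethod" src="https://server.name:2083/unprotected/loader.html?random=PLACEHOLDER" style="display:none;"></iframe>
<iframe id="nonsecureMethod" src="about:blank" style="display:none;"></iframe>
<iframe id="proxyMethod" src="about:blank" style="display:none;"
        sandbox="allow-same-origin allow-scripts allow-top-navigation"></iframe>
<iframe id="strict" src="about:blank" sandbox></iframe>
"""


class IframeAudit(HTMLParser):
    """Collect one (id, status, tokens) finding per <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)  # the parser lower-cases attribute names
        ident = a.get("id") or a.get("src") or "<anonymous>"
        if "sandbox" not in a:
            # No attribute at all: the framed page runs unrestricted.
            self.findings.append((ident, "missing", []))
            return
        # A bare `sandbox` (value None) applies every restriction.
        tokens = (a["sandbox"] or "").lower().split()
        status = "ok"
        # With both tokens, a framed page served from the embedding page's
        # own origin can script the parent and remove the attribute.
        if {"allow-scripts", "allow-same-origin"} <= set(tokens):
            status = "review"
        self.findings.append((ident, status, tokens))


def audit(html):
    parser = IframeAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for ident, status, tokens in audit(SAMPLE):
        print(f"{ident:20} {status:8} {' '.join(tokens)}")
```

Whether a "review" finding matters depends on where the frame's src is served from: it only weakens the sandbox when the framed document shares the embedding page's origin.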