PCI: Missing Sandbox Attribute in iFrame Tag vulnerability

[tvcnet]

McAfee stated the following:

The vulnerability is identified on "/controlpanel/", if you look at the HTML source of "yourdomain.xx/controlpanel/"
you can notice that below 'iframes' are missing the 'sandbox' attribute:

"<iframe id="preferedMethod"
src="https://server.name:2083/unprotected/loader.html?random=whMga_PTF
ZSydbN7sVAp7fkTu2gU4U4DpQoeKApWdNw2mxARrYBbgWfEKgtOe0Un"
style="display:none;"></iframe>
<iframe id="nonsecureMethod" src="about:blank"
style="display:none;"></iframe>
<iframe id="proxyMethod" src="about:blank" style="display:none;"></iframe>
<iframe id="nonsecureProxyMethod" src="about:blank"
style="display:none;"></iframe>"

Should I use 'sandbox' attribute?

The 'sandbox' attribute of an iframe enables restrictions on content within
a 'iframe'. The 'sandbox' attribute is new, introduced in HTML5 and only
works with modern browsers, your website content might not work with older
browser versions if you set the 'sandbox' attribute. Also, you need to make
sure that setting the 'sandbox' attribute is compatible with your code.

Refer the below link for more information about the 'sandbox' attribute:
Play safely in sandboxed IFrames - HTML5 Rocks

If it is not feasible to implement 'sandbox' attribute, you may request a
false positive. However, you need to accept risks and liabilities associated
with the vulnerability and mention the reason for submitting it as false
positive.

+++

What is 'sandbox' attribute?
The 'sandbox' attribute of an 'iframe' enables restrictions on content
within a 'iframe'. The 'sandbox' attribute is new, introduced in HTML5.

Why should I care?
The 'sandbox' attribute of an 'iframe' enables restrictions on content
within a 'iframe'. Implementing 'sandbox' attribute will make sure that your
website is more secure and you will have more control of the 'iframe' tag's
actions.

+++


So, cPanel security dudes.
A number of my clients are getting hit by this so I'm wondering your thoughts on this rather esoteric PCI issue?

Thanks,
Jim

 

[Infopro]

I'm curious what this is exactly:

The vulnerability is identified on "/controlpanel/", if you look at the HTML source of "yourdomain.xx/controlpanel/"
you can notice that below 'iframes' are missing the 'sandbox' attribute:

Are you running cPanel in an iframe?

 

[LDHosting]

I'm curious what this is exactly:



Are you running cPanel in an iframe?

/controlpanel is a cPanel alias, the same as doing domain.com/cpanel

ScriptAliasMatch ^/?controlpanel/?$ /usr/local/cpanel/cgi-sys/redirect.cgi
ScriptAliasMatch ^/?cpanel/?$ /usr/local/cpanel/cgi-sys/redirect.cgi

The cPanel redirect page that is displayed when navigating to the aliases contains iframes. (you know, the "If you are behind a firewall enter here" "If you are not behind a firewall enter here" page).

 

[cPanelMichael]

Please open a support ticket so we can investigate and determine if it's a false positive. You can open a ticket via:

Submit A Ticket

Please post the ticket number here so we can update this thread with the outcome.

Thank you.

 

[cPanelNick]

You could add the tags manually in the mean time to /usr/local/cpanel/etc/webtemplates/english/redirect.tmpl

Add the following inside the <iframe tag.

sandbox="allow-same-origin allow-scripts allow-top-navigation"