McAfee stated the following:
The vulnerability is identified on "/controlpanel/", if you look at the HTML source of "yourdomain.xx/controlpanel/"
you can notice that below 'iframes' are missing the 'sandbox' attribute:
"<iframe id="preferedMethod"
src="https://server.name:2083/unprotected/loader.html?random=whMga_PTF
ZSydbN7sVAp7fkTu2gU4U4DpQoeKApWdNw2mxARrYBbgWfEKgtOe0Un"
style="display:none;"></iframe>
<iframe id="nonsecureMethod" src="about:blank"
style="display:none;"></iframe>
<iframe id="proxyMethod" src="about:blank" style="display:none;"></iframe>
<iframe id="nonsecureProxyMethod" src="about:blank"
style="display:none;"></iframe>"
Should I use 'sandbox' attribute?
The 'sandbox' attribute of an iframe enables restrictions on content within
a 'iframe'. The 'sandbox' attribute is new, introduced in HTML5 and only
works with modern browsers, your website content might not work with older
browser versions if you set the 'sandbox' attribute. Also, you need to make
sure that setting the 'sandbox' attribute is compatible with your code.
Refer the below link for more information about the 'sandbox' attribute:
Play safely in sandboxed IFrames - HTML5 Rocks
If it is not feasible to implement 'sandbox' attribute, you may request a
false positive. However, you need to accept risks and liabilities associated
with the vulnerability and mention the reason for submitting it as false
positive.
+++
What is 'sandbox' attribute?
The 'sandbox' attribute of an 'iframe' enables restrictions on content
within a 'iframe'. The 'sandbox' attribute is new, introduced in HTML5.
Why should I care?
The 'sandbox' attribute of an 'iframe' enables restrictions on content
within a 'iframe'. Implementing 'sandbox' attribute will make sure that your
website is more secure and you will have more control of the 'iframe' tag's
actions.
+++
So, cPanel security dudes.
A number of my clients are getting hit by this so I'm wondering your thoughts on this rather esoteric PCI issue?
Thanks,
Jim
The vulnerability is identified on "/controlpanel/", if you look at the HTML source of "yourdomain.xx/controlpanel/"
you can notice that below 'iframes' are missing the 'sandbox' attribute:
"<iframe id="preferedMethod"
src="https://server.name:2083/unprotected/loader.html?random=whMga_PTF
ZSydbN7sVAp7fkTu2gU4U4DpQoeKApWdNw2mxARrYBbgWfEKgtOe0Un"
style="display:none;"></iframe>
<iframe id="nonsecureMethod" src="about:blank"
style="display:none;"></iframe>
<iframe id="proxyMethod" src="about:blank" style="display:none;"></iframe>
<iframe id="nonsecureProxyMethod" src="about:blank"
style="display:none;"></iframe>"
Should I use 'sandbox' attribute?
The 'sandbox' attribute of an iframe enables restrictions on content within
a 'iframe'. The 'sandbox' attribute is new, introduced in HTML5 and only
works with modern browsers, your website content might not work with older
browser versions if you set the 'sandbox' attribute. Also, you need to make
sure that setting the 'sandbox' attribute is compatible with your code.
Refer the below link for more information about the 'sandbox' attribute:
Play safely in sandboxed IFrames - HTML5 Rocks
If it is not feasible to implement 'sandbox' attribute, you may request a
false positive. However, you need to accept risks and liabilities associated
with the vulnerability and mention the reason for submitting it as false
positive.
+++
What is 'sandbox' attribute?
The 'sandbox' attribute of an 'iframe' enables restrictions on content
within a 'iframe'. The 'sandbox' attribute is new, introduced in HTML5.
Why should I care?
The 'sandbox' attribute of an 'iframe' enables restrictions on content
within a 'iframe'. Implementing 'sandbox' attribute will make sure that your
website is more secure and you will have more control of the 'iframe' tag's
actions.
+++
So, cPanel security dudes.
A number of my clients are getting hit by this so I'm wondering your thoughts on this rather esoteric PCI issue?
Thanks,
Jim