Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

PCI: Missing Sandbox Attribute in iFrame Tag vulnerability

Discussion in 'Security' started by tvcnet, Aug 2, 2013.

  1. tvcnet

    tvcnet Well-Known Member PartnerNOC

    Joined:
    Aug 15, 2003
    Messages:
    118
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    San Diego
    cPanel Access Level:
    DataCenter Provider
    McAfee stated the following:

    The vulnerability is identified on "/controlpanel/", if you look at the HTML source of "yourdomain.xx/controlpanel/"
    you can notice that below 'iframes' are missing the 'sandbox' attribute:

    "<iframe id="preferedMethod"
    src="https://server.name:2083/unprotected/loader.html?random=whMga_PTF
    ZSydbN7sVAp7fkTu2gU4U4DpQoeKApWdNw2mxARrYBbgWfEKgtOe0Un"
    style="display:none;"></iframe>
    <iframe id="nonsecureMethod" src="about:blank"
    style="display:none;"></iframe>
    <iframe id="proxyMethod" src="about:blank" style="display:none;"></iframe>
    <iframe id="nonsecureProxyMethod" src="about:blank"
    style="display:none;"></iframe>"

    Should I use 'sandbox' attribute?

    The 'sandbox' attribute of an iframe enables restrictions on content within
    a 'iframe'. The 'sandbox' attribute is new, introduced in HTML5 and only
    works with modern browsers, your website content might not work with older
    browser versions if you set the 'sandbox' attribute. Also, you need to make
    sure that setting the 'sandbox' attribute is compatible with your code.

    Refer the below link for more information about the 'sandbox' attribute:
    Play safely in sandboxed IFrames - HTML5 Rocks

    If it is not feasible to implement 'sandbox' attribute, you may request a
    false positive. However, you need to accept risks and liabilities associated
    with the vulnerability and mention the reason for submitting it as false
    positive.

    +++

    What is 'sandbox' attribute?
    The 'sandbox' attribute of an 'iframe' enables restrictions on content
    within a 'iframe'. The 'sandbox' attribute is new, introduced in HTML5.

    Why should I care?
    The 'sandbox' attribute of an 'iframe' enables restrictions on content
    within a 'iframe'. Implementing 'sandbox' attribute will make sure that your
    website is more secure and you will have more control of the 'iframe' tag's
    actions.

    +++


    So, cPanel security dudes.
    A number of my clients are getting hit by this so I'm wondering your thoughts on this rather esoteric PCI issue?

    Thanks,
    Jim
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #1 tvcnet, Aug 2, 2013
  2. Infopro

    Infopro cPanel Sr. Product Evangelist Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,640
    Likes Received:
    449
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    I'm curious what this is exactly:

    Are you running cPanel in an iframe?
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 Infopro, Aug 3, 2013
  3. LDHosting

    LDHosting Well-Known Member

    Joined:
    Jan 19, 2008
    Messages:
    93
    Likes Received:
    2
    Trophy Points:
    58
    cPanel Access Level:
    Root Administrator
    /controlpanel is a cPanel alias, the same as doing domain.com/cpanel

    Code:
    ScriptAliasMatch ^/?controlpanel/?$ /usr/local/cpanel/cgi-sys/redirect.cgi
ScriptAliasMatch ^/?cpanel/?$ /usr/local/cpanel/cgi-sys/redirect.cgi
    The cPanel redirect page that is displayed when navigating to the aliases contains iframes. (you know, the "If you are behind a firewall enter here" "If you are not behind a firewall enter here" page).
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #3 LDHosting, Aug 3, 2013
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,734
    Likes Received:
    1,992
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Please open a support ticket so we can investigate and determine if it's a false positive. You can open a ticket via:

    Submit A Ticket

    Please post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #4 cPanelMichael, Aug 6, 2013
  5. cPanelNick

    cPanelNick Administrator Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,485
    Likes Received:
    31
    Trophy Points:
    158
    cPanel Access Level:
    DataCenter Provider
    You could add the tags manually in the mean time to /usr/local/cpanel/etc/webtemplates/english/redirect.tmpl

    Add the following inside the <iframe tag.

    sandbox="allow-same-origin allow-scripts allow-top-navigation"
     
    #5 cPanelNick, Aug 6, 2013
(You must log in or sign up to post here.)
Loading...
Similar Threads - Missing Sandbox Attribute
  1. chengkinhung

    New Thread phpmyadmin export-format-list missing SQL

    chengkinhung, Jan 20, 2019 at 1:54 AM, in forum: General Discussion
    Replies:
    0
    Views:
    8
    chengkinhung
    Jan 20, 2019 at 1:54 AM
  2. ashagl

    Editing SPF record, but advance zone editor missing

    ashagl, Jan 14, 2019 at 10:41 PM, in forum: E-mail Discussion
    Replies:
    2
    Views:
    163
    cPanelLauren
    Jan 16, 2019 at 12:26 PM
  3. herry potter

    Nameservers Missing Errors

    herry potter, Jan 10, 2019, in forum: Bind/DNS/Nameserver
    Replies:
    3
    Views:
    87
    cPanelLauren
    Jan 10, 2019
  4. vacancy

    new EA4 mod_lsapi package missing

    vacancy, Jan 10, 2019, in forum: EasyApache
    Replies:
    1
    Views:
    113
    cPanelMichael
    Jan 10, 2019
  5. Vs Nu

    MySQL features missing

    Vs Nu, Dec 28, 2018, in forum: Database Discussion
    Replies:
    1
    Views:
    214
    cPanelLauren
    Jan 2, 2019

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice