PCI Scan - /webmail fails

vpswing

Active Member
Jun 4, 2014
32
4
58
cPanel Access Level
Root Administrator
Vulnerability Details:
Code:
Service: https
    Sent:

GET /webmail/<SCRIPT>alert('SAINT')</SCRIPT> HTTP/1.0
Host: domain.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Connection: Keep-alive

Received:
    'redirect_url': "http:\/\/webmail.domain.net\/<SCRIPT>alert('SAINT')<\/SCRIPT>"

Suggested Resolution:
Code:
Cross-site scripting can be fixed by modifying the application's code on the server to HTML-encode user-supplied characters which have special meaning when rendered in a browser. That is, change < to &lt;, > to &gt;, & to &amp;, and " to &quot;. Some web application programming languages contain functions for this purpose, such as htmlspecialchars() in PHP and HttpServerUtility.HtmlEncode in .NET.
Fix information for specific software products is provided below.
All other products: Retrieve an upgrade or a patch from the vendor. See the posting to Bugtraq [http://www.securityfocus.com/archive/1/194464] for information about specific types of web servers.

If a fix is unavailable, then work around the problem by creating a customized error page.
How do I reply to/dispute this?

Thanks!
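
An added triage sketch, not part of the original posts and not cPanel or SAINT code: it classifies how the scanner's probe string is reflected in a response body, using the Received line above plus two constructed bodies. The function names and the quote-counting heuristic are assumptions made for illustration.

```python
import html
import re

PROBE = "<SCRIPT>alert('SAINT')</SCRIPT>"  # probe string from the scan report
# "Received" line from the scan report above
RECEIVED = r'''    'redirect_url': "http:\/\/webmail.domain.net\/<SCRIPT>alert('SAINT')<\/SCRIPT>"'''
# Constructed samples (not from the report) for comparison
RAW_HTML = "<p>Not found: /webmail/<SCRIPT>alert('SAINT')</SCRIPT></p>"
ENCODED_HTML = "<p>Not found: /webmail/" + html.escape(PROBE) + "</p>"


def _in_double_quoted_string(body, pos):
    """Heuristic: odd number of unescaped '"' earlier on the same line."""
    prefix = body[body.rfind("\n", 0, pos) + 1:pos]
    return len(re.findall(r'(?<!\\)"', prefix)) % 2 == 1


def reflection_contexts(body, probe=PROBE):
    """List how each reflection of `probe` appears in `body`."""
    found = []
    # Entity-encoded copies are rendered as text, not markup.
    for enc in {html.escape(probe, quote=True), html.escape(probe, quote=False)}:
        found += ["html-encoded"] * body.count(enc)
    # JSON/JS serializers commonly write "/" as "\/".
    js_form = probe.replace("/", "\\/")
    for m in re.finditer(re.escape(js_form), body):
        inside = _in_double_quoted_string(body, m.start())
        found.append("js-string" if inside else "raw")
    if js_form != probe:
        found += ["raw"] * body.count(probe)
    return found


def verdict(body, probe=PROBE):
    contexts = reflection_contexts(body, probe)
    if "raw" in contexts:
        return "fail"    # probe reaches the page as markup
    if "js-string" in contexts:
        return "review"  # depends on Content-Type and how the page uses the string
    return "pass"        # absent or entity-encoded


if __name__ == "__main__":
    samples = [("scan report", RECEIVED), ("raw", RAW_HTML), ("encoded", ENCODED_HTML)]
    for name, body in samples:
        print(f"{name:12} {reflection_contexts(body)} -> {verdict(body)}")
```

A "review" result means the reflection sits inside a quoted script string, so the response's Content-Type and the code that consumes redirect_url decide whether the finding stands.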
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,295
1,259
313
Houston
This is odd in that I can't replicate their output. I believe that updating “Enable Content-Security-Policy on some interfaces” from “Off” to “On” in WHM>>Server Configuration>>Tweak Settings should resolve the XSS issue, though.
 

vpswing

Thanks Lauren.
I will try that (turn "On") for the "Enable Content Security Policy" and re-run the scan. Does it matter that we're still using cPanel 88.0.17?
 

vpswing

Hi Lauren,

Unfortunately, no joy - I disabled that and re-ran the scan. It still shows fail. I tried manually entering the URL into my browser; it redirects me to the server's port 2096. There is no JavaScript pop-up or anything of that sort - so I'm not sure what they are trying to get at.

Any other suggestions?
 

cPanelLauren

When I run this, it doesn't redirect me; it fails with an error page. On yours, it does take me to 2096 after hitting the proxy page to automatically redirect to the webmail.domain.tld. I'm not sure what you have configured differently, and it'd be really difficult for me to compare, though I don't think that being on v88 of cPanel & WHM is the issue here.
Can you please open a ticket using the link in my signature? Once open, please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


Thanks!
 

vpswing

Hi Lauren,

Ok, done. Ticket ID: 93808878

I've also included the httpd.conf file for reference. It has the RewriteRule & RewriteCond for webmail (as well as many others).
Maybe that is the reason? Any possibility of removing these rewrites without impacting the server? I tried to manually comment some of them out, but it ended with the server showing 500 internal error.

Thanks!