The Community Forums


SecurityMetrics issue with webmail login page

Discussion in 'Security' started by Wheeler, Dec 15, 2010.

  1. Wheeler

    Wheeler Member

    Joined:
    Jan 5, 2007
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    A client of mine is having problems getting SecurityMetrics to pass their PCI DSS scan because of an alleged issue with the webmail login page.

    The issue was initially detected as an insecure version of HP Openview running on the server due to the URL http://www.domain.name:2095/OvCgi/connectedNodes.ovpl?node=a\x7cw returning a response.

    After a few emails back and forth SecurityMetrics recognised that HP Openview was not installed, but said that the issue was that the webmail login form was including the request URL in a hidden 'goto_url' field in the login form, which 'may not be' sanitised.

    Below is their email regarding the issue - any help on this would be appreciated. Is this really a problem or just another false positive from SecurityMetrics? These guys and indeed the whole PCI DSS compliance system are causing me and many of my clients a massive headache. Is it just me?!


    ----

    Mr X,

    The issue isn't necessarily with HP Openview, it is that the way the server is responding is commonly an HP error, but in their case it's a problem with WebMail. I looked into this with my supervisor and we found the following:

    <body>
    <div id="wrap">
    <div id="top-mail"></div>
    <div id="mid">
    <div id="content-wrap" align="center">
    <form action="/login/" method="post" >
    <input type="hidden" name="login_theme" value="cpanel" />
    <table width="200" class="login" cellpadding="0" cellspacing="0">
    <tr>
    <td align="left"><b>Login</b></td>
    <td>&nbsp;</td>
    </tr>
    <tr>
    <td class="login_lines">Email:</td>
    <td class="login_lines"><input type="text" tabindex="1" id="user" name="user" size="16" /></td>
    </tr>
    <tr class="row2">
    <td class="login_lines">Password:</td>
    <td class="login_lines"><input type="password" tabindex="2" id="pass" name="pass" size="16" /></td>
    </tr>
    <tr>
    <td colspan="2" style="text-align: center"><input type="submit" tabindex="3" id="login" value="Login" class="input-button" /></td>
    </tr>
    </table>
    <input type="hidden" name="goto_uri" value="/OvCgi/connectedNodes.ovpl?node=a\x7cw" />
    </form>

    That last input type line includes a hidden form that has the value of "/OvCgi/connectedNodes.ovpl" which was probably from our original GET request, as shown here:
    Code:
    $ telnet www.domain.tld 2095
    Trying 123.123.x.x...
    Connected to www.domain.tld.
    Escape character is '^]'.
    GET /OvCgi/connectedNodes.ovpl?node=a\x7cw HTTP/1.0
    Host: www.domain.tld:2095
    User-Agent: Mozilla/4.0
    Connection: Keep-alive
    
    Their page may not be sanitizing the user-supplied input, which would cause this to flag. I would see if there is an update from cPanel that may fix the issue.

    ---
     
  2. Wheeler

    Wheeler Member

    Joined:
    Jan 5, 2007
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Any ideas on this one? The client can't pass the SecurityMetrics scan until it is resolved... and SM keep saying to talk to cPanel as it's a bug in cPanel...
     
  3. twhiting9275

    twhiting9275 Well-Known Member

    Joined:
    Sep 26, 2002
    Messages:
    538
    Likes Received:
    15
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Solution? Don't use Security Metrics. They're a major PITA when dealing with things.
    Unfortunately, you're going to probably have the same problem with any provider, though scanalert (Mcaffee) will at least listen to what you have to say and in cases like this remove the problematic alert from you. SecurityMetrics won't.

    Every PCI provider is different in how they test, and grade things, which is why, at this point in time PCI compliance is nothing but a joke.
     
  4. sirdopes

    sirdopes Well-Known Member
    PartnerNOC

    Joined:
    Sep 25, 2007
    Messages:
    141
    Likes Received:
    0
    Trophy Points:
    16
    Do you have the CVE number?
     
  5. Wheeler

    Wheeler Member

    Joined:
    Jan 5, 2007
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    The CVE number from the scan results is 2005-2773 - which relates to HP OpenView. I've asked if there is a separate CVE number for the issue relating to the webmail login, which is what they say is causing the HP OpenView (CVE-2005-2773) issue to flag, and will post it here once they respond.

    Thanks for the help so far :)
     
  6. sirdopes

    sirdopes Well-Known Member
    PartnerNOC

    Joined:
    Sep 25, 2007
    Messages:
    141
    Likes Received:
    0
    Trophy Points:
    16
    According to the CVE, the actual problem with HP OpenView is that part of the URL is used as parameters for a system() call. This is not the case with webmail. cPanel uses this parameter to redirect to that page after you login. Beyond maybe getting redirected to a not found page, I don't really think it would be a big deal. It definitely does not use the parameters for some hidden system call. I've generally been able to just tell some scanning companies it is a false positive since we are not using HP OpenView and it gets accepted.
     
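The two technical questions in this thread are whether the request URI reflected into the hidden goto_uri field is encoded before it lands inside the value attribute, and what the login handler does with that value afterwards (a post-login redirect, as sirdopes describes). The following is an added illustration, not code from the thread or from cPanel: it shows a hidden field rendered with proper attribute encoding beside the unencoded form a scanner would object to, a same-origin check for the redirect target, and a scanner-style test that distinguishes an escaped reflection from a raw one. The function names, the probe strings and the domain names are constructed for the example; only the /OvCgi/... path is taken from the post.

```python
"""Added example (not from the thread or from cPanel): safe handling of a
reflected goto_uri and a check for whether a page encodes the reflection."""
import html
from urllib.parse import urlsplit

# The path the scanner requested in the thread (from the post); the other
# inputs below are constructed probes for this example.
SCANNER_PROBE = "/OvCgi/connectedNodes.ovpl?node=a\\x7cw"
# A probe that would break out of a double-quoted attribute if not encoded.
ATTRIBUTE_PROBE = '/x?q="><b>'


def vulnerable_goto_field(request_uri: str) -> str:
    """The pattern a scanner flags: the request URI is dropped into the
    attribute verbatim, so a quote or angle bracket ends the attribute."""
    return '<input type="hidden" name="goto_uri" value="%s" />' % request_uri


def render_goto_field(request_uri: str) -> str:
    """Encoded form: html.escape(..., quote=True) converts & < > " and '
    to entities, so no request URI can close the value attribute."""
    return '<input type="hidden" name="goto_uri" value="%s" />' % html.escape(
        request_uri, quote=True
    )


def is_local_redirect(target: str) -> bool:
    """True only for a path on this origin.  The login handler redirects to
    the value after a successful login, so a scheme or host part (http://,
    //host, /\\host) or a CR/LF that could corrupt the Location header is
    rejected and the caller falls back to a default page."""
    if not target.startswith("/") or target.startswith(("//", "/\\")):
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False
    return True


def post_login_target(goto_uri: str, default: str = "/") -> str:
    """Where to send the browser after login: the requested path if it is
    local, otherwise the default landing page."""
    return goto_uri if is_local_redirect(goto_uri) else default


def classify_reflection(page: str, probe: str) -> str:
    """Scanner-style check on a fetched page.  Use a probe that contains
    attribute-breaking characters (such as ATTRIBUTE_PROBE): 'raw' means the
    probe appears verbatim, 'escaped' means only its entity-encoded form
    appears, 'absent' means it was not reflected at all."""
    if probe in page:
        return "raw"
    if html.escape(probe, quote=True) in page:
        return "escaped"
    return "absent"


if __name__ == "__main__":
    for build in (vulnerable_goto_field, render_goto_field):
        page = "<form action=\"/login/\" method=\"post\">%s</form>" % build(ATTRIBUTE_PROBE)
        print(build.__name__, "->", classify_reflection(page, ATTRIBUTE_PROBE))
    for uri in (SCANNER_PROBE, "/webmail/", "//evil.example/", "http://evil.example/"):
        print(repr(uri), "->", post_login_target(uri))
```

Note that the scanner's own probe contains no quote or angle bracket, so its verbatim appearance in the value attribute says nothing about encoding; only a probe with attribute-breaking characters answers the "may not be sanitised" question, and the separate question of what the redirect accepts is answered by is_local_redirect, not by the markup.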