The Community Forums

XSRF attacks

Discussion in 'General Discussion' started by isputra, Apr 27, 2008.

  1. isputra

    isputra Well-Known Member

    Joined:
    May 3, 2003
    Messages:
    576
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Mbelitar
    ----------------------------
    ** Only permit cpanel/whm/webmail to execute functions that have a referrer that matches one of the domains/ip on this server. This will help prevent XSRF attacks, but may break integration with other systems, login applications, and billing software.
    ----------------------------

    I found that message on WHM >> Tweak Settings >> Security

    What is this, and what is the effect on the server if I've enabled it?
     
  2. ToddShipway

    ToddShipway Well-Known Member

    Joined:
    Nov 13, 2006
    Messages:
    300
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Houston, TX
    When this is enabled, cPanel will validate the referrer for each page. If the referrer matches one of the domains, the server's hostname, or any of the server's IPs, then the request is allowed through. If the referrer does not match, then the user is shown a page with the request information and given the option to proceed.
     
  3. DaveUsedToWorkHere

    DaveUsedToWorkHere Well-Known Member

    Joined:
    Dec 28, 2001
    Messages:
    689
    Likes Received:
    1
    Trophy Points:
    18
    XSRF attacks occur under a highly limited set of circumstances and this option will typically not need to be enabled. Some explanation:

    If you have cPanel (or almost any authenticated session) open in your browser, there's a very small chance that you could click on a link in a web page that references a URL in cPanel (or another program) that performs some malicious action (like creating an email account to spam from). However, this would mean that you would have to click on a link on a web page while you are logged into cPanel, and the link would have to know your domain name or the IP address of the server your domain is on.

    So, while it's highly unlikely that someone could determine the IP address that your site exists on (as you don't surf from that IP) and then convince you to click on a random link that performs an action, this might be a concern. Because it might be a concern, we offer protection from this type of attack.
     
  4. Stephanie_R

    Stephanie_R Active Member

    Joined:
    Mar 1, 2004
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    Hi,

    We use 2 other servers that customers can login to their cpanel accounts from, which now produces the following warning:

    Is there somewhere we can whitelist the IPs of our login servers so customers will not freak out?
     
  5. DaveUsedToWorkHere

    DaveUsedToWorkHere Well-Known Member

    Joined:
    Dec 28, 2001
    Messages:
    689
    Likes Received:
    1
    Trophy Points:
    18
    Stephanie,
    We currently do not have a whitelisting system for referrers. I've added a feature request for development.

    To be frank, XSRF attacks happen under such a limited set of circumstances that they take insane amounts of research, timing, and luck. Just think how unlikely it would be that a random website has a link on it to one of your cPanel servers (which is obfuscated in a way that seems like a good idea to click on) and that someone using that cPanel server not only clicks on that link but also has cPanel open in the browser at the same time.

    To effectively target someone with an XSRF attack, you'd have to know what cPanel server their site is on, what websites they frequent and have the luck/timing to catch them browsing those sites and clicking random links while they are logged into cPanel. This type of attack is so ineffective compared to placing malware on a desktop that it's unlikely that anyone would go through the effort for such a low return.
     
  6. d_t

    d_t Well-Known Member

    Joined:
    Sep 20, 2003
    Messages:
    243
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Bucharest
    Does anyone report such an attack, or do you just want to prevent it? Because it is very hard to have a cPanel session opened and then to click on a malicious link.

    Anyway, you had better use mod_security instead of creating a new tool. Referrer headers can be easily spoofed, so you cannot trust them.
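The following is an added, runnable model of the two mechanisms this thread is weighing: the Referer allowlist check that ToddShipway describes in post #2 (allow if the referrer matches a hosted domain, the server's hostname or one of its IPs, otherwise show a confirmation page) and, beside it, a per-session anti-XSRF token, which is the usual alternative to trusting the Referer header that d_t raises in post #6. It is not cPanel/cpsrvd code and the page does not say cPanel implements a token; the hostname, addresses, domains, cookie format and session store are all hypothetical stand-ins. The scenarios at the end run the same state-changing request from the user's own page, from a cross-site lure page (with and without a Referer), from a look-alike domain, and from a non-browser client that forges the header.

```python
"""Model of a Referer allowlist check (as described in post #2) beside a
per-session anti-XSRF token.  Constructed illustration, not cPanel's code:
hostnames, addresses, paths, cookie format and the session store are all
hypothetical."""
from dataclasses import dataclass, field
import hmac
import ipaddress
import secrets
from urllib.parse import urlsplit

SERVER_HOSTNAME = "host.example.net"                                              # assumed
SERVER_IPS = {ipaddress.ip_address(a) for a in ("203.0.113.10", "2001:db8::10")}  # assumed
HOSTED_DOMAINS = {"example.net", "customer.example"}                              # assumed


@dataclass
class Request:
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def referer_host(req: Request):
    """Host part of the Referer header, or None if absent or unparseable.
    urlsplit().hostname lowercases, strips the port and removes IPv6 brackets."""
    ref = req.headers.get("Referer")
    try:
        return urlsplit(ref).hostname if ref else None
    except ValueError:
        return None


def referer_matches(host) -> bool:
    """True if host is the server's hostname, one of its IPs, or a hosted
    domain or a subdomain of one.  The suffix test is anchored on a dot so
    that 'example.net.attacker.test' is not accepted."""
    if not host:
        return False
    try:
        return ipaddress.ip_address(host) in SERVER_IPS
    except ValueError:
        pass
    if host == SERVER_HOSTNAME:
        return True
    return any(host == d or host.endswith("." + d) for d in HOSTED_DOMAINS)


def referer_policy(req: Request) -> str:
    """'allow', or 'prompt' (the confirmation page post #2 describes).
    A missing Referer is treated as non-matching; allowing it instead would
    let a cross-site request through whenever the browser omits the header."""
    return "allow" if referer_matches(referer_host(req)) else "prompt"


SESSIONS: dict = {}   # session id -> anti-XSRF token (hypothetical store)


def new_session() -> str:
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid


def session_id(req: Request):
    cookie = req.headers.get("Cookie", "")      # hypothetical "session=<id>" cookie
    return cookie[len("session="):] if cookie.startswith("session=") else None


def token_policy(req: Request) -> str:
    """'allow' only if the form carries the token bound to the session cookie.
    A page on another origin cannot read that token, so it cannot forge the request."""
    expected = SESSIONS.get(session_id(req))
    supplied = req.form.get("csrf_token", "")
    ok = expected is not None and hmac.compare_digest(expected, supplied)
    return "allow" if ok else "reject"


def scenarios() -> dict:
    """Run the same state-changing request under several origins and return
    {name: (referer_policy, token_policy)}."""
    sid = new_session()
    cookie = {"Cookie": "session=" + sid}
    with_token = {"csrf_token": SESSIONS[sid]}
    cases = {
        # the user's own browser submitting a form from a page on the server
        "legit": Request({**cookie, "Referer": "https://host.example.net/page"}, with_token),
        # the victim's browser submits a form hosted on the attacker's site: it
        # attaches the session cookie but the Referer is the attacker's origin
        "cross_site": Request({**cookie, "Referer": "https://attacker.test/lure"}, {}),
        # same, but the browser or an extension stripped the Referer entirely
        "cross_site_no_referer": Request({**cookie}, {}),
        # attacker domain crafted to end in a hosted domain name
        "suffix_trick": Request({**cookie, "Referer": "https://example.net.attacker.test/"}, {}),
        # referrer from one of the server's own IPs, with a port
        "server_ip": Request({**cookie, "Referer": "https://[2001:db8::10]:2083/"}, with_token),
        # a non-browser client forging Referer: the header check trusts it, but
        # without the victim's session cookie the token check still rejects it
        "forged_header_no_session": Request({"Referer": "https://host.example.net/"}, {}),
    }
    return {n: (referer_policy(r), token_policy(r)) for n, r in cases.items()}


if __name__ == "__main__":
    for name, (ref, tok) in scenarios().items():
        print(f"{name:26} referer={ref:7} token={tok}")
```

Two points worth noticing in the output: the header check only ever sees what the client sends, so a forged Referer from a non-browser client passes it (the "forged_header_no_session" case), whereas the token check never consults the header at all; and a request with no Referer must land on the confirmation page, since privacy extensions and referrer policies strip the header often enough that treating "absent" as "trusted" would reopen the hole.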
     
  7. DaveUsedToWorkHere

    DaveUsedToWorkHere Well-Known Member

    Joined:
    Dec 28, 2001
    Messages:
    689
    Likes Received:
    1
    Trophy Points:
    18
    We have never had a report of such an attack occurring outside of a lab / controlled environment. I definitely see the benefit of using something like mod_Security however, since cPanel traffic is done through cpsrvd, not Apache, we cannot use mod_security to filter cpsrvd traffic. It's extremely unlikely that this type of attack could occur and while we want to provide a basic tool to mitigate attacks, we are not recommending that it be turned on unless you have explicit reason to do so.
     
  8. FeeL

    FeeL Well-Known Member

    Joined:
    Apr 17, 2004
    Messages:
    135
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Rio de janeiro
    cPanel Access Level:
    Reseller Owner
    Billing software

    It's said that it can cause problems with the billing software.

    WHMCS? Whoiscart? Modernbill? All of them, if you have multiple servers?
     
  9. DaveUsedToWorkHere

    DaveUsedToWorkHere Well-Known Member

    Joined:
    Dec 28, 2001
    Messages:
    689
    Likes Received:
    1
    Trophy Points:
    18
    Anyone who makes direct requests to cPanel pages from an external source. We do not examine the source code of those products on a regular basis.

    Please note that there will be no potential issues with billing software if you do not turn this protection on. It is not enabled by default.
     
  10. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,381
    Likes Received:
    23
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    Did the new Release update offer other security fixes?

    I guess that is what I am confused about the most. The new Release that was released on April 28th (and a smaller update on April 30th) doesn't seem to include some of the other features that were talked about in Edge (like VPS optimized and tailwatchd). Yet there was an e-mail sent out and a blog post sent out urging everyone to upgrade. I got confused as to why the urgency to this update? If it did not include some of the new features, then I assumed this was a security related update. And the blog post only seems to mention the XSRF attacks.

    From further reading, I am concluding that there were some other security issues in prior versions of cPanel (perhaps minor, but still security issues nonetheless) and instead of waiting to push all of the features out on the Release and Stable builds, you just pushed those out as separate updates.

    Am I right in my conclusions?
     
  11. DaveUsedToWorkHere

    DaveUsedToWorkHere Well-Known Member

    Joined:
    Dec 28, 2001
    Messages:
    689
    Likes Received:
    1
    Trophy Points:
    18
    Yes. You'll see that STABLE and RELEASE are still on 11.18 while CURRENT is on 11.22. New features will be pushed to STABLE and RELEASE after they have finished their testing phases. We had some potential security issues come up that we don't believe were out in the wild yet, and we wanted to make sure it stayed that way.
     
  12. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,381
    Likes Received:
    23
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    But those security issues aren't necessarily XSRF related?
     
  13. DaveUsedToWorkHere

    DaveUsedToWorkHere Well-Known Member

    Joined:
    Dec 28, 2001
    Messages:
    689
    Likes Received:
    1
    Trophy Points:
    18
    Correct. We would not recommend all customers update to provide protection against something that is so implausible to exploit effectively.
     
  14. MaraBlue

    MaraBlue Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    335
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Carmichael, CA
    cPanel Access Level:
    Root Administrator
    Finding the IP of a server/domain is actually fairly easy.
     
  15. DaveUsedToWorkHere

    DaveUsedToWorkHere Well-Known Member

    Joined:
    Dec 28, 2001
    Messages:
    689
    Likes Received:
    1
    Trophy Points:
    18
    Sure. That's not what's being discussed as finding the IP of a site is trivial. You don't need to know the IP of a site to log in to cPanel, you can use the domain name.

    To successfully attack me with XSRF, you have to know what website(s) I am associated with and then put a URL in your page performing an action in cPanel under a URL that affects that web site. Then, I have to come to your site and click on your link without looking at where it goes first. Oh, and I have to be logged into cPanel at that moment or the attack won't work.

    This means you need to know ahead of time that I will be browsing your web site, who I am and what my web site is. I also have to be foolish enough to click on both your web site and random links on your site without reading them.

    Knowing the IP of a web site is easy. Connecting the IP address of a random person surfing the net and the IP of a site that they manage is a lot harder.
     
    #15 DaveUsedToWorkHere, May 19, 2008
    Last edited: May 19, 2008
  16. MaraBlue

    MaraBlue Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    335
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Carmichael, CA
    cPanel Access Level:
    Root Administrator
    I understand all that. Your post gave the impression that the risk was trivial because the IP of a server is difficult to find, which isn't true.

    A random person? Yes.


    Jonathan of ConfigServer/CSF recommends having the referrer check enabled (indirectly, it's the CSF "Server Security Check"). I'm confused as to why since it seems like drastic overkill to me, so I did a search here in the forums and found very little in the way of a reason to justify it.
     
  17. DaveUsedToWorkHere

    DaveUsedToWorkHere Well-Known Member

    Joined:
    Dec 28, 2001
    Messages:
    689
    Likes Received:
    1
    Trophy Points:
    18
    Sorry if my post gave that impression. I'm glad you posted some follow ups as I want to make sure the info is clear.

    Seems drastic to me too but if I was in the security business, I'd surely suggest more rather than less security when possible.
     
  18. MaraBlue

    MaraBlue Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    335
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Carmichael, CA
    cPanel Access Level:
    Root Administrator
    Amen.

    There are times when it's a tough call though (for me, anyway) choosing between stable and known vs new features with unknown results. I'm just a little skittish, unless I know I have the time to invest should something go wonky. I'm a slow adopter :)

    Thanks for the information you provided on this feature. Most of everything provided in cPanel/WHM is self-explanatory, but every so often a new feature/option comes out that isn't.

    I've learned the hard way...never click a button unless you KNOW what it's supposed to do! :)
     