CPANEL-42515 - PCI Scan complaint about Web Server Predictable Session ID Vulnerability with port 2087 / tcp over ssl
Yesterday's PCI Scan by Sysnet indicated a Web Server Predictable Session ID Vulnerability with port 2087 / tcp over ssl.
The details of the scan noted that the cookies for roundcube_sessid, roundcube_sessauth, Horde, horde_secret_key, PPA_ID, and imp_key, all consisted of common characters among subsequent cookies. Actually the values of all the cookies were "expired". So even though one could not predict a subsequent session ID, since the values were all the same, the PCI Scan software flagged the values as being predictable session IDs.
I raised this as a false positive, and Sysnet accepted my explanation and passed my PCI Scan.
But I have RoundCube and Horde disabled. I don't provide any mail services on my server. So why when I go to port 2087 to access WHM, are these cookies even being sent? When I log in, the only cookie that is actually set is whostmgrsession, and that value is a long string and clearly not anything predictable.
Why is WHM wanting to set all these expired cookies (roundcube_sessid, roundcube_sessauth, Horde, horde_secret_key, PPA_ID, and imp_key)?
Is there a way to turn this behavior off?
Safari and Chrome don't even show these cookies because they are all expired. Firefox lists them in the console log with Cookie "x" has been rejected because it is already expired, for each of those cookies.
-
Hey there! It's a bit late here, and the dev team I want to poke about this is already out, so I'll see if I can get more details for you tomorrow! 0 -
I found a case that our developers opened just last Friday about this issue due to all the Horde changes happening recently. That case number is CPANEL-42515, but I don't have a resolution just yet. I did also add a comment about the Roundcube headers to that as well, and I'll share any details I hear with the team here! 0 -
Thank you. 0 -
I'm seeing the same expired Set-Cookie requests being made when I bring up the cpanel login screen on port 2083:
* Added cookie roundcube_sessid="expired" for domain xyz.com, path /, expire 1
< Set-Cookie: roundcube_sessid=expired; HttpOnly; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2083; secure
* Added cookie roundcube_sessauth="expired" for domain xyz.com, path /, expire 1
< Set-Cookie: roundcube_sessauth=expired; HttpOnly; domain=xyz.com; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2083; secure
* Added cookie Horde="expired" for domain xyz.com, path /, expire 1
< Set-Cookie: Horde=expired; HttpOnly; domain=.xyz.com; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2083; secure
* Added cookie horde_secret_key="expired" for domain xyz.com, path /, expire 1
< Set-Cookie: horde_secret_key=expired; HttpOnly; domain=.xyz.com; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2083; secure
* Added cookie Horde="expired" for domain xyz.com, path /, expire 1
< Set-Cookie: Horde=expired; HttpOnly; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2083; secure
* Added cookie Horde="expired" for domain xyz.com, path /horde, expire 1
< Set-Cookie: Horde=expired; HttpOnly; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/horde; port=2083; secure
* Added cookie PPA_ID="expired" for domain xyz.com, path /, expire 1
< Set-Cookie: PPA_ID=expired; HttpOnly; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2083; secure
* Added cookie imp_key="expired" for domain xyz.com, path /, expire 1
< Set-Cookie: imp_key=expired; HttpOnly; domain=xyz.com; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2083; secure
* Added cookie Horde="expired" for domain xyz.com, path /, expire 1
< Set-Cookie: Horde=expired; HttpOnly; domain=.xyz.com; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2083
* Added cookie horde_secret_key="expired" for domain xyz.com, path /, expire 1
< Set-Cookie: horde_secret_key=expired; HttpOnly; domain=.xyz.com; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2083
Since the cookies are all expired, they get tossed by browsers. I am running cPanel 106.0 (build 18). Apache 2.4.55. PHP Version 8.1.16. MySQL Version 8.0.32. OS linux. Kernel Version 3.10.0-1160.81.1.el7.x86_64. 0 -
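One way to triage this kind of scanner finding, as an added example that is not part of the thread and not cPanel's or Sysnet's code: parse each Set-Cookie header and separate deletion markers (an expiry in the past or a non-positive Max-Age) from cookies that actually carry a session value. The function names are hypothetical, three headers are copied from the output above, and the whostmgrsession value is constructed.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Three header values from the curl output in the post above, plus one
# constructed live cookie (the whostmgrsession value is a made-up placeholder).
SAMPLE_HEADERS = [
    "roundcube_sessid=expired; HttpOnly; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2083; secure",
    "Horde=expired; HttpOnly; domain=.xyz.com; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2083; secure",
    "imp_key=expired; HttpOnly; domain=xyz.com; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2083; secure",
    "whostmgrsession=CONSTRUCTED-EXAMPLE-VALUE; HttpOnly; path=/; port=2087; secure",
]


def classify(set_cookie, now=None):
    """Return (name, value, verdict); verdict is 'deletion' or 'live'."""
    now = now or datetime.now(timezone.utc)
    first, *attrs = [part.strip() for part in set_cookie.split(";")]
    name, _, value = first.partition("=")
    verdict = "live"
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "max-age" and val.lstrip("-").isdigit() and int(val) <= 0:
            verdict = "deletion"  # Max-Age <= 0 tells the client to drop the cookie
        elif key == "expires":
            try:
                # Handles the dash-separated "01-Jan-1970" date form seen above.
                if parsedate_to_datetime(val) <= now:
                    verdict = "deletion"
            except (TypeError, ValueError):
                pass  # unparseable or naive date: leave it classified as live
    return name, value, verdict


def triage(headers, now=None):
    """Group cookie names: deletion markers vs. values that need an entropy review."""
    result = {"deletion": set(), "live": set()}
    for header in headers:
        name, _value, verdict = classify(header, now)
        result[verdict].add(name)
    return result


if __name__ == "__main__":
    for verdict, names in triage(SAMPLE_HEADERS).items():
        print(verdict, sorted(names))
```

Only the names reported under `live` are candidates for a real predictability check; the `deletion` names carry the constant value "expired" and are discarded by the client.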
Yes, this would also affect port 2083 as well. 0 -
Update - I can confirm this is fixed in version 114. I'm not sure if this is receiving a backport to 110/112 just yet, but once I hear about that I'll be sure to post! 0 -
Any news on this please, as we have clients failing their PCI due to this - a backport to 110 would be great. 0 -
@havenswift - let me see if I can find out more about the plans! 0 -
I spoke with the team and they have now added backport requests for both 110 and 112! 0 -
That is great - thanks! Would it be possible to reply on here when that has been done? 0 -
I absolutely will! 0 -
Update - this is resolved in 110.0.9. 0