
img-sys fails PCI

Comments

6 comments

  • cPanelMichael
    Hello, you can remove the following line from your Apache configuration to disable the "img-sys" alias:
    Alias /img-sys /usr/local/cpanel/img-sys/
    As far as the warning message, you can find more information on "Click Jacking" at: Clickjacking - OWASP Also, have you asked the PCI compliance company for more information about why their report considers this a problem? Thank you.
  • sehh
    Hello Michael, thank you for your quick answer. If I remove the Alias line from httpd.conf, it's temporary; how can I make the change permanent so that it stays when EasyApache reconfigures/recompiles Apache? I looked at the files in img-sys and they are just a bunch of logos, so hopefully I won't break something important. I know what Click Jacking is, but I don't understand why it's relevant to img-sys and the logo images it contains; I haven't received a coherent answer from the PCI compliance company. I'm guessing that malicious people are using those logos to present a phishing web page as legitimate, like a fake cPanel login page.
  • cPanelMichael
    If I remove the Alias line from httpd.conf, it's temporary; how can I make the change permanent so that it stays when EasyApache reconfigures/recompiles Apache?

    There are a few methods you can use to preserve Apache configuration changes, as documented at: Advanced Apache Configuration - EasyApache - cPanel Documentation Thank you.
  • sehh
    Unfortunately, the above documentation is not very helpful. I solved it by adding the following lines to pre_virtualhost_global.conf
    Redirect /bandwidth /
    Redirect /img-sys /
    Redirect /java-sys /
    Redirect /sys_cpanel /
    Redirect takes precedence over Alias, thus all access to those aliases is being redirected to the virtualhost's public_html, which of course produces 404 errors and solves the problem with the PCI authority. (note: remember to reconfigure/restart httpd) I still wonder what those directories are all about; their files seem rather irrelevant to my needs. The java-sys directory contains an SSH terminal in Java (spacemusic.au? heh), the img-sys directory contains lots of cPanel logos and branding, and the bandwidth directory redirects to a bandwidth monitor script written in Perl. hmmm
  • cPanelMichael
    I still wonder what those directories are all about; their files seem rather irrelevant to my needs. The java-sys directory contains an SSH terminal in Java (spacemusic.au? heh), the img-sys directory contains lots of cPanel logos and branding, and the bandwidth directory redirects to a bandwidth monitor script written in Perl. hmmm

    Those directories are for the purpose of features offered by cPanel (e.g. bandmin, SSH terminal, cPanel logos/images for web templates). Thank you.
  • sehh
    Thank you Michael for the clarification. Apparently the PCI compliance company thinks they are being used in phishing scams with fake cPanel logins running within iframes. They require a Content-Security-Policy to disable iframe usage. Not a big deal, really.
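The two fixes discussed in this thread, sehh's Redirect workaround for the cPanel aliases and the anti-framing Content-Security-Policy the PCI scanner asked for, put together as an added example. This is not code from the thread or from cPanel: the include path is assumed from the EasyApache layout (the thread names only the file), the headers assume mod_headers is loaded, and the sample responses are constructed, not real captures. The second function audits a captured header block for a framing restriction, which is the check the scanner is effectively running.

```shell
#!/bin/sh
# Added example, not from the thread or cPanel.

# Emit the fragment for pre_virtualhost_global.conf (path assumed from the
# EasyApache layout: /etc/apache2/conf.d/includes/pre_virtualhost_global.conf).
apache_fragment() {
    cat <<'EOF'
# Redirect takes precedence over Alias, so the cPanel-provided aliases resolve
# under the vhost's document root and return 404 (sehh's workaround).
Redirect /bandwidth /
Redirect /img-sys /
Redirect /java-sys /
Redirect /sys_cpanel /

# Anti-clickjacking headers (requires mod_headers).
# frame-ancestors 'none' forbids any page from framing this site; use 'self'
# instead if the site frames its own pages.
Header always set Content-Security-Policy "frame-ancestors 'none'"
# Legacy equivalent for browsers without CSP Level 2 support.
Header always set X-Frame-Options "DENY"
EOF
}

# Return 0 if the header block on stdin carries a framing restriction
# (CSP frame-ancestors or X-Frame-Options DENY/SAMEORIGIN), 1 otherwise.
# In practice feed it: curl -sI https://example.com/img-sys/  (hypothetical host)
has_frame_protection() {
    # normalise CRLF and case, then look for either directive
    tr -d '\r' | tr 'A-Z' 'a-z' | grep -Eq \
        '^(content-security-policy:.*frame-ancestors|x-frame-options:[[:space:]]*(deny|sameorigin))'
}

# Constructed sample responses (not real captures).
UNPROTECTED_HEADERS='HTTP/1.1 200 OK
Server: Apache
Content-Type: image/png'

PROTECTED_HEADERS="HTTP/1.1 404 Not Found
Server: Apache
Content-Security-Policy: frame-ancestors 'none'
X-Frame-Options: DENY"

# $1 = header block; prints "protected" or "unprotected"
check_sample() {
    if printf '%s\n' "$1" | has_frame_protection; then
        echo "protected"
    else
        echo "unprotected"
    fi
}

check_sample "$UNPROTECTED_HEADERS"   # unprotected
check_sample "$PROTECTED_HEADERS"     # protected
```

After writing the fragment to the include file and rebuilding the Apache configuration, re-run the header check against the live /img-sys/ URL: the 404 alone does not satisfy a clickjacking finding, the Content-Security-Policy line does.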
