img-sys fails PCI
Hello everyone,
While our servers have been passing PCI certification without problem, the latest one failed to pass because the server accepts connections to /img-sys/
The error is:
Vulnerability: Undefined CVE, Click Jacking
instance: /img-sys/
level: medium
score: 4.3
status: FAIL
Notes:
Running HTTP service
HTTP response code was an expected 200
HTTP header 'Content-Type' present
HTTP header 'Content-Security-Policy' not present
HTTP header 'X-Frame-Options' not present
Anyone seen this before? Why does the scanner think that there is a Click Jacking vulnerability in /img-sys/ ?
Could it be because someone can remotely use cPanel's images within an iframe? I've added an .htaccess to img-sys to disable iframe via content security policy.
Any ideas would be appreciated.
Thank you.
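The scanner's notes above amount to a simple header check: a response that is served with neither an X-Frame-Options header nor a Content-Security-Policy with a frame-ancestors directive can be framed by any site, which is what the scanner flags as clickjacking. The following is an added example (not code from the thread, cPanel, or the scanning vendor) that reproduces that check over a captured response's headers, so you can verify a fix such as the .htaccess policy described above before the next scan. The sample header sets are constructed, not real cPanel captures; the function names are hypothetical.

```python
"""Reproduce a PCI scanner's clickjacking header check over HTTP response headers."""

# Constructed sample responses (not real cPanel captures).
UNPROTECTED = {"Content-Type": "image/png", "Server": "Apache"}
PROTECTED = {
    "Content-Type": "image/png",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}


def _get(headers, name):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def csp_frame_ancestors(csp):
    """Return the source list of the frame-ancestors directive, or None if absent."""
    if csp is None:
        return None
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def check_clickjacking(headers):
    """Return a scanner-style verdict: status PASS/FAIL plus the notes that justify it."""
    xfo = _get(headers, "X-Frame-Options")
    csp = _get(headers, "Content-Security-Policy")
    notes = []
    for name, value in (("Content-Security-Policy", csp), ("X-Frame-Options", xfo)):
        state = "present" if value is not None else "not present"
        notes.append(f"HTTP header '{name}' {state}")

    # X-Frame-Options only protects with DENY or SAMEORIGIN; ALLOW-FROM is obsolete
    # and ignored by current browsers, so it is treated as no protection here.
    xfo_ok = xfo is not None and xfo.strip().upper() in ("DENY", "SAMEORIGIN")
    if xfo is not None and not xfo_ok:
        notes.append(f"X-Frame-Options value '{xfo}' does not restrict framing")

    # Any explicit frame-ancestors list restricts framing unless it is the wildcard.
    ancestors = csp_frame_ancestors(csp)
    csp_ok = ancestors is not None and "*" not in ancestors
    if csp is not None and ancestors is None:
        notes.append("Content-Security-Policy has no frame-ancestors directive")

    status = "PASS" if (xfo_ok or csp_ok) else "FAIL"
    return {"status": status, "notes": notes}


if __name__ == "__main__":
    for label, hdrs in (("unprotected", UNPROTECTED), ("protected", PROTECTED)):
        result = check_clickjacking(hdrs)
        print(f"{label}: {result['status']}")
        for note in result["notes"]:
            print("  ", note)
```

To make a static path like /img-sys/ pass this check on Apache with mod_headers enabled, the corresponding directives are `Header always set X-Frame-Options "SAMEORIGIN"` and `Header always set Content-Security-Policy "frame-ancestors 'none'"` (use `'self'` instead of `'none'` if the images are legitimately framed by pages on the same origin); note that a Content-Security-Policy header that lacks frame-ancestors, as the check above reports, does not satisfy the scanner.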
Hello, You can remove the following line from your Apache configuration to disable the "img-sys" alias:
Alias /img-sys /usr/local/cpanel/img-sys/
As far as the warning message, you can find more information on "Click Jacking" at: Clickjacking - OWASP
Also, have you asked the PCI compliance company for more information about why their report considers this a problem? Thank you.
Hello Michael, thank you for your quick answer. If I remove the Alias line from httpd.conf, it's temporary; how can I make the change permanent so that it stays when EasyApache reconfigures/recompiles Apache? I looked at the files in img-sys and they are just a bunch of logos, so hopefully I won't break something important. I know what Click Jacking is, but I don't understand why it's relevant to img-sys and the logo images it contains; I haven't received a coherent answer from the PCI compliance company. I'm guessing that malicious people are using those logos to present a phishing web page as legitimate, like a fake cPanel login page.
> If I remove the Alias line from httpd.conf, it's temporary; how can I make the change permanent so that it stays when EasyApache reconfigures/recompiles Apache?
There are a few methods you can use to preserve Apache configuration changes, as documented at: Advanced Apache Configuration - EasyApache - cPanel Documentation Thank you.
Unfortunately, the above documentation is not very helpful. I solved it by adding the following lines to pre_virtualhost_global.conf:
Redirect /bandwidth /
Redirect /img-sys /
Redirect /java-sys /
Redirect /sys_cpanel /
Redirect takes precedence over Alias, thus all access to those aliases is being redirected to the virtualhost's public_html, which of course produces 404 errors and solves the problem with the PCI authority. (Note: remember to reconfigure/restart httpd.) I still wonder what those directories are all about; their files seem rather irrelevant to my needs. The java-sys directory contains an SSH terminal in Java (spacemusic.au? heh), the img-sys contains lots of cPanel logos and branding, the bandwidth directory redirects to a bandwidth monitor script written in Perl. hmmm
> I still wonder what those directories are all about; their files seem rather irrelevant to my needs. The java-sys directory contains an SSH terminal in Java (spacemusic.au? heh), the img-sys contains lots of cPanel logos and branding, the bandwidth directory redirects to a bandwidth monitor script written in Perl. hmmm
Those directories are for the purpose of features offered by cPanel (e.g. bandmin, SSH terminal, cPanel logos/images for web templates). Thank you.
Thank you Michael for the clarification. Apparently the PCI compliance company thinks they are being used in phishing scams with fake cPanel logins running within iframes. They require a Content-Security-Policy to disable iframe usage. Not a big deal, really.