cpsrvd cookie httponly false
PCI scan reveals WHM is sending a "timezone" cookie with HTTPOnly set false. I verified this with web browser debug console. "Require SSL for cPanel Services" is enabled. I don't see anything specific to HTTPOnly and cpsrvd cookies. I tried clearing cookies and this cookie is always recreated. WHM and server are fully updated.
I changed the WHM/cPanel UI login theme from "cpanel" to "cpanel legacy". This appears to have stopped creation of the "timezone" cookie. I suppose this means the cookie is created by the theme's JavaScript. I'm not sure what value this cookie is to the user, but PCI scanners don't like it.
Hey there! Can you let me know the specific failure or complaint the PCI scan shows about this specific cookie? Once I know that I'll likely be able to get you more details.
Insecure configuration of Cookie attributes
Detection Details: Cookie Vulnerabilities Found
timezone = etc/utc
Path = /
Host = x.x.x.x
Cookie does not have an HTTPOnly Attribute
Cookie Change Observed on CLIENT side
It is important to set Secure and HTTPOnly flags for all the cookies on the application. The Secure flag prevents cookies from being transmitted over clear text. An HTTPOnly flag would limit cookie access in cases of Cross-Site Scripting issues.
Proper Caching headers should be set for responses carrying the cookie.
Cookies set on the client side should also contain Secure and HTTPOnly tags. Ensure that any web applications running on this host are configured following industry security best practices.
Thanks for the additional details. It looks like this is addressed in the top yellow banner at https://docs.cpanel.net/knowledge-base/security/how-to-troubleshoot-pci-compliance-scans/ as a common false-positive, and that seems like what is happening on your machine in this case. Can you relay that information to the PCI scanning company?