PCI scan flags cPanel services: "Insufficient Session Expiration found"
A recent PCI server scan flagged the following on multiple ports on cPanel (2096, 2087, etc.): "Insufficient Session Expiration found"
Threat Insufficient Session Expiration
Impact
Session hijacking and some other session-based attacks can require an active session ID to exploit. For this reason, sessions are given an expiration so that they are no longer valid after the user is done with the session. By limiting the window in which a session ID is valid, the exploitability of the session ID is also reduced. General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have guidelines related to the use of cookies, including session cookies, although they do not specifically mandate a maximum expiration time for session cookies. In general, the guidelines suggest that cookies should not be stored for longer than necessary for the purpose for which they were collected.
Solution
It is recommended to use a framework that properly manages sessions and session expiration. The amount of time for a session to expire will depend on the application. When a session expires, the web application must take active actions to invalidate the session on both sides, client and server.
Request: POST https://xxxxxxxx.com:2096/login/ HTTP/1.1
Origin: https://xxxxxxxx.com:2096
Cookie: roundcube_cookies=enabled; timezone=Etc/UTC; webmailsession=%3a1f8EsGB98isPKr_X%2c35851ce2ae4de86a97226c1c00d0f72e
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Referer: https://xxxxxxxx.com:2096/
Content-Length: 26
Content-Type: application/x-www-form-urlencoded
user=CHSuser&pass=Passwor1
location: https://xxxxxxxx.com:2096/login/
Is this because a cookie is created without an expiration time?
Is there some other expiration time I should have configured in WHM/cPanel that I am missing?
Thanks for any assistance you can provide!
-
I'm going to post the same reply I got from the team to this one as well - since the cookies are cleared, this isn't an issue:
Both the cPanel and WHM interfaces will pass non-secure cookies along with secure ones and this can sometimes cause a PCI scan to fail.
This behavior is intentional. When the user logs out we clear *both* the secure and non-secure versions to avoid a redirect loop. cpsrvd, the process that runs the cPanel and WHM services, won't actually set the insecure ones by default on the secure ports you have mentioned.
PCI Audits may be mistaken in identifying these cookies as a security concern. Their purpose is to invalidate the previously used cookies, after a failed authorization attempt. On successful authentication, a secure cookie will be used.
0 -
Ok, thanks! I'll pass this along as a false positive and see what happens.
0 -
Since the ASV seems to want a specific Yes/No answer as to whether the insecure cookies (from my other question) are used to start or maintain an authenticated session, before I post a response to them for this question about no expiration information in the cookies, I must now ask: If the session is authenticated successfully, do the webmailsession cookies then contain expiration information?
My guess here is they want to see the cookies contain expiration information, regardless of their secure nature as reported in the other cookie issue they flagged.
0 -
I don't believe there is any specific expiration information on those.
0 -
Ok, thanks.
0 -
Update: For the port 2096 login URL, the ASV is now asking:
"Can your organization confirm adherence to PCI DSS Requirement 8.2.8, which states "If a user session has been idle for more than 15 minutes, the user is required to re-authenticate to re-activate the terminal or session"? Or can your organization confirm that this user session is not an authenticated session, or that compensating controls such as automated screen savers acting within 15 minutes meet the intent of requirement 8.2.8? Yes or No is sufficient."
Do you know if the webmail login can meet either of these requirements?
0 -
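The scanner's "Solution" text above asks for a session that expires and is invalidated on both the client and the server, and the ASV's follow-up quotes PCI DSS 8.2.8's 15-minute idle limit. The following is an added example, not cPanel's code and not how cpsrvd manages webmailsession cookies: a small server-side session store with a sliding 15-minute idle timeout, a logout that both deletes the server record and sends a clearing Set-Cookie, and a helper that reports whether a Set-Cookie header carries any expiration attributes (which is what the scan finding is about). The class and function names, the injectable clock, and the sample headers are all constructed for illustration; only the cookie name is taken from the captured request.

```python
"""
Added example (not cPanel's or cpsrvd's code): an idle-timeout session store
that mirrors PCI DSS 8.2.8 (re-authenticate after 15 idle minutes) and the
scanner's "invalidate on both sides" advice, plus a checker that reports
whether a Set-Cookie header carries expiration information.
All names and sample values here are constructed for illustration.
"""
import secrets
import time
from datetime import datetime, timezone
from email.utils import format_datetime

IDLE_TIMEOUT_SECONDS = 15 * 60      # PCI DSS 8.2.8 idle limit
COOKIE_NAME = "webmailsession"      # cookie name seen in the scan request


class SessionStore:
    """Server-side session table keyed by a random session ID (hypothetical class)."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS, clock=time.time):
        self.idle_timeout = idle_timeout
        self.clock = clock              # injectable so the timeout can be tested
        self._sessions = {}             # session_id -> {"user": str, "last_seen": float}

    def login(self, user):
        """Create a fresh server-side record; return (session_id, Set-Cookie header)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self.clock()}
        return sid, self._set_cookie(sid, max_age=self.idle_timeout)

    def touch(self, sid):
        """Validate a presented session ID and refresh its idle timer.
        Returns the user, or None if the ID is unknown or has been idle too long.
        An idle-expired record is deleted so it can never be revived."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self.clock()
        if now - rec["last_seen"] > self.idle_timeout:
            del self._sessions[sid]
            return None
        rec["last_seen"] = now
        return rec["user"]

    def logout(self, sid):
        """Invalidate on both sides: drop the server record and tell the
        client to discard the cookie (Max-Age=0 plus an Expires in the past)."""
        self._sessions.pop(sid, None)
        return self._set_cookie("", max_age=0)

    def _set_cookie(self, value, max_age):
        expires_at = datetime.fromtimestamp(self.clock() + max_age, tz=timezone.utc)
        expires = format_datetime(expires_at, usegmt=True)
        return (f"{COOKIE_NAME}={value}; Max-Age={max_age}; Expires={expires}; "
                "Path=/; Secure; HttpOnly; SameSite=Strict")


def cookie_expiration_info(set_cookie_header):
    """Return the expiration attributes (max-age / expires) found in a Set-Cookie
    header. An empty dict means the cookie states no lifetime at all, i.e. it is
    a browser-session cookie, which is what the scan finding describes."""
    info = {}
    # Attributes are ';'-separated; an Expires date contains commas but no ';'.
    for part in set_cookie_header.split(";")[1:]:
        name, _, value = part.strip().partition("=")
        if name.lower() in ("max-age", "expires"):
            info[name.lower()] = value.strip()
    return info


if __name__ == "__main__":
    store = SessionStore()
    sid, header = store.login("alice")
    print("login  ->", header)
    print("active ->", store.touch(sid))
    print("logout ->", store.logout(sid))
    print("after  ->", store.touch(sid))
    # Constructed header with no lifetime, the shape the scanner complains about:
    print("no-expiry cookie ->", cookie_expiration_info(f"{COOKIE_NAME}=abc; Path=/; Secure"))
```

The timeout is a sliding idle window (each valid request refreshes `last_seen`), which is the wording of 8.2.8; an absolute maximum lifetime would be a separate counter. Note that the client-side attributes only advise the browser; the server-side check in `touch` is what actually enforces the limit.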
We don't have any timeouts on the session as long as it's active, but the second part - "can you confirm this user session is not an authenticated session" - that's the one!
0 -
I don't understand part 2: Aren't all these cPanel logins authenticated sessions?
0 -
No, they are not.
0 -
Can you help me understand what an "authenticated session" is and why this cPanel login is not one? I apologize for my ignorance in this area, but I want to understand what I'm going to explain to the ASV. :)
0 -
I don't have another way to explain it other than what has already been posted. You should just be able to send them the larger blurb from the other post.
0