Skeptikal.org

Friday, December 19, 2008

cPanel Followup

I just upgraded a few servers to the latest version of cPanel, which is supposedly fully PCI compliant.

You may be wondering why, with its massively widespread use, cPanel wasn't already PCI compliant. Basically it came down to a set of SSL issues: the administration interface supported weak SSL ciphers, and there was no way to change that through cPanel itself. You had to hack it together yourself, disabling cPanel's internal SSL libraries and using other tools to implement it properly.
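To make "weak SSL ciphers" concrete, here is an added example (not code from the post or from cPanel) that audits which cipher suites a server-side TLS context would still offer after applying an OpenSSL-style cipher string of the kind the post says cPanel did not let you set. The cipher string, the weak-suite patterns and the sample suite list are assumptions constructed for the example.

```python
import re
import ssl

# Cipher-suite name fragments that correspond to the families PCI objects to:
# no encryption (NULL), export-grade (EXP), DES/3DES, RC4, RC2, MD5 MACs and
# anonymous key exchange (ADH/AECDH). Names follow OpenSSL's convention,
# e.g. "RC4-MD5" or "ECDHE-RSA-DES-CBC3-SHA". (Constructed list, not exhaustive.)
WEAK_PATTERNS = re.compile(r"NULL|EXP|DES|RC4|RC2|MD5|ADH|AECDH", re.I)

# Assumed hardened cipher string: keep the HIGH group and explicitly strip the
# weak families. This is the kind of setting the post says had to be applied
# outside cPanel.
HARDENED_CIPHERS = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!SRP"


def is_weak(suite_name):
    """True if a cipher-suite name matches one of the weak families above."""
    return bool(WEAK_PATTERNS.search(suite_name))


def weak_suites(suite_names):
    """Sorted list of the weak suites among the names given."""
    return sorted(name for name in suite_names if is_weak(name))


def hardened_context():
    """Server-side TLS context restricted to the hardened cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def audit_context(ctx):
    """Weak suites an SSLContext would still offer to clients (empty is the goal)."""
    return weak_suites(cipher["name"] for cipher in ctx.get_ciphers())


# Constructed sample of what a permissive admin interface might advertise.
SAMPLE_OFFERED = [
    "RC4-MD5",
    "DES-CBC3-SHA",
    "EXP-RC4-MD5",
    "NULL-SHA",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-GCM-SHA384",
]


if __name__ == "__main__":
    print("weak suites in the sample list:", weak_suites(SAMPLE_OFFERED))
    print("weak suites after hardening:   ", audit_context(hardened_context()))
```

`audit_context` reads back what OpenSSL actually enabled rather than trusting the cipher string, which catches typos in the string and build-specific differences; the same check can be pointed at a live port by wrapping a socket with the context and comparing the negotiated suite.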

While I'm happy that they got around to fixing that issue (after only about 4 months), they still haven't fixed the XSS or CSRF issues that I sent to them in June and posted here back in August.

...But I'm getting awfully jaded, and I'm not expecting them to ever fix it.


4 Comments:

  • You know cPanel has XSRF protection that you can enable in WHM right? Click the box in 'Tweak Settings' labelled:

    "Only permit cpanel/whm/webmail to execute functions that have a referrer that matches one of the domains/ip on this server. This will help prevent XSRF attacks, but may break integration with other systems, login applications, and billing software."

    By Anonymous Anonymous, At November 30, 2009 2:06 PM  
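The WHM setting quoted in the comment above is a referrer check: a state-changing request is only executed when its Referer (or Origin) host is one of the server's own domains or IPs. The added example below (not cPanel's code; the server domains, header values and sample requests are constructed) implements that check and shows why the setting "may break integration": a billing or login system that posts without a Referer is rejected along with the cross-site request.

```python
from urllib.parse import urlsplit

# Constructed: the hostnames and IPs this server answers for, the analogue of
# "domains/ip on this server" in the quoted WHM setting.
SERVER_ORIGINS = {"panel.example.com", "example.com", "203.0.113.10"}


def _source_host(header_value):
    """Lowercased hostname (port stripped) from a Referer or Origin value,
    or None when the header is absent, "null", or not a parsable URL."""
    if not header_value or header_value == "null":
        return None
    try:
        return urlsplit(header_value).hostname
    except ValueError:
        return None


def referrer_matches_server(headers, allowed=SERVER_ORIGINS):
    """Decide whether a function may execute, mirroring the WHM tweak.

    headers: dict of request headers (matched case-insensitively here).
    Returns (permitted, reason). Origin is consulted first because browsers
    send it on cross-site POSTs even when Referer is suppressed; Referer is
    the fallback. A request carrying neither header is rejected, which is
    exactly what breaks non-browser integrations: they usually send no Referer.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    for name in ("origin", "referer"):
        host = _source_host(lower.get(name))
        if host is not None:
            if host in allowed:
                return True, f"{name} host {host} is one of this server's domains"
            return False, f"{name} host {host} is not one of this server's domains"
    return False, "no Origin or Referer header; request cannot be attributed"


# Constructed sample requests as the panel would see them.
SAMPLE_REQUESTS = {
    "same-site form post": {
        "Host": "panel.example.com:2087",
        "Referer": "https://panel.example.com:2087/scripts/adduser",
    },
    "cross-site page": {
        "Host": "panel.example.com:2087",
        "Origin": "https://other-site.example.net",
        "Referer": "https://other-site.example.net/page.html",
    },
    "billing integration": {
        "Host": "panel.example.com:2087",
        "User-Agent": "BillingBot/1.0",
    },
}


def evaluate_samples(requests=SAMPLE_REQUESTS):
    """Run the check over each sample request; returns {label: permitted}."""
    return {label: referrer_matches_server(hdrs)[0] for label, hdrs in requests.items()}


if __name__ == "__main__":
    for label, hdrs in SAMPLE_REQUESTS.items():
        permitted, why = referrer_matches_server(hdrs)
        print(f"{label:22} -> {'ALLOW' if permitted else 'DENY':5} ({why})")
```

The host comparison is an exact set membership, so `panel.example.com.other.example.net` does not pass just because it starts with an allowed name; a substring or prefix match would defeat the check. The third sample is the operational cost the setting's own description warns about, and the usual remedy is a per-session anti-CSRF token rather than loosening the header check.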

  • I am aware of it, but only because I've spent an awful lot of time poking around cPanel. It's not enabled by default, not mentioned in the FAQ on cPanel's website, and not mentioned anywhere in the "cPanel" documentation.

    Please give me one good reason that this isn't enabled by default.

    By Anonymous mckt, At November 30, 2009 2:06 PM  
