PCI Scan - /webmail fails

[vpswing]

Vulnerability Details:

Service: https
    Sent:

GET /webmail/<SCRIPT>alert('SAINT')</SCRIPT> HTTP/1.0
Host: domain.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Connection: Keep-alive

Received:
    'redirect_url': "http:\/\/webmail.domain.net\/<SCRIPT>alert('SAINT')<\/SCRIPT>"

Suggested Resolution:

Cross-site scripting can be fixed by modifying the application's code on
the server to HTML-encode user-supplied characters which have special meaning when rendered in a browser. That is, change < to <, > to >, & to &, and " to ". Some web application programming languages contain functions for this purpose, such as
htmlspecialchars() in PHP and HttpServerUtility.HtmlEncode in .NET.
Fix information for specific software products is provided below.
All other products: Retrieve an upgrade or a patch from the vendor. See the posting to
[http://www.securityfocus.com/archive/1/194464] Bugtraq for information about specific types of web servers.

If a fix is unavailable, then work around the problem by creating a customized error page.

How do I reply/dispute this ?

Thanks!

 

[cPanelLauren]

This is odd in that I can't replicate their output. I believe that Updating “Enable Content-Security-Policy on some interfaces” from “Off” to “On” in WHM>>Server Configuration>>Tweak Settings should resolve the XSS issue though.

 

[vpswing]

Thanks Lauren.
I will try that (turn "On") for the Enable Content Security Policy" and re-run the scan. Does it matter that we're still using cPanel 88.0.17 ?

 

[vpswing]

Hi Lauren,

Unfortunately, no joy - I disabled that and re-ran the scan. It still shows fail. I tried manually entering the URL into my browser, it redirects me to the server's port 2096. There is no javascript pop-up or anything of that sort - so I'm not sure what they are trying to get at.

Any other suggestions?

 

[cPanelLauren]

When I run this, it doesn't redirect me, it fails with an error page, on yours, it does take me to 2096 after hitting the proxy page to automatically redirect to the webmail.domain.tld. I'm not sure what you have configured differently and it'd be really difficult for me to compare though I don't think that being on v88 of cPanel & WHM is the issue here.
Can you please open a ticket using the link in my signature? Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


Thanks!

 

[vpswing]

Hi Lauren,

Ok, done. Ticket ID: 93808878

I've also included the httpd.conf file for reference. It has the RewriteRule & RewriteCond for webmail (as well as many others).
Maybe that is the reason? Any possibility of removing these rewrites without impacting the server? I tried to manually comment some of them out, but it ended with the server showing 500 internal error.

When I run this, it doesn't redirect me, it fails with an error page, on yours, it does take me to 2096 after hitting the proxy page to automatically redirect to the webmail.domain.tld. I'm not sure what you have configured differently and it'd be really difficult for me to compare though I don't think that being on v88 of cPanel & WHM is the issue here.
Can you please open a ticket using the link in my signature? Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


Thanks!

Thanks!

 

[vpswing]

Hi Lauren,

This issue has returned in our quarterly PCI scan :-(
I can't seem to login using this forum's credentials to the support desk - would you be able to help reset the password for me?
I'm trying to view the old ticket 93808878 to see what was the solution.

Thanks!

 

[cPRex]

I'm not able to help with access to the support desk here, but if you send a message to [email protected] our Customer Service team will be able to provide some more assistance with that. You can also try the "forgot password" link in our support system to get that reset.