cPanel Security Advisory: CVE 2008-2043
Summary
cPanel 11.25.0 provides mechanisms to prevent cross-site request forgery (CSRF) attacks.
Security Rating
This update has been rated as having an Important security rating by the cPanel Security team.
Description
All versions of cPanel prior to version 11.25.0 are vulnerable to cross-site request forgery attacks. Cross-site request forgery, often abbreviated as CSRF or XSRF, exploits the trust a website has in a user's browser: the browser automatically attaches the user's session cookies or cached HTTP authentication credentials to requests, so a malicious site can cause the browser to submit requests the user never intended, and the website executes those commands as if the user had authorized them.
Solution
cPanel 11 users should upgrade to version 11.25.0, which contains mechanisms to prevent these types of attacks. To ensure full protection, enabling the following options in Tweak Settings is strongly recommended:
- Require security tokens for all interfaces. This will greatly improve the security of cPanel and WHM against XSRF attacks, but may break integration with other systems, login applications, billing software and third party themes.
- Validate the IP addresses used in all cookie based logins. This will limit the ability of attackers who capture cPanel session cookies to use them in an exploit of the cPanel or WebHost Manager interfaces. For this setting to have maximum effectiveness, proxydomains should also be disabled.
- Disable Http Authentication for cPanel/WebMail/WHM Logins (forces cookie authentication). This will help prevent certain types of XSRF attacks that rely on cached HTTP Auth credentials, which the browser resends automatically on every request to the same realm.
In addition, it is recommended that the following Tweak Settings be disabled:
- Add proxy VirtualHost to httpd.conf to automatically redirect unconfigured cpanel, webmail, webdisk and whm subdomains to the correct port (requires mod_rewrite and mod_proxy)
- Automatically create cpanel, webmail, webdisk and whm proxy subdomain DNS entries for new accounts. When this is initially enabled it will add appropriate proxy subdomain DNS entries to all existing accounts. (Use /scripts/proxydomains to reconfigure the DNS entries manually)
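The first two recommended settings, per-session security tokens and binding a cookie-based login to the IP address that created it, can be illustrated with a small request-check routine. The following is an added example written for this page; it is not cPanel's or WHM's own code, and the in-memory session store, the `create_session` and `check_request` functions, and the addresses used in `simulate` are all constructed for the demonstration.

```python
import hmac
import secrets

# Constructed in-memory session store: session_id -> session record.
# A real server would keep this in its session backend, keyed by the login cookie.
SESSIONS = {}


def create_session(user, client_ip):
    """Start a cookie-based session: record the login IP and mint a per-session security token.
    The returned session_id is what would be set as the login cookie."""
    session_id = secrets.token_hex(16)
    SESSIONS[session_id] = {
        "user": user,
        "ip": client_ip,
        "csrf_token": secrets.token_urlsafe(32),
    }
    return session_id


def check_request(session_id, client_ip, method, submitted_token, validate_ip=True):
    """Decide whether a request may proceed. Returns (allowed, reason).

    - The cookie must map to a live session.
    - With validate_ip on (the 'Validate the IP addresses used in all cookie based logins'
      setting), the request must come from the IP that logged in.
    - For state-changing methods, the request must carry the session's security token
      (the 'Require security tokens for all interfaces' setting). A forged cross-site
      request carries the cookie, because the browser adds it, but never the token,
      because the attacking page cannot read it.
    """
    session = SESSIONS.get(session_id)
    if session is None:
        return False, "no session"
    if validate_ip and client_ip != session["ip"]:
        return False, "ip mismatch"
    if method.upper() in ("POST", "PUT", "DELETE", "PATCH"):
        if submitted_token is None or not hmac.compare_digest(
            submitted_token.encode(), session["csrf_token"].encode()
        ):
            return False, "missing or invalid security token"
    return True, "ok"


def simulate():
    """Constructed walkthrough with documentation-range addresses:
    a legitimate form post with the token succeeds, a cross-site forged post (cookie
    present, no token) fails, and a replayed cookie from another IP fails even with the
    token while IP validation is on, but passes when it is off."""
    sid = create_session("alice", "203.0.113.10")
    token = SESSIONS[sid]["csrf_token"]
    results = {}
    results["legit_get"] = check_request(sid, "203.0.113.10", "GET", None)
    results["legit_post"] = check_request(sid, "203.0.113.10", "POST", token)
    results["forged_post"] = check_request(sid, "203.0.113.10", "POST", None)
    results["stolen_cookie"] = check_request(sid, "198.51.100.7", "POST", token)
    results["stolen_cookie_no_ip_check"] = check_request(
        sid, "198.51.100.7", "POST", token, validate_ip=False
    )
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name}: {outcome}")
```

The last case in `simulate` is why the advisory pairs the two settings: the token alone does not stop someone who already holds a captured cookie and token, but tying the session to its login IP does, which is also why the advisory notes that proxy subdomains (which can change the apparent client address) should be disabled for the IP check to be fully effective.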
May 5th, 2010 - 07:02
It is also easy to backup and transfer all your websites from one server to another server if you have cPanel installed.