maggieroofus Posted July 7, 2008

I don't know if anyone else is experiencing this or not, but today I tried logging into Cpanel for the first time since installing Firefox 3 and I got this ...

I can get in if I change my security setting not to warn me about sites suspected of forgery (just allowing the url to allowed exceptions did not work). However, my husband did some research and found this from Security Lab. Although it's referring to versions before the 11.23.3 (current version of Cpanel)

Published: 12-05-2008
Updated: 23-05-2008
Product:
  cPanel: cPanel 11.18
  cPanel: cPanel 11.18.1
  cPanel: cPanel 11.18.2
  cPanel: cPanel 11.18.3
  cPanel: cPanel 11.22
  cPanel: cPanel 11.22.1
  cPanel: cPanel 11.22.2
Severity: Medium (4.3)
CVSS vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Attack's vector: Victim must voluntarily interact with attack mechanism
Potential loss type: Integrity
Vulnerability description: Multiple cross-site request forgery (CSRF) vulnerabilities in the WHM interface 11.15.0 for cPanel 11.18 before 11.18.4 and 11.22 before 11.22.3 allow remote attackers to perform unauthorized actions as cPanel administrators via requests to cpanel/whm/webmail and other unspecified vectors.
Patch available: No

In my attempt to bypass this problem I downloaded Filezilla (something I've been meaning to do anyway) but can't get logged in. It keeps timing out on me.

TCH-Thomas Posted July 7, 2008

Please submit a ticket and the techs will take a look at this. Link on top of page and in my signature.

TCH-Bruce Posted July 7, 2008

Why are you accessing cPanel using the IP address instead of your domain name? Not that it is the problem but I'm curious.

maggieroofus (Author) Posted July 7, 2008 (edited)

> Why are you accessing cPanel using the IP address instead of your domain name? Not that it is the problem but I'm curious.

It's the link that was provided with my account when I signed up and what I bookmarked and have always used. I've tried using my domain name and I get an error message from FF.

Edited July 7, 2008 by maggieroofus

TCH-Bruce Posted July 7, 2008

That message is telling you that you have a shared account. It's not an error, you either need to purchase your own certificate to eliminate the message or set an exception.

maggieroofus (Author) Posted July 8, 2008 (edited)

> That message is telling you that you have a shared account. It's not an error, you either need to purchase your own certificate to eliminate the message or set an exception.

Seeing as how it says "error code" I assumed it was an error. Also, I did set the exception (before even posting my previous reply), or at least I tried, and it still doesn't work. This is what I get ...

You know, it would be nice if someone actually explained in detail exactly what needs to be done instead of saying "you're doing it wrong" and giving a vague explanation of what it is. I am in no way computer illiterate, however this kind of stuff is not my strong point. Not all of us can be experts at this and that's why we ask questions.

Edited July 8, 2008 by maggieroofus

TCH-Bruce Posted July 8, 2008

You are using a shared certificate on your server. The certificate is a generic secure certificate. If you are running an online business you should purchase your own secure certificate. You are doing nothing wrong, that's the way it works.

See: What is SSL and How it works

maggieroofus (Author) Posted July 8, 2008

> You are using a shared certificate on your server. The certificate is a generic secure certificate. If you are running an online business you should purchase your own secure certificate. You are doing nothing wrong, that's the way it works. See: What is SSL and How it works

I'm not running an online business so I'm not interested in purchasing anything. I just want to be able to access my Cpanel using Firefox 3 and know that it's secure.

TCH-Thomas Posted July 8, 2008

If you want to access your cpanel the secure way, you should use https://your_tch_domain.com:2083/

You will still get a warning that the certificate does not belong to you but the server/TCH. Just tell Firefox that you want to allow it (after you read the certificate warning and that you see that the certificate is for your server) and it should be fine.

maggieroofus (Author) Posted July 8, 2008 (edited)

> If you want to access your cpanel the secure way, you should use https://your_tch_domain.com:2083/ You will still get a warning that the certificate does not belong to you but the server/TCH. Just tell Firefox that you want to allow it (after you read the certificate warning and that you see that the certificate is for your server) and it should be fine.

You will see in my previous replies that this method is not working for me. I'm getting the certificate error and also getting an error when I try to allow the exception. Yet no one seems to be telling me (step by step) how to correct this.

[edit] Never mind. Just for grins I went ahead and clicked on the "confirm Security Exception" button even though I appeared to be getting another error because it says:

"Wrong Site: Certificate belongs to a different site, which could indicate identity theft."

And now it works. It would have been a whole lot easier if someone would have just pointed this out earlier instead of giving vague answers and talking in technical circles.

Edited July 8, 2008 by maggieroofus

TCH-Thomas Posted July 8, 2008

> It would have been a whole lot easier if someone would have just pointed this out earlier instead of giving vague answers and talking in technical circles

Bruce did this in his 2d response in this thread:

> It's not an error, you either need to purchase your own certificate to eliminate the message or set an exception.

which is also indicated that you did or was about to do in the screenshot in your post below Bruce's post I referred to above.

Anyway, I'm glad all is working well now.

TCH-Bruce Posted July 8, 2008

Yes, that's what I was saying. Sorry I didn't tell you to just press the "Confirm Security Exception" button.

maggieroofus (Author) Posted July 8, 2008

> Bruce did this in his 2d response in this thread: which is also indicated that you did or was about to do in the screenshot in your post below Bruce's post I referred to above. Anyway, I'm glad all is working well now.

He told me to do what I had already tried and I replied and explained that I had done that and got that error (or what seemed like an error) and no one said that I needed to go ahead and click on the "create exception" button at the bottom. Whatever ... it's working now.

maggieroofus (Author) Posted July 8, 2008

> Yes, that's what I was saying. Sorry I didn't tell you to just press the "Confirm Security Exception" button.

Well, it's kind of confusing because when I clicked "create exception" (or whatever it says) and then I got what you see in the image that I posted where it said Wrong Site - I thought that in itself was another error. And no one was telling me any differently. It's kind of misleading (on their end) to those of us who aren't used to this stuff.

TCH-Bruce Posted July 8, 2008

To be honest, I don't bother with https to access my cPanel. I just use plain old http.

Also, having your own certificate would not change the issue. The cPanel login uses the security certificate of the server. I was corrected so I thought I would throw that out there.

MikeJ Posted July 8, 2008

In your case, https://server105.tchmachines.com:2083/ should work with the certificate on your server.

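Added example, not part of the thread: a sketch of the hostname check behind Firefox's "Wrong Site" message, showing why the IP address and the account's own domain trigger the warning while the server hostname does not. The certificate contents, the IP address and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: the names a shared hosting server's certificate might
# carry. The hostname is the one given in the thread; the certificate
# contents are an assumption, not data read from the real server.
SERVER_CERT = {"dns_names": ["server105.tchmachines.com"], "ip_addresses": []}


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def name_matches(pattern, host):
    """Compare one certificate DNS name with the host typed in the URL.

    '*' counts only as the whole left-most label, covers exactly one label,
    and is refused directly under a top-level domain such as '*.com'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def check_host(host, cert):
    """Return (ok, reason) for the host part of an https URL."""
    if is_ip(host):
        # An IP address matches only an IP entry, never a DNS name.
        wanted = ipaddress.ip_address(host)
        ok = any(wanted == ipaddress.ip_address(i) for i in cert["ip_addresses"])
        return ok, "IP listed in certificate" if ok else "certificate has no entry for this IP"
    for name in cert["dns_names"]:
        if name_matches(name, host):
            return True, "matches " + name
    return False, "certificate belongs to a different site"


if __name__ == "__main__":
    # 203.0.113.10 is a documentation address standing in for the account IP.
    for host in ("203.0.113.10", "your_tch_domain.com", "server105.tchmachines.com"):
        print(host, check_host(host, SERVER_CERT))
```
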
maggieroofus (Author) Posted July 8, 2008

> To be honest, I don't bother with https to access my cPanel. I just use plain old http.

See! This is what I'm talking about ... please explain "why" to us dense folks

TCH-Bruce Posted July 8, 2008

I do use https sometimes but not always. If I am accessing my cpanel from a place other than home I use https. I am not a security expert but my home network is secure. I suppose someone could sniff the packet containing the password to my account.

maggieroofus (Author) Posted July 8, 2008

> I do use https sometimes but not always. If I am accessing my cpanel from a place other than home I use https. I am not a security expert but my home network is secure. I suppose someone could sniff the packet containing the password to my account.

But what's the difference?

TCH-Bruce Posted July 9, 2008

Using http everything goes through with no encryption (not secure). Using https everything is encrypted and harder to steal. Good security measures suggest that you use the https to keep your login and password confidential. If someone were to steal them they would be able to hack your site.