Basic Security Concepts

Cross-site Request Forgery (XSRF) Attacks

Cross-site request forgeries (XSRF) occur when a malicious user exploits the trust between a website and a user's browser. By exploiting that trust, malicious users can execute unauthorized commands on a website.

XSRF attacks rely on 2 items:

  • Access to authentication credentials
  • Surreptitious execution of a command via a URL

For more information about XSRF attacks, as well as a few examples, you can visit this Wikipedia page.

Authentication Methods

We recommend using a cookied authentication method for cPanel & WHM logins. With HTTP authentication, an authenticated session is not logged out until the web browser application itself is terminated: the browser caches the login credentials until it exits. Some browsers offer a way to flush cached credentials, but this method is not reliable or available in all browsers. While login credentials are cached by a web browser, they are susceptible to cross-site request forgery (XSRF) attacks.

Due to the inherent weaknesses of HTTP authentication, we recommend disabling it from within WHM.

For more information, please visit our documentation here.

Validated Cookies

Malicious users can steal cookies and use them in XSRF attacks. Most browsers do not provide any protection to mitigate this attack. For this reason, we provide an option that records the originating IP address as part of the cookie during authentication. On subsequent requests, the client's IP address is compared to the value recorded in the cookie. A mismatched value causes an error and results in a request for re-authentication.

When using validated cookies, it is important to remember to disable proxy access. Accessing interfaces via a proxy domain will cause the IP address for the local host to be recorded (usually 127.0.0.1), rendering IP validation useless.

To disable proxy subdomains:

  1. Access WHM's Tweak Settings interface (Home >> Server Configuration >> Tweak Settings).
  2. Under the Domains tab on this interface, set the following 2 options to Off:
    • Proxy subdomains
    • Proxy subdomain creation
  3. Click Save.
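The following example, added here and not part of cPanel's own code, shows how a session cookie can be bound to the login IP address and why that binding stops working behind a proxy subdomain. The cookie format, signing key and IP addresses are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Server-side signing key, constructed for this example only.
SERVER_SECRET = b"example-only-key-do-not-reuse"

def issue_cookie(session_id: str, client_ip: str) -> str:
    """Bind a session cookie to the IP seen at login: session_id|ip|mac.
    The MAC stops a thief from simply editing the embedded IP."""
    payload = f"{session_id}|{client_ip}"
    mac = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"

def validate_cookie(cookie: str, request_ip: str) -> bool:
    """True only if the MAC is intact and the request comes from the IP
    recorded at login; False means reject and ask for re-authentication."""
    try:
        session_id, bound_ip, mac = cookie.split("|")
    except ValueError:
        return False
    payload = f"{session_id}|{bound_ip}"
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    return bound_ip == request_ip

def demo() -> dict:
    """Exercise the check with constructed addresses (RFC 5737 ranges)."""
    cookie = issue_cookie(secrets.token_hex(8), "203.0.113.10")
    results = {
        # Legitimate follow-up request from the login address.
        "same_ip": validate_cookie(cookie, "203.0.113.10"),
        # Stolen cookie replayed from somewhere else: mismatch, re-auth.
        "other_ip": validate_cookie(cookie, "198.51.100.7"),
        # Stolen cookie with the IP rewritten but the MAC left untouched.
        "tampered": validate_cookie(
            cookie.replace("203.0.113.10", "198.51.100.7"), "198.51.100.7"),
    }
    # Behind a proxy subdomain every request reaches the server from
    # 127.0.0.1, so login and replay carry the same address and the
    # validation can no longer tell them apart.
    proxied = issue_cookie(secrets.token_hex(8), "127.0.0.1")
    results["proxied_replay"] = validate_cookie(proxied, "127.0.0.1")
    return results
```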

Require SSL

Requiring your users to log in via SSL or TLS is a basic way to improve your system's security. If users do not use SSL/TLS (instead connecting over the unsecured ports 2082, 2086, or 2095), their authentication credentials are sent in plain text, making them easy to steal, read, and replay later. As of cPanel 11.25, you can disable logins over ports 2082, 2086, and 2095, forcing your users to use secure (SSL/TLS) connections. Once you have enabled this option in WHM's Tweak Settings interface, users who attempt to use ports 2082, 2086, or 2095 will be redirected to the proper (protected) port.

Security Tokens

In addition to the methods listed above, cPanel has also included tokens to help combat XSRF attacks. Tokens are inserted into the URL and are unique to a single login session. Requests made without the appropriate token produce an error and result in a request for re-authentication. This action effectively thwarts XSRF attacks because the attacking URL will not contain the appropriate token.

Warning: Security tokens may cause problems with custom scripts and some third-party applications that integrate with cPanel & WHM. We recommend that you verify that third-party applications are compatible with security tokens before enabling them. If you must use applications that are not compatible with security tokens, we strongly recommend using URL referrer checks instead.

URL Referrer Checks

We strongly recommend using security tokens instead of referrer checks. Referrer checks are only dependable when the blank referrer check is enabled, and enabling it results in an unacceptable number of false positives. However, referrer checks can be used in place of security tokens if you must use third-party applications that are not compatible with security tokens. The HTTP referrer (commonly spelled 'referer') identifies the URL of the page from which a user's request originated.

If it is not possible to use security tokens on your server, we strongly recommend enabling the following 2 options in your Tweak Settings interface:

  • Blank referrer safety check
  • Referrer safety check
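The example below, added here and not cPanel's own code, illustrates both the Security Tokens and the URL Referrer Checks sections: a per-session token that must appear in every request URL, and a referrer check with and without the blank-referrer option. The hostname, session store and the /cpsess<token>/ path layout are assumptions for the example.

```python
import secrets
from typing import Optional
from urllib.parse import urlsplit

# Constructed for this example: the panel's own hostname and a store of
# per-session tokens keyed by session id.
PANEL_HOST = "panel.example.com"
SESSIONS: dict = {}

def login(session_id: str) -> str:
    """Mint a token unique to this login session and remember it."""
    token = secrets.token_hex(16)
    SESSIONS[session_id] = token
    return token

def token_check(session_id: str, path: str) -> bool:
    """Reject any request whose URL lacks this session's token. The path
    layout /cpsess<token>/... is assumed here, not taken from the page.
    A URL planted by another site cannot know the token, so it fails."""
    token = SESSIONS.get(session_id)
    return token is not None and path.startswith(f"/cpsess{token}/")

def referrer_check(referer: Optional[str], blank_check: bool) -> bool:
    """Accept only requests whose Referer names the panel host. With
    blank_check on, a missing Referer is also rejected; without it, a
    request that simply omits the header passes, which is why the page
    calls the check dependable only with the blank check enabled."""
    if not referer:
        return not blank_check
    return urlsplit(referer).hostname == PANEL_HOST

def demo() -> dict:
    """Run the checks over constructed requests and report each verdict."""
    sid = "sess-demo"
    tok = login(sid)
    return {
        "token_ok": token_check(sid, f"/cpsess{tok}/scripts/passwd"),
        "token_missing": token_check(sid, "/scripts/passwd"),
        "token_foreign": token_check(sid, "/cpsess" + "0" * 32 + "/scripts/passwd"),
        "ref_same_site": referrer_check(f"https://{PANEL_HOST}:2087/", True),
        "ref_cross_site": referrer_check("https://attacker.example/", True),
        "ref_blank_strict": referrer_check(None, True),
        "ref_blank_lenient": referrer_check(None, False),
    }
```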

Password Strength

Weak passwords provide little protection against brute force attacks, in which a malicious user attempts, by trial and error, to guess the password for a specific account. This process is most often automated, drawing on a preexisting dictionary of candidate passwords. WHM provides an interface that allows you to specify the minimum password strength your cPanel users are permitted to use. We strongly recommend a value of 50 or higher.

The minimum password strength requirement only applies to passwords created and modified by the cPanel product. The feature does not configure PAM to enforce the requirement. Thus, a user with shell access may be able to change their password to a weaker one using the passwd command.
