
cPanel CSRF Security

Thursday, March 11, 2010 17:02
Posted in category Computer Security

Late last year, a couple of security researchers announced that cPanel was vulnerable to cross-site request forgery (CSRF) attacks. If you manage your business’ website, you know that cPanel is an administration interface that lets you perform many tasks related to running a website: accessing website stats, email accounts, and log files, submitting tickets to the support desk, and a variety of other tasks. A cross-site request forgery attack abuses a web-based service after the user has already logged into it. In a cPanel attack, once you are logged in, the attacker must lure you to a malicious website that the attacker runs or has compromised. Once you visit that website, it can make your browser send commands to cPanel that ride on your existing login session, so no password is necessary.

When you are logged into cPanel and visit a malicious website, or one under the attacker’s control, the attacker can reset your password, install software, modify settings, and do other things you don’t want done to your website. A number of security improvements can be made, but some of them are out of your control if you are on shared hosting. Since most small businesses start out on shared hosting because it is easier to have the web hosting company perform the server administration, I will focus on what most website owners can do without having to administer or configure their own server.
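To make the mechanism concrete, here is an added illustration (not cPanel’s code) of why a session cookie alone is not enough: the browser attaches the cookie to a request triggered from the attacker’s page just as it does to one from the panel’s own forms. The unprotected handler accepts the forged request; the hardened one also demands a same-origin request and a per-session token that the attacker’s page cannot read. The session store and the control-panel origin are constructed placeholders.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Placeholder origin for a hypothetical control panel; not a real cPanel host.
SITE_ORIGIN = "https://cpanel.example.test"

# Constructed in-memory session store: session cookie value -> per-session CSRF token.
SESSIONS: Dict[str, str] = {}

def login(user: str) -> str:
    """Create a session; return the cookie the browser will attach to every later request."""
    cookie = secrets.token_urlsafe(16)
    SESSIONS[cookie] = secrets.token_urlsafe(32)  # synchronizer token, embedded only in the panel's own forms
    return cookie

@dataclass
class Request:
    cookie: Optional[str]                               # sent automatically by the browser
    form: Dict[str, str] = field(default_factory=dict)  # POST body, chosen by whoever built the form
    headers: Dict[str, str] = field(default_factory=dict)

def change_password_unprotected(req: Request) -> int:
    """Vulnerable: a valid session cookie is the only check, so a forged request succeeds."""
    if req.cookie not in SESSIONS:
        return 401
    return 200  # password would be changed here

def same_origin(req: Request) -> bool:
    """Origin header is authoritative; otherwise accept only a Referer inside the panel's origin."""
    origin = req.headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    return req.headers.get("Referer", "").startswith(SITE_ORIGIN + "/")

def change_password_protected(req: Request) -> int:
    """Hardened: require the session, a same-origin request, and the matching per-session token."""
    if req.cookie not in SESSIONS:
        return 401
    if not same_origin(req):
        return 403
    token = req.form.get("csrf_token", "")
    # Constant-time comparison; encode so a non-ASCII submitted token cannot raise TypeError.
    if not hmac.compare_digest(token.encode(), SESSIONS[req.cookie].encode()):
        return 403
    return 200
```

The token check is what stops the forged request even when the browser sends the cookie; the origin check is an independent second layer, since a token alone fails if it ever leaks.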

Improving cPanel Security Against CSRF Attacks

As stated before, there are things that your web hosting company can do through the Webhost Manager (WHM) portion of cPanel, but here are things you can do to improve cPanel security:

  1. Make sure you are using cPanel version 11.25.0. At the time of this writing, this is the newest version of cPanel, and it has preventative measures built in to reduce this type of attack. Under cPanel, you should be able to view the current versions of the software running on the server. If your server is not running cPanel 11.25.0 or higher, contact your hosting company and request that they upgrade to the newer version. Since this is not a foolproof measure, I would also look at implementing the following additional items.
  2. Do not remain logged in while browsing other websites. This can be a real challenge when you are viewing log files such as your most recent visitors. It is tempting to click on a referring website link to see more about that site, but it may lead to a malicious website. Don’t click on links to other sites while logged into cPanel. Also, to be extra cautious, I would clear private data such as cookies after logging out of cPanel and before browsing other websites. In Firefox, you can do this manually from the Tools menu, or you can set it to do this automatically when you close the browser.
  3. Change your cPanel password. You should do this on a regular basis and choose a strong password each time. This is not specific to CSRF attacks, but it is good practice for any sensitive account you have. Along with this, make sure you log into cPanel over an SSL connection. This reduces the risk of someone sniffing or capturing network traffic and gathering unencrypted logins and passwords. Most web hosting companies allow users to log in over SSL even if the user does not have their own SSL certificate set up on their own website.
  4. Use web browser extensions. If you are using the Firefox web browser, other security researchers have suggested using the NoScript extension, which helps reduce a number of types of web-based attacks. Some have also suggested that the RequestPolicy Firefox extension would block most of the current CSRF attacks.

I have not tested either of the Firefox extensions I mentioned in this article, but I have heard good things about the NoScript Firefox extension regarding web-browsing security in the past.  Make sure you always log out of your cPanel account and clear the private data cache before browsing other websites.

Are there other solutions you have used or run into regarding this issue? Please leave a comment and share your experience with the other readers of this article.
