Inside of cPanel 11.25, there are numerous new security features being implemented. These changes can break both cPanel plugins and remote management applications (like billing systems) that integrate with cPanel. Luckily, the changes are all optional; however, I would hate to see addons preventing people from enabling new features — like session tokens, which help prevent XSRF attacks. So, stripped from an email I sent out to third-party developers earlier this week, here are some details regarding these changes.
Security tokens
The first of these changes is the inclusion of security tokens.With this optional feature of 11.25, URLs will now contain <em>cpsess</em>, which has been put in place to help mitigate XSRF attacks.
Absolute URLs will no longer be allowed; you will need to ensure that you are using relative URLs within your product. For non-browser systems that interact with cPanel/WHM and webmail using Basic HTTP authentication, these security measures may be bypassed by ensuring that no session cookies are sent with the request. To enable this setting, go to the Tweak Settings screen in WHM and locate this option:
Require security tokens for all interfaces. This will greatly improve the security of cPanel and WHM against XSRF attacks, but may break integration with other systems, login applications, billing software and third party themes.
Click Save.
Source IP check
The second change that you should be aware of is Source IP Check, which is a security question verification interface inside of cPanel.
This feature will prompt users to define questions on their first login after enabling the feature (which is set to Off by default). Then, users will be prompted to answer the security questions on future logins from new IP addresses.
To configure this, go to $ip:2087/securitypolicy_enable and check the “Limit logins to verified IP addresses” option. It is important to note that this will affect XML API requests unless the Apply security policies to XML-API requests option is disabled.
This change should mostly affect XML API users. To solve other problems, we have modified the Source IP Check feature so that we enable the last login IP when the feature is enabled and no white list is found. This should reduce user annoyance a bit, and it prevents every frame from showing the security questions screen.
Blank referer checks
There are also some changes to the way cPanel handles blank referer checks, which make them more accurate. Basically, if a page is sent with a blank referer inside of an existing session, it will trigger an XSRF prevention page. Yet again, this is not affected inside of sessions that do not use cookies and are authenticated via either HTTP auth or WHM auth.
Testing and support
In order to test your software with these new features, you will need to update your software to the latest beta by editing /etc/cpudpate.conf and changing the CPANEL= line to read CPANEL=beta. These changes should also be available within the EDGE tree by 8/10/09.
