cPanel Security Update: CSRF (cross-site request forgery)

cPanel is a well-known web hosting control panel used by major hosting providers around the world. In response to a recent security article, cPanel, Inc. is issuing a response to customers, service providers, end users, and third-party developers that use the software.

A CSRF (cross-site request forgery) attack occurs when a site controlled by an attacker causes a user's browser to send a request to another site where that user is already authenticated, without the user's knowledge. Because the browser automatically attaches the session cookie for the target site, the target cannot tell the forged request from one the user intended to make. For users of cPanel products, this can occur while you are logged into the control panel and an outside website causes your browser to submit specific requests that modify settings within your control panel. You must be logged into your control panel interface, and the creator of the attack must know specific information about your control panel environment (such as the exact URLs and parameters of the requests to forge), in order to complete the CSRF attack successfully.

cPanel developers and system administrators recommend a number of steps to help reduce the risk associated with this type of attack.

  • Do not remain logged into any web applications or interfaces while browsing untrusted sites. Always completely log out of browser sessions for sensitive sites when activities have been completed.
  • Avoid opening spam, untrusted websites, or links that you do not trust, especially URL-shortening services found on many social media sites.
  • Update your current passwords within cPanel on a regular basis and maintain strong password discipline.
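To make the attack and the server-side mitigation concrete, here is an added example that is not part of cPanel's advisory or its code. It models a control panel endpoint that changes a setting, first in a form that trusts the session cookie alone (and so accepts a request forged by an outside page), then in a hardened form that also requires a per-session anti-CSRF token and checks the request's Origin header. The endpoint name, the session store, the `panel_origin` value and the request objects are all constructed for the demonstration and do not correspond to real cPanel URLs or internals.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory session store: session cookie value -> session state.
SESSIONS = {}


def login(user):
    """Create a session and return its cookie value.

    The session also carries a random anti-CSRF token that only pages
    served by the panel itself will ever embed in their forms.
    """
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = {
        "user": user,
        "csrf_token": secrets.token_urlsafe(32),
        "settings": {"contact_email": "owner@example.com"},
    }
    return cookie


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as a web framework would present it."""
    method: str
    path: str
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def handle_vulnerable(req):
    """State-changing endpoint that trusts the session cookie alone.

    A page on an attacker's site can auto-submit a form to this path; the
    victim's browser attaches the panel's session cookie, so the request
    looks identical to one the victim made deliberately.
    """
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 401, "not logged in"
    if req.method == "POST" and req.path == "/update_contact":
        sess["settings"]["contact_email"] = req.form["email"]
        return 200, "updated"
    return 404, "no such route"


def handle_hardened(req, panel_origin="https://panel.example.com"):
    """Same endpoint with two independent CSRF checks.

    1. Synchroniser token: the form must carry the session's csrf_token.
       The same-origin policy stops the attacker's page from reading it.
    2. Origin/Referer check: a forged cross-site POST arrives with the
       attacker's origin, which does not match the panel's own origin.
    """
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 401, "not logged in"
    if req.method == "POST":
        token = req.form.get("csrf_token", "")
        # Constant-time comparison so token checking does not leak timing.
        if not hmac.compare_digest(token, sess["csrf_token"]):
            return 403, "missing or invalid csrf token"
        origin = req.headers.get("Origin") or req.headers.get("Referer", "")
        if origin and not origin.startswith(panel_origin):
            return 403, "cross-origin request rejected"
    if req.method == "POST" and req.path == "/update_contact":
        sess["settings"]["contact_email"] = req.form["email"]
        return 200, "updated"
    return 404, "no such route"


def run_demo():
    """Replay one forged and one legitimate request against both handlers."""
    cookie = login("victim")
    token = SESSIONS[cookie]["csrf_token"]

    # Constructed forged request: an attacker page auto-submits a form to the
    # panel. The browser adds the session cookie, but the attacker's page
    # cannot know the token and the browser reports the attacker's Origin.
    forged = Request("POST", "/update_contact", {"session": cookie},
                     {"email": "attacker@evil.example"},
                     {"Origin": "https://evil.example"})
    # Constructed legitimate request from a form the panel itself served.
    genuine = Request("POST", "/update_contact", {"session": cookie},
                      {"email": "new@example.com", "csrf_token": token},
                      {"Origin": "https://panel.example.com"})

    vuln_status, _ = handle_vulnerable(forged)
    email_after_vuln = SESSIONS[cookie]["settings"]["contact_email"]

    SESSIONS[cookie]["settings"]["contact_email"] = "owner@example.com"
    hard_forged_status, _ = handle_hardened(forged)
    email_after_forged = SESSIONS[cookie]["settings"]["contact_email"]
    hard_genuine_status, _ = handle_hardened(genuine)
    email_after_genuine = SESSIONS[cookie]["settings"]["contact_email"]

    return {
        "vulnerable_forged": (vuln_status, email_after_vuln),
        "hardened_forged": (hard_forged_status, email_after_forged),
        "hardened_genuine": (hard_genuine_status, email_after_genuine),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: status={result[0]} contact_email={result[1]}")
```

The vulnerable handler applies the forged change because the cookie alone authenticates it; the hardened handler rejects the same request (no token, wrong Origin) while still accepting the genuine submission. The token check is the one that matters; the Origin check is defence in depth, since some browsers and proxies omit Origin and Referer, which is why the code only rejects when a header is present and mismatched rather than requiring one.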

Security is a top priority for cPanel. In an upcoming update to cPanel, new technology will be provided to mitigate CSRF attacks against cPanel's products. This new security feature is currently undergoing critical quality assurance testing and will be released once verified. Enabling the new security feature will be an optional configuration and will require testing of the remote applications and integration methods used in conjunction with cPanel software, since those integrations will need to supply the new protection data with their requests. cPanel has been working directly with software and application vendors to educate them on the upcoming changes in cPanel 11.25.

cPanel is committed to ongoing communication with customers and end users about software features, security, and support issues. When security reports are provided through the proper channels, a public response will be issued to help reduce the overall risk of specific events, and cPanel will provide updates to the affected parties through those channels.

Customers who wish to discuss this in depth and understand the upcoming implementation are encouraged to open tickets or communicate directly with their points of contact at cPanel.