My main website requires quarterly PCI scans, which flag up everything from the obvious to the not-so-obvious, tedious "why do I need to sort this out?" problems.
I've been working my way through the scan reports whilst configuring the server, with many issues easy to resolve.
I do have questions on a few things, though, so would appreciate some discussion on how to tackle them in the best way.
1. phpMyAdmin is a PCI fail: CGI Generic Cross-Site Scripting Vulnerability (extended test). What would be the best manner to resolve access to this? I could see that it is a default install, so have disabled root login. Therefore, as anyone can access 8090/phpmyadmin/index.php, wouldn't a session/cookie check for a logged-in user be appropriate? If none exists, redirect away back to the CyberPanel login screen.
The recommendation for PCI compliance is to restrict access to the script.
2. Similar thing, but involving the main CyberPanel login. My hostname is set and SSL is in place; however, you can still get to the page by IP address, which makes the SSL certificate invalid and is therefore a PCI fail. My thoughts on this would be to put in a check for the IP being used and redirect to the hostname. Any other suggestions?
Other than those two, nearly all of the PCI failures were due to the lack of SSL settings being made in Postfix and Dovecot, although there are jQuery fails on both the CyberPanel login (using jQuery 1.1.1) and the OpenLiteSpeed WebAdmin panel (using jQuery 2.1.1), which are simple to resolve.
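One way to implement both ideas raised in the post (a logged-in-session check in front of /phpmyadmin, and a redirect from IP-based access to the hostname), as an added example that is neither CyberPanel's code nor the poster's: a small WSGI middleware placed in front of the panel. It goes a little beyond the post in that it redirects on any Host header that is not the canonical hostname, not only a bare IP. The hostname panel.example.com, the cookie name sessionid and the in-memory session set are assumptions; a real deployment would validate the token against the panel's own session store.

```python
from http.cookies import SimpleCookie
from urllib.parse import quote

CANONICAL_HOST = "panel.example.com"  # assumed panel hostname (placeholder)
PANEL_PORT = 8090
SESSION_COOKIE = "sessionid"          # assumed name of the panel's login cookie
PROTECTED_PREFIX = "/phpmyadmin"
BASE = f"https://{CANONICAL_HOST}:{PANEL_PORT}"

def redirect(start_response, status, location):
    # Location is built from constants only (never from the incoming Host
    # header), so the guard cannot be turned into an open redirect.
    start_response(status, [("Location", location), ("Content-Length", "0")])
    return [b""]

class PanelGuard:
    def __init__(self, app, valid_sessions):
        self.app = app
        self.valid_sessions = valid_sessions  # constructed stand-in for a session store

    def __call__(self, environ, start_response):
        host = environ.get("HTTP_HOST", "").split(":")[0]
        path = environ.get("PATH_INFO", "/")
        # (1) Requests not addressed to the hostname (raw IP, or any other Host
        #     header) are sent to the name the certificate was issued for.
        if host != CANONICAL_HOST:
            return redirect(start_response, "301 Moved Permanently", BASE + quote(path))
        # (2) /phpmyadmin is served only to requests carrying a valid panel session.
        if path.startswith(PROTECTED_PREFIX):
            cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
            token = cookies[SESSION_COOKIE].value if SESSION_COOKIE in cookies else None
            if token not in self.valid_sessions:
                return redirect(start_response, "302 Found", BASE + "/")  # back to login
        return self.app(environ, start_response)

def backend(environ, start_response):
    # Stand-in for the real panel / phpMyAdmin handler.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]

def probe(app, host, path, cookie=""):
    # Drive `app` with a constructed WSGI environ; return (status, Location header).
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    environ = {"REQUEST_METHOD": "GET", "HTTP_HOST": host, "PATH_INFO": path, "HTTP_COOKIE": cookie}
    b"".join(app(environ, start_response))
    return seen["status"], seen["headers"].get("Location")

guard = PanelGuard(backend, valid_sessions={"abc123"})  # constructed session store
```

probe() lets the behaviour be checked without a live server: an IP-addressed request gets a 301 to the hostname, /phpmyadmin without a valid cookie gets a 302 to the login page, and everything else passes through.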