- Plesk 12.5 for Linux
PCI scan report shows the following output:
THREAT: The cookie does not contain the "secure" attribute.
SOLUTION: If the associated risk of a compromised account is high, apply the "secure" attribute to cookies and force all sensitive requests to be sent via HTTPS.
RESULT: Scan Results page 23
matched: psaContext=dashboard; path=/; domain=18.104.22.168
PCI scanners wrongly treat the psaContext cookie as a session token.
This is a Plesk internal issue with ID #PPPM-4811 that was fixed in Plesk Onyx.
Upgrade to the latest Plesk version.
If an upgrade to Plesk Onyx is not applicable, apply the following patch (for Plesk 12.5 only), which drops this cookie from the codebase:
Create backups of /usr/local/psa/admin/plib/Navigation.php and /usr/local/psa/admin/plib/AdminPanel/Controller/Action/Abstract.php on the server:
# cp /usr/local/psa/admin/plib/Navigation.php /usr/local/psa/admin/plib/Navigation.php_back
# cp /usr/local/psa/admin/plib/AdminPanel/Controller/Action/Abstract.php /usr/local/psa/admin/plib/AdminPanel/Controller/Action/Abstract.php_back
Download the patched files:
# cd /root
# wget https://support.plesk.com/hc/article_attachments/115004383969/Navigation.zip
# wget https://support.plesk.com/hc/article_attachments/115004351805/Abstract.zip
Unzip patched files:
# cd /root
# unzip Navigation.zip
# unzip Abstract.zip
Replace the original files with the patched ones:
# cp Navigation.php /usr/local/psa/admin/plib/
# cp Abstract.php /usr/local/psa/admin/plib/AdminPanel/Controller/Action/
Note: the patch is applicable to Plesk 12.5 only.
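To confirm after patching (or upgrading) that the panel no longer sets a cookie without the "secure" attribute, the following added helper (not part of this article or of Plesk) reads raw HTTP response headers on stdin, for example from `curl -sI https://<server>:8443/`, and reports every Set-Cookie header that lacks Secure. The sample headers and cookie names in `sample_headers` are constructed for illustration.

```shell
#!/bin/sh
# cookies_missing_secure: read HTTP response headers on stdin, print
# "<name> missing Secure" for each Set-Cookie header without the Secure
# attribute (matched case-insensitively), and return 1 if any was found.
cookies_missing_secure() {
  awk '
    {
      line = $0
      sub(/\r$/, "", line)                       # strip CRLF line ending
      if (tolower(line) !~ /^set-cookie:/) next  # only Set-Cookie headers
      sub(/^[^:]*:[ \t]*/, "", line)             # drop the header name
      n = split(line, attrs, ";")                # "name=value; attr; attr"
      split(attrs[1], kv, "=")
      name = kv[1]
      gsub(/^[ \t]+|[ \t]+$/, "", name)
      secure = 0
      for (i = 2; i <= n; i++) {
        a = attrs[i]
        gsub(/^[ \t]+|[ \t]+$/, "", a)
        if (tolower(a) == "secure") secure = 1
      }
      if (!secure) { print name " missing Secure"; bad = 1 }
    }
    END { exit bad }
  '
}

# Constructed sample response (not a real capture): one cookie carries
# Secure, the other reproduces the psaContext finding from the scan report.
sample_headers() {
  printf 'HTTP/1.1 200 OK\r\n'
  printf 'Set-Cookie: sessionid=abc123; path=/; Secure; HttpOnly\r\n'
  printf 'Set-Cookie: psaContext=dashboard; path=/; domain=example.com\r\n'
  printf 'Content-Type: text/html\r\n\r\n'
}

# Usage: sample_headers | cookies_missing_secure
```

After the patch the psaContext cookie is no longer set, so the helper should report nothing for the panel's login page.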