[LON-CAPA-admin] PCI Compliance
Jon Hall
jdh65 at bellsouth.net
Thu Jan 3 16:27:12 EST 2013
My IT guy came to me and indicated that our school has failed a PCI compliance scan because of our lon-capa server. He said we were going to have to shut it down if I could not get the items on the list taken care of.
Any help about fixing these or advice would be greatly appreciated. There are suggested solutions in the list my IT guy gave me, but I don't want to go making changes which might affect the lon-capa operations.
Here is a summary of the list items:
port 541 (osiris host IDS agent) open - need to close this port
webserver autoindex enabled
vulnerable Apache version 2.2.3
HTTP TRACE/TRACK Methods allowed
vulnerable web program (iFoto)
HTML page uses cleartext form-based authentication (/adm/roles)
HTML page uses cleartext form-based authentication (/adm/menu)
HTML page uses cleartext form-based authentication (/adm/login?username=&domain=)
HTML page uses cleartext form-based authentication (/adm/login)
web program allows cross-site scripting in query string (/adm/login)
web program allows cross-site scripting in query string (/adm/helpdesk)
web server allows cross-site tracing
cross-site scripting vulnerability in orgurl parameter to /adm/helpdesk
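As an added example (not code from this post or from the LON-CAPA project), the Apache httpd 2.2 directives below address the TRACE/TRACK, autoindex and cleartext form-login findings listed above. The hostname and directory path are placeholders, and it assumes mod_rewrite is loaded and a TLS vhost on port 443 already exists; the cross-site scripting items, port 541 and iFoto are not web-server settings and are not covered here.

```apache
# Added example, not LON-CAPA's shipped configuration. Assumes Apache httpd
# 2.2 (as the scan reports), mod_rewrite loaded, and an existing HTTPS vhost.
# Place in the server config or the port-80 vhost, then run
# "apachectl configtest" before restarting so a typo cannot take the site down.

# Finding: "HTTP TRACE/TRACK Methods allowed" / "web server allows cross-site
# tracing". TraceEnable is a core directive; "off" makes httpd answer TRACE
# with 405 Method Not Allowed. httpd does not implement TRACK itself, but the
# rewrite rule below rejects both methods explicitly as well.
TraceEnable off

# Finding: "webserver autoindex enabled". Removing Indexes stops mod_autoindex
# from generating a directory listing where no index file exists; such a
# request now gets 403 instead of a file list. Replace the placeholder path
# with the server's real DocumentRoot.
<Directory "/path/to/documentroot">
    Options -Indexes
</Directory>

<VirtualHost *:80>
    # Placeholder hostname; use the server's real name.
    ServerName lon-capa.example.edu

    RewriteEngine On
    # Refuse TRACE/TRACK with 405 even if TraceEnable is overridden elsewhere.
    # A status outside 300-399 on the R flag is returned directly and stops
    # rewriting, so the redirect rule below is never reached for these.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)$ [NC]
    RewriteRule .* - [R=405,L]

    # Finding: "HTML page uses cleartext form-based authentication" on
    # /adm/login, /adm/roles and /adm/menu. Redirect every plain-HTTP request
    # to the HTTPS vhost so the login form and its POST travel only over TLS.
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

After restarting, verify with an HTTP client that a TRACE request gets 405, a directory without an index file gets 403, and a plain-HTTP request for /adm/login gets a 301 to the https:// URL.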