[LON-CAPA-admin] PCI Compliance

Gerd Kortemeyer korte at lite.msu.edu
Thu Jan 3 16:47:33 EST 2013


Hi,

That's relatively easy to fix:

* Switch your server to https. Unfortunately, that involves either buying a certificate or living with a warning message in the browser.

* Configure "helpdesk" differently for your machine, or switch off that feature altogether in the Domain Configuration.

- Gerd.
 
On Jan 3, 2013, at 4:27 PM, Jon Hall <jdh65 at bellsouth.net> wrote:

> My IT guy came to me and indicated that our school has failed a PCI compliance scan because of our lon-capa server.  He said we were going to have to shut it down if I could not get the items on the list taken care of.  
> 
> Any help about fixing these or advice would be greatly appreciated.  There are suggested solutions in the list my IT guy gave me, but I don't want to go making changes which might affect the lon-capa operations.
> 
> Here is a summary of the list items:
> 
> port 541 (osiris host IDS agent) open - need to close this port
> 
> webserver autoindex enabled
> 
> vulnerable Apache version 2.2.3
> 
> HTTP TRACE/TRACK Methods allowed
> 
> vulnerable web program (iFoto)
> 
> HTML page uses cleartext form-based authentication (/adm/roles)
> 
> HTML page uses cleartext form-based authentication (/adm/menu)
> 
> HTML page uses cleartext form-based authentication (/adm/login?username=&domain=)
> 
> HTML page uses cleartext form-based authentication (/adm/login)
> 
> web program allows cross-site scripting in query string (/adm/login)
> 
> web program allows cross-site scripting in query string (/adm/helpdesk)
> 
> web server allows cross-site tracing
> 
> cross-site scripting vulnerability in orgurl parameter to /adm/helpdesk
> 
> 
> _______________________________________________
> LON-CAPA-admin mailing list
> LON-CAPA-admin at mail.lon-capa.org
> http://mail.lon-capa.org/mailman/listinfo/lon-capa-admin
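After applying Gerd's two fixes, the admin will want to confirm that the scanner's findings are really gone before the school's next PCI scan. The script below is an added example for this thread, not code from LON-CAPA or from either poster: it re-tests four of the listed items (TRACE/TRACK, directory listing, cleartext form-based authentication on the /adm/ pages, and the http-to-https redirect) against a host given on the command line. The host name, the default listing path, and the Apache directive names mentioned in the comments (TraceEnable, Options -Indexes) are assumptions of the example; the /adm/ paths are the ones from the scan summary.

```python
"""Re-check the scan items that Gerd's two fixes address.

Added example for the thread above; not LON-CAPA code. Assumes the server
answers on ports 80 and 443 and that the scanned paths are still the ones
listed in the report (/adm/login, /adm/roles, /adm/menu).
"""
import http.client
import re
import ssl
import sys

# Paths the scanner flagged for cleartext form-based authentication.
LOGIN_PATHS = ["/adm/login", "/adm/roles", "/adm/menu"]


def fetch(host, path, method="GET", tls=False, timeout=10):
    """One request, no redirect following. Returns (status, headers, body)."""
    if tls:
        conn = http.client.HTTPSConnection(
            host, 443, timeout=timeout, context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request(method, path)
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", errors="replace")
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return resp.status, headers, body


def trace_allowed(status, body):
    """TRACE is enabled when the server echoes the request back in a 2xx
    body (that echo is what makes cross-site tracing possible). With
    'TraceEnable off' Apache answers 405 instead."""
    return 200 <= status < 300 and "TRACE " in body


def autoindex_enabled(status, body):
    """mod_autoindex listings are served as 200 with an 'Index of /...' title;
    'Options -Indexes' turns them into 403s."""
    return status == 200 and re.search(r"<title>\s*Index of /", body, re.I) is not None


def cleartext_login_form(scheme, body):
    """What the scanner calls 'cleartext form-based authentication': a form
    with a password field delivered over plain http."""
    has_password = re.search(r"<input[^>]*type=[\"']?password", body, re.I) is not None
    return scheme == "http" and has_password


def redirects_to_https(status, headers):
    """After the switch to https, port 80 should only bounce to https://."""
    return (status in (301, 302, 303, 307, 308)
            and headers.get("location", "").lower().startswith("https://"))


def recheck(host, listing_path="/"):
    """Run the live checks and return the findings that are still open."""
    open_items = []

    status, _, body = fetch(host, "/", method="TRACE")
    if trace_allowed(status, body):
        open_items.append("HTTP TRACE still allowed")

    status, _, body = fetch(host, listing_path)
    if autoindex_enabled(status, body):
        open_items.append("directory listing at " + listing_path)

    for path in LOGIN_PATHS:
        status, headers, body = fetch(host, path)
        if cleartext_login_form("http", body):
            open_items.append("password form over http at " + path)
        elif not redirects_to_https(status, headers):
            open_items.append("http " + path + " does not redirect to https")
    return open_items


if __name__ == "__main__":
    # Assumed host name; pass the real server as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "loncapa.example.edu"
    for item in recheck(target) or ["all re-checked items look fixed"]:
        print(item)
```

Run it as `python recheck.py your.server.edu` once the server is on https. A directory that used to show a listing can be passed to recheck() as listing_path; the XSS items in /adm/login and /adm/helpdesk are not covered here, since those are LON-CAPA code rather than web server configuration.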
