[LON-CAPA-admin] PCI Compliance
Gerd Kortemeyer
korte at lite.msu.edu
Thu Jan 3 16:47:33 EST 2013
Hi,
That's relatively easy to fix:
* Switch your server to https. Unfortunately, that involves either buying a certificate or living with a warning message in the browser.
* Configure "helpdesk" differently for your machine, or switch off that feature altogether in the Domain Configuration.
- Gerd.
On Jan 3, 2013, at 4:27 PM, Jon Hall <jdh65 at bellsouth.net> wrote:
> My IT guy came to me and indicated that our school has failed a PCI compliance scan because of our lon-capa server. He said we were going to have to shut it down if I could not get the items on the list taken care of.
>
> Any help about fixing these or advice would be greatly appreciated. There are suggested solutions in the list my IT guy gave me, but I don't want to go making changes which might affect the lon-capa operations.
>
> Here is a summary of the list items:
>
> port 541 (osiris host IDS agent) open - need to close this port
>
> webserver autoindex enabled
>
> vulnerable Apache version 2.2.3
>
> HTTP TRACE/TRACK Methods allowed
>
> vulnerable web program (iFoto)
>
> HTML page uses cleartext form-based authentication (/adm/roles)
>
> HTML page uses cleartext form-based authentication (/adm/menu)
>
> HTML page uses cleartext form-based authentication (/adm/login?username=&domain=)
>
> HTML page uses cleartext form-based authentication (/adm/login)
>
> web program allows cross-site scripting in query string (/adm/login)
>
> web program allows cross-site scripting in query string (/adm/helpdesk)
>
> web server allows cross-site tracing
>
> cross-site scripting vulnerability in orgurl parameter to /adm/helpdesk
>
>
> _______________________________________________
> LON-CAPA-admin mailing list
> LON-CAPA-admin at mail.lon-capa.org
> http://mail.lon-capa.org/mailman/listinfo/lon-capa-admin
More information about the LON-CAPA-admin
mailing list