[LON-CAPA-admin] PCI Compliance

Michael Dugdale michael.dugdale at johnabbott.qc.ca
Thu Jan 3 20:42:08 EST 2013


Hi,

Out of curiosity, some of the items are Apache defaults that are easy to disable in https.conf:
> webserver autoindex enabled
> HTTP TRACE/TRACK Methods allowed


Are these needed for the proper functioning of LON-CAPA, or can they be safely disabled?


Michael Dugdale
Co-chair
Department of Physics
John Abbott College
21,275 Lakeshore Road
Ste. Anne de Bellevue, Québec
H9X 3L9, Canada
(514) 457-6610 Ext. 5888
michael.dugdale at johnabbott.qc.ca
On 2013-01-03, at 4:27 PM, Jon Hall <jdh65 at bellsouth.net> wrote:

> My IT guy came to me and indicated that our school has failed a PCI compliance scan because of our lon-capa server.  He said we were going to have to shut it down if I could not get the items on the list taken care of.  
> 
> Any help about fixing these or advice would be greatly appreciated.  There are suggested solutions in the list my IT guy gave me, but I don't want to go making changes which might affect the lon-capa operations.
> 
> Here is a summary of the list items:
> 
> port 541 (osiris host IDS agent) open - need to close this port
> 
> webserver autoindex enabled
> 
> vulnerable Apache version 2.2.3
> 
> HTTP TRACE/TRACK Methods allowed
> 
> vulnerable web program (iFoto)
> 
> HTML page uses cleartext form-based authentication (/adm/roles)
> 
> HTML page uses cleartext form-based authentication (/adm/menu)
> 
> HTML page uses cleartext form-based authentication (/adm/login?username=&domain=)
> 
> HTML page uses cleartext form-based authentication (/adm/login)
> 
> web program allows cross-site scripting in query string (/adm/login)
> 
> web program allows cross-site scripting in query string (/adm/helpdesk)
> 
> web server allows cross-site tracing
> 
> cross-site scripting vulnerability in orgurl parameter to /adm/helpdesk
> 
> 
> _______________________________________________
> LON-CAPA-admin mailing list
> LON-CAPA-admin at mail.lon-capa.org
> http://mail.lon-capa.org/mailman/listinfo/lon-capa-admin
> 
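As an added illustration of the two Apache defaults discussed above (not code from the LON-CAPA project or from anyone in this thread), the script below writes the standard Apache 2.2 directives that turn them off and includes two small checks that read a captured HTTP response and say whether the setting actually took effect. The config path and the sample responses are constructed for the example; whether LON-CAPA itself tolerates these directives is exactly the open question in the thread, so try them on a non-production host first.

```shell
#!/bin/sh
# Added example, not part of the LON-CAPA project or this mailing-list thread.
# Two standard Apache 2.2 directives for the scanner findings above, plus
# offline checks that inspect a captured HTTP response.

# write_hardening_conf FILE: write the fragment to FILE (path is an assumption;
# include it from httpd.conf). The <Directory> path is also an assumption.
write_hardening_conf() {
    cat > "$1" <<'EOF'
# Refuse HTTP TRACE (directive available since Apache 2.0.55, so 2.2.3 has it).
# Apache already rejects the IIS-only TRACK method as unknown; scanners tend to
# report both under one heading.
TraceEnable off

# Stop mod_autoindex from generating a listing where no index file exists.
# "-Indexes" removes the option from whatever the parent context inherited.
<Directory "/var/www/html">
    Options -Indexes
</Directory>
EOF
}

# trace_enabled RESPONSE: true (0) if the server honoured a TRACE request.
# A server with TRACE on answers 200 with Content-Type: message/http and echoes
# the request; with TraceEnable off it answers 405 Method Not Allowed.
trace_enabled() {
    printf '%s\n' "$1" | grep -q '^HTTP/1\.[01] 200' &&
    printf '%s\n' "$1" | grep -qi '^Content-Type: message/http'
}

# autoindex_enabled RESPONSE: true (0) if the body is a mod_autoindex listing,
# which always carries an "Index of /..." title.
autoindex_enabled() {
    printf '%s\n' "$1" | grep -q '<title>Index of /'
}

# Constructed sample responses (not captured from any real host).
TRACE_OPEN='HTTP/1.1 200 OK
Server: Apache/2.2.3
Content-Type: message/http

TRACE / HTTP/1.1
Host: example.invalid'

TRACE_CLOSED='HTTP/1.1 405 Method Not Allowed
Server: Apache/2.2.3
Allow: GET,HEAD,POST,OPTIONS
Content-Type: text/html; charset=iso-8859-1'

AUTOINDEX_OPEN='HTTP/1.1 200 OK
Server: Apache/2.2.3
Content-Type: text/html;charset=ISO-8859-1

<html><head><title>Index of /res</title></head><body>...</body></html>'

# Stand-alone run: generate the fragment and classify the samples.
write_hardening_conf "${TMPDIR:-/tmp}/harden.conf"
trace_enabled "$TRACE_OPEN" && echo "TRACE honoured: add TraceEnable off"
trace_enabled "$TRACE_CLOSED" || echo "TRACE refused: finding cleared"
autoindex_enabled "$AUTOINDEX_OPEN" && echo "directory listing exposed: add Options -Indexes"
```

To run the same checks against a live server after restarting Apache, feed it a real response, for example `trace_enabled "$(curl -si -X TRACE http://host/)"` and `autoindex_enabled "$(curl -si http://host/res/)"` for each directory the scan flagged. Note that `TraceEnable` is a server-wide or per-vhost directive, while `Options -Indexes` is merged per directory, so a later `Options +Indexes` in a more specific `<Directory>` block would re-enable listings there.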
