[LON-CAPA-admin] PCI Compliance
Gerd Kortemeyer
korte at lite.msu.edu
Thu Jan 3 20:55:01 EST 2013
Hi,
On Jan 3, 2013, at 8:42 PM, Michael Dugdale <michael.dugdale at johnabbott.qc.ca> wrote:
>
> Out of curiosity, some of the items are Apache defaults that are easy to disable in https.conf
>> webserver autoindex enabled
>> HTTP TRACE/TRACK Methods allowed
>
>
> Are these needed for the proper functioning of LON-CAPA, or can they be safely disabled?
Nope, we don't need them. It would be a good idea to disable them.
>
> port 541 (osiris host IDS agent) open - need to close this port
We don't need this port; it can be closed at the operating system level.
>
> webserver autoindex enabled
We don't need this, but it's actually not generally active anyway, as LON-CAPA interferes. Disable in Apache.
>
> vulnerable Apache version 2.2.3
Should be updated anyway.
>
> HTTP TRACE/TRACK Methods allowed
Can be disabled.
>
> vulnerable web program (iFoto)
Huh? No idea where this comes from.
>
> HTML page uses cleartext form-based authentication (/adm/roles)
>
> HTML page uses cleartext form-based authentication (/adm/menu)
>
> HTML page uses cleartext form-based authentication (/adm/login?username=&domain=)
>
> HTML page uses cleartext form-based authentication (/adm/login)
Can be solved by switching to HTTPS, but to avoid warnings, you need a purchased certificate. Nothing we can do about it.
>
> web program allows cross-site scripting in query string (/adm/login)
>
> web program allows cross-site scripting in query string (/adm/helpdesk)
Disable helpdesk in domain configuration.
>
> web server allows cross-site tracing
See above.
>
> cross-site scripting vulnerability in orgurl parameter to /adm/helpdesk
See above.
- Gerd.
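The two Apache defaults discussed in this message, directory autoindex and HTTP TRACE, are plain httpd.conf settings, so here is an added example (not LON-CAPA's own configuration and not from the original thread) of a small POSIX sh audit that checks a config file for both findings, together with a constructed "weak" sample showing the defaults the scan flagged and a constructed "hardened" sample showing the corrected directives. The paths and both config samples are made up for illustration.

```shell
#!/bin/sh
# Added example, not LON-CAPA's own config: audit an Apache 2.2-style httpd.conf
# for the two scan findings (autoindex, HTTP TRACE/TRACK) and show the fix.
# Both config samples below are constructed for illustration.

# Constructed sample: stock-looking config with the two weak defaults.
# TraceEnable is absent, which means Apache's default of "on".
write_weak_conf() {
    cat > "$1" <<'EOF'
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
EOF
}

# Constructed sample: the same config hardened. Indexes is dropped from the
# Options line, and TraceEnable off is set in the server config (it is not a
# per-directory directive). Apache does not implement TRACK itself, but the
# mod_rewrite rule denies both methods explicitly for scanners that probe it.
write_hardened_conf() {
    cat > "$1" <<'EOF'
TraceEnable off
<Directory "/var/www/html">
    Options FollowSymLinks
    AllowOverride None
</Directory>
# Deny TRACE and TRACK requests outright (mod_rewrite must be loaded).
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)$
RewriteRule .* - [F]
EOF
}

# Exit 0 if any Options directive enables directory listings, i.e. carries a
# bare "Indexes" or "+Indexes" token. A "-Indexes" token is not matched,
# since that explicitly disables listings. Commented-out lines are ignored.
indexes_enabled() {
    grep -Ei '^[[:space:]]*Options.*([[:space:]]|\+)Indexes' "$1" >/dev/null
}

# Exit 0 if TRACE is still enabled, i.e. the file never sets "TraceEnable off".
# Apache defaults to TraceEnable on, so absence of the directive is a finding.
trace_enabled() {
    ! grep -Ei '^[[:space:]]*TraceEnable[[:space:]]+off' "$1" >/dev/null
}

# Print one line per finding; exit status is the number of findings (0 = clean).
audit_conf() {
    n=0
    if indexes_enabled "$1"; then
        echo "$1: directory autoindex enabled (Options Indexes)"
        n=$((n + 1))
    fi
    if trace_enabled "$1"; then
        echo "$1: HTTP TRACE enabled (no 'TraceEnable off')"
        n=$((n + 1))
    fi
    return $n
}

# Stand-alone demo: audit both constructed samples.
weak=$(mktemp)
hardened=$(mktemp)
write_weak_conf "$weak"
write_hardened_conf "$hardened"
audit_conf "$weak" || echo "weak sample: $? finding(s)"
audit_conf "$hardened" && echo "hardened sample: clean"
rm -f "$weak" "$hardened"
```

On a real host, run `audit_conf /etc/httpd/conf/httpd.conf` (the path is an assumption; it varies by distribution), and remember that Apache reads `Include`d files too, so check every file the main config pulls in. After restarting Apache, confirm the change from outside with `curl -i -X TRACE http://host/`, which should no longer echo the request back.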