[LON-CAPA-admin] PCI Compliance

Gerd Kortemeyer korte at lite.msu.edu
Thu Jan 3 20:55:01 EST 2013


Hi,

On Jan 3, 2013, at 8:42 PM, Michael Dugdale <michael.dugdale at johnabbott.qc.ca> wrote:
> 
> Out of curiosity, some of the items are Apache defaults that are easy to disable in httpd.conf
>> webserver autoindex enabled
>> HTTP TRACE/TRACK Methods allowed
> 
> 
> Are these needed for the proper functioning of LON-CAPA, or can they be safely disabled?

Nope, we don't need them. It would be a good idea to disable them.

> 
> port 541 (osiris host IDS agent) open - need to close this port

We don't need this port; it can be closed at the operating system level.


> 
> webserver autoindex enabled

We don't need this, but it's actually not generally active anyway, as LON-CAPA interferes. Disable in Apache.

> 
> vulnerable Apache version 2.2.3

Should be updated anyway.


> 
> HTTP TRACE/TRACK Methods allowed

Can be disabled.

> 
> vulnerable web program (iFoto)


Huh? No idea where this comes from.

> 
> HTML page uses cleartext form-based authentication (/adm/roles)
> 
> HTML page uses cleartext form-based authentication (/adm/menu)
> 
> HTML page uses cleartext form-based authentication (/adm/login?username=&domain=)
> 
> HTML page uses cleartext form-based authentication (/adm/login)


Can be solved by switching to HTTPS, but to avoid warnings, you need a purchased certificate. Nothing we can do about it.


> 
> web program allows cross-site scripting in query string (/adm/login)
> 
> web program allows cross-site scripting in query string (/adm/helpdesk)

Disable helpdesk in domain configuration.

> 
> web server allows cross-site tracing

See above.

> 
> cross-site scripting vulnerability in orgurl parameter to /adm/helpdesk

See above.

- Gerd.
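Added example, not code from the list post or from LON-CAPA itself: a small shell script covering the three server-level items Gerd says can simply be turned off (TRACE/TRACK and cross-site tracing, autoindex, and the osiris listener on port 541). It assumes Apache httpd 2.2 on a Linux host that includes /etc/httpd/conf.d/*.conf, iptables for host filtering, and curl for the live probes; the document root path is an assumption and should be replaced with the real one. The lint function only reads the drop-in text, so the probes are what actually prove the finding is gone.

```bash
#!/bin/bash
# Added example, not code from the list post or from LON-CAPA.
# Assumptions (not from the page): Apache httpd 2.2 on Linux reading
# /etc/httpd/conf.d/*.conf, iptables for host filtering, curl for probing.
set -eu

# 1. Apache drop-in for the findings Gerd says can simply be disabled.
#    TraceEnable exists since httpd 2.0.55, so 2.2.3 supports it; with "off"
#    the core server answers TRACE with 405. Apache does not implement TRACK,
#    so the "TRACE/TRACK" and "cross-site tracing" findings are both covered.
#    "Options -Indexes" removes directory listings (autoindex) for the tree.
write_hardening_conf() {            # write_hardening_conf FILE [DOCROOT]
    local conf="$1" docroot="${2:-/var/www/html}"   # docroot is an assumption
    cat > "$conf" <<EOF
# Hardening drop-in (load after the default config so it wins)
TraceEnable off
<Directory "$docroot">
    Options -Indexes
</Directory>
EOF
}

# 2. Lint a config file: 0 = hardened, 1 = a finding would still be reported.
#    Directive names and Options keywords are case-insensitive in httpd, hence -i.
#    Text check only: merged <Directory> sections and other included files are
#    not modelled, so confirm with probe_* against the restarted server.
check_conf() {
    local f="$1" trace
    # The last TraceEnable line wins; anything other than "off" fails.
    trace=$(grep -Ei '^[[:space:]]*TraceEnable[[:space:]]+' "$f" | tail -n 1 | awk '{print tolower($2)}')
    [ "$trace" = "off" ] || return 1
    # Any Options line that enables Indexes (bare, +Indexes, or All) fails.
    if grep -Eiq '^[[:space:]]*Options([[:space:]]+[^[:space:]]+)*[[:space:]]+\+?(Indexes|All)([[:space:]]|$)' "$f"; then
        return 1
    fi
    return 0
}

# 3. Live probes, run against the server after the reload (not used by the lint).
probe_trace() {        # probe_trace http://host  -> prints 405 once TraceEnable is off
    curl -s -o /dev/null -w '%{http_code}' -X TRACE "$1/"
}
probe_autoindex() {    # probe_autoindex http://host/dir-without-index/ -> 403 once -Indexes
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

# 4. Port 541 (osiris host IDS agent): not needed, so stop and disable whatever
#    owns the listener, then filter the port so a restart cannot reopen it.
close_port_541() {
    # Show the owning PID/program so the right service gets disabled.
    netstat -tlnp 2>/dev/null | grep -E ':541[[:space:]]' || echo "nothing listening on 541"
    # Belt and braces: reject inbound connections even if the agent comes back.
    iptables -I INPUT -p tcp --dport 541 -j REJECT --reject-with tcp-reset
}

# Usage: ./harden.sh write /etc/httpd/conf.d/zz-hardening.conf /home/httpd/html
#        ./harden.sh lint  /etc/httpd/conf.d/zz-hardening.conf
#        ./harden.sh port
case "${1:-}" in
    write) write_hardening_conf "${2:?conf file}" "${3:-}" ;;
    lint)  check_conf "${2:?conf file}" && echo "hardened" || { echo "still exposed"; exit 1; } ;;
    port)  close_port_541 ;;
esac
```

The cleartext form-login findings are not addressed by this script: as Gerd notes they need the site served over HTTPS, which is a certificate and virtual-host change rather than a directive that can be switched off.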

