[LON-CAPA-admin] PCI Compliance
Stuart Raeburn
raeburn at msu.edu
Thu Jan 3 22:36:29 EST 2013
Hi,
Some clarifications ...
> Can be solved by switching to HTTPS, but to avoid warnings, you need
> a purchased certificate. Nothing we can do about it.
Certificates are available for use with HTTPS that are free and will
not cause the client browser to display warnings (e.g., the class 1
certs from http://www.startssl.com/)
Class 1 certs support one signed certificate per server (i.e., no
warning for the hostname, but aliases will display a warning) and you
need to be able to receive e-mail for the top level domain in order to
submit the certificate signing request.
I use these certs for a number of LON-CAPA Academic Consortium
services, e.g., https://support.loncapa.org and
https://testdrive.loncapa.org
as I receive e-mail sent to postmaster for the top level domain (loncapa.org).
>> vulnerable Apache version 2.2.3
>
> Should be updated anyway.
>
If the scan is simply reporting the information from the response header:
Server: Apache/2.2.3 (CentOS)
then that is likely an incomplete picture, given that the change log
in the .spec file for 2.2.3-65 for CentOS 5 -- the latest Apache
available for this distro, and released November 12, 2012 -- lists
security fixes for 26 different CVE vulnerabilities (see below) since
the original 2.2.3 (July 2006).
For the majority of packages used by LON-CAPA (including Apache) the
latest package provided by the distro vendor/maintainer (e.g., in
updates) will be the one in use. It has been my practice to only
provide rpms/debs in the repos at install.loncapa.org for packages
unavailable from a distro's standard repos, or those for which a newer
version is needed, e.g., gnuplot 4.4 for LON-CAPA 2.11.
The .spec file for httpd-2.2.3-65.el5.centos.3 includes 65 patches
since the original 2.2.3 (July 2006), and the change log lists the
following security fixes:
CVE-2012-0053, CVE-2012-0031, CVE-2011-3607, CVE-2011-3192, CVE-2011-3368,
CVE-2011-3192, CVE-2010-1452, CVE-2010-2791, CVE-2009-3555,
CVE-2009-3555, CVE-2009-3094, CVE-2009-3095, CVE-2009-1890,
CVE-2009-1891, CVE-2008-1678, CVE-2009-1195, CVE-2008-2939,
CVE-2007-6388, CVE-2007-6421, CVE-2007-6422, CVE-2007-4465,
CVE-2007-5000, CVE-2007-3847, CVE-2007-1863, CVE-2007-3304,
CVE-2006-5752
Stuart Raeburn
LON-CAPA Academic Consortium
Quoting Gerd Kortemeyer <korte at lite.msu.edu>:
> Hi,
>
> On Jan 3, 2013, at 8:42 PM, Michael Dugdale
> <michael.dugdale at johnabbott.qc.ca> wrote:
>>
>> Out of curiosity, some of the items are Apache defaults that are
>> easy to disable in httpd.conf
>>> webserver autoindex enabled
>>> HTTP TRACE/TRACK Methods allowed
>>
>>
>> Are these needed for the proper functioning of LON-CAPA, or can
>> they be safely disabled?
>
> Nope, we don't need it. It would be a good idea to disable.
>
>>
>> port 541 (osiris host IDS agent) open - need to close this port
>
> We don't need this port, can be closed on the operating system level.
>
>
>>
>> webserver autoindex enabled
>
> We don't need this, but it's actually not generally active anyway,
> as LON-CAPA interferes. Disable in Apache.
>
>>
>> vulnerable Apache version 2.2.3
>
> Should be updated anyway.
>
>
>>
>> HTTP TRACE/TRACK Methods allowed
>
> Can be disabled.
>
>>
>> vulnerable web program (iFoto)
>
>
> Huh? No idea where this comes from.
>
>>
>> HTML page uses cleartext form-based authentication (/adm/roles)
>>
>> HTML page uses cleartext form-based authentication (/adm/menu)
>>
>> HTML page uses cleartext form-based authentication
>> (/adm/login?username=&domain=)
>>
>> HTML page uses cleartext form-based authentication (/adm/login)
>
>
> Can be solved by switching to HTTPS, but to avoid warnings, you need
> a purchased certificate. Nothing we can do about it.
>
>
>>
>> web program allows cross-site scripting in query string (/adm/login)
>>
>> web program allows cross-site scripting in query string (/adm/helpdesk)
>
> Disable helpdesk in domain configuration.
>
>>
>> web server allows cross-site tracing
>
> See above.
>
>>
>> cross-site scripting vulnerability in orgurl parameter to /adm/helpdesk
>
> See above.
>
> - Gerd.
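Two points in the thread lend themselves to a concrete check: Stuart's observation that "Server: Apache/2.2.3" says nothing about the CVE fixes the distro has backported (the real record is the package changelog), and Gerd's answer that autoindex and TRACE/TRACK are not needed by LON-CAPA and should be disabled in Apache. The script below is an added example, not code from LON-CAPA or from either poster: it extracts the distinct CVE identifiers from changelog text (collapsing the same CVE mentioned in several entries), checks an Apache configuration for TraceEnable and directory indexes, and prints a drop-in fragment that disables both. The changelog entries are constructed to look like `rpm -q --changelog httpd` output and are not copied from the real spec file; the conf.d path and the document root are assumptions.

```shell
#!/bin/sh
# Added example (not part of LON-CAPA): compare a scanner's banner-based
# verdict with what the distro package actually ships, and check/emit the
# Apache hardening the thread recommends.

# Constructed sample in the shape of `rpm -q --changelog httpd` on CentOS 5.
# The dates, packager and CVE assignments are illustrative only.
SAMPLE_CHANGELOG='* Mon Nov 12 2012 Example Packager <pkg@example.invalid> - 2.2.3-65.3
- add security fix for CVE-2012-0053, CVE-2012-0031
* Wed Aug 31 2011 Example Packager <pkg@example.invalid> - 2.2.3-53.1
- add security fix for CVE-2011-3192 (byterange DoS)
* Tue Jan 11 2011 Example Packager <pkg@example.invalid> - 2.2.3-45
- add security fix for CVE-2011-3192 (updated patch)
- add security fix for CVE-2009-3555 (TLS renegotiation)'

# Print the distinct CVE ids found in changelog text on stdin, sorted, one
# per line. A CVE referenced by several changelog entries appears once.
unique_cves() {
    grep -o 'CVE-[0-9]\{4\}-[0-9]\{4,\}' | sort -u
}

# Number of distinct CVEs; this is what to set against a scanner that only
# saw "Apache/2.2.3" in the Server header.
count_unique_cves() {
    unique_cves | wc -l | tr -d ' '
}

# Return 0 if the Apache config text on stdin has "TraceEnable off" and
# does not enable directory indexes; otherwise report and return 1.
# This is a lexical check over the text, not a parse of directive scoping,
# so run it over httpd.conf and every conf.d file together.
check_httpd_hardening() {
    conf=$(cat)
    status=0
    if ! printf '%s\n' "$conf" | grep -Eiq '^[[:space:]]*TraceEnable[[:space:]]+off'; then
        echo "TRACE still enabled: add 'TraceEnable off'"
        status=1
    fi
    # Flags "Options Indexes ..." and "Options +Indexes"; "Options -Indexes" passes.
    if printf '%s\n' "$conf" | grep -Eiq '^[[:space:]]*Options[^#]*[[:space:]+]Indexes'; then
        echo "directory indexes enabled: remove 'Indexes' from Options or use 'Options -Indexes'"
        status=1
    fi
    return $status
}

# Drop-in fragment that fixes both findings. ServerTokens/ServerSignature
# only trim the banner the scanner keyed on; they do not change patch level.
print_hardening_conf() {
    cat <<'EOF'
# /etc/httpd/conf.d/zz-hardening.conf  (assumed path; any conf.d file works)
TraceEnable off
ServerTokens Prod
ServerSignature Off
<Directory "/var/www/html">
    Options -Indexes
</Directory>
EOF
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_CHANGELOG" | unique_cves
echo "distinct CVEs in changelog: $(printf '%s\n' "$SAMPLE_CHANGELOG" | count_unique_cves)"
print_hardening_conf | check_httpd_hardening && echo "hardening fragment passes check"
```

On a real CentOS 5 host the first check is `rpm -q --changelog httpd | count_unique_cves`, and the config check is `cat /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf | check_httpd_hardening`; after restarting Apache, `curl -i -X TRACE http://host/` should return 405 rather than echoing the request.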