[LON-CAPA-admin] PCI Compliance

Michael Dugdale michael.dugdale at johnabbott.qc.ca
Fri Jan 4 12:16:50 EST 2013


Thanks for clarifying about the Apache config.  Already made the changes.


Michael Dugdale
Co-chair
Department of Physics
John Abbott College
21,275 Lakeshore Road
Ste. Anne de Bellevue, Québec
H9X 3L9, Canada
(514) 457-6610 Ext. 5888
michael.dugdale at johnabbott.qc.ca





On 2013-01-03, at 8:55 PM, Gerd Kortemeyer <korte at lite.msu.edu> wrote:

> Hi,
> 
> On Jan 3, 2013, at 8:42 PM, Michael Dugdale <michael.dugdale at johnabbott.qc.ca> wrote:
>> 
>> Out of curiosity, some of the items are Apache defaults that are easy to disable in httpd.conf
>>> webserver autoindex enabled
>>> HTTP TRACE/TRACK Methods allowed
>> 
>> 
>> Are these needed for the proper functioning of LON-CAPA, or can they be safely disabled?
> 
> Nope, we don't need them. It would be a good idea to disable them.
> 
>> 
>> port 541 (osiris host IDS agent) open - need to close this port
> 
> We don't need this port, can be closed on the operating system level.
> 
> 
>> 
>> webserver autoindex enabled
> 
> We don't need this, but it's actually not generally active anyway, as LON-CAPA interferes. Disable in Apache.
> 
>> 
>> vulnerable Apache version 2.2.3
> 
> Should be updated anyway.
> 
> 
>> 
>> HTTP TRACE/TRACK Methods allowed
> 
> Can be disabled.
> 
>> 
>> vulnerable web program (iFoto)
> 
> 
> Huh? No idea where this comes from.
> 
>> 
>> HTML page uses cleartext form-based authentication (/adm/roles)
>> 
>> HTML page uses cleartext form-based authentication (/adm/menu)
>> 
>> HTML page uses cleartext form-based authentication (/adm/login?username=&domain=)
>> 
>> HTML page uses cleartext form-based authentication (/adm/login)
> 
> 
> Can be solved by switching to HTTPS, but to avoid warnings, you need a purchased certificate. Nothing we can do about it.
> 
> 
>> 
>> web program allows cross-site scripting in query string (/adm/login)
>> 
>> web program allows cross-site scripting in query string (/adm/helpdesk)
> 
> Disable helpdesk in domain configuration.
> 
>> 
>> web server allows cross-site tracing
> 
> See above.
> 
>> 
>> cross-site scripting vulnerability in orgurl parameter to /adm/helpdesk
> 
> See above.
> 
> - Gerd.
> _______________________________________________
> LON-CAPA-admin mailing list
> LON-CAPA-admin at mail.lon-capa.org
> http://mail.lon-capa.org/mailman/listinfo/lon-capa-admin
> 
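The Apache items in the scan above (TRACE/TRACK allowed, cross-site tracing, autoindex enabled, version 2.2.3 advertised in the banner) all come down to a few httpd.conf directives, and the fixes have a couple of traps: "Options -Indexes FollowSymLinks" is a syntax error in Apache (a single Options line must be either all +/- or all bare names), "Options All" silently includes Indexes, and "ServerTokens Prod" only hides the version string, it does not patch 2.2.3. The script below is an added example, not code from LON-CAPA or from anyone in this thread. It audits a config for those settings, rewrites it in the hardened form, and classifies the reply to a "TRACE /" probe so you can confirm the change after "apachectl configtest" and a restart. The sample config, paths and HTTP replies are constructed for the example; the Apache defaults it assumes (TraceEnable on, ServerTokens Full, "All" meaning every option except MultiViews) are the documented 2.2 ones. The osiris port 541 finding is a host firewall rule, not an Apache setting, and is not covered here.

```python
"""Audit and harden an Apache httpd.conf for TRACE, autoindex and the
version banner, and interpret a TRACE probe reply.  Added example only."""
import re

# Apache's documented expansion of "Options All" (everything but MultiViews).
ALL_OPTIONS = ["ExecCGI", "FollowSymLinks", "Includes", "Indexes", "SymLinksIfOwnerMatch"]

# Constructed sample resembling an untouched Apache 2.2 default; hypothetical
# paths, not taken from any real LON-CAPA install.
SAMPLE_CONF = """\
ServerTokens OS
LoadModule autoindex_module modules/mod_autoindex.so
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/home/httpd/html/res">
    Options +Indexes -ExecCGI
</Directory>
"""


def _directives(conf):
    """Yield (lineno, lowercase directive name, args); '#' only comments a whole line."""
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        yield n, parts[0].lower(), parts[1:]


def audit_httpd_conf(conf):
    """Return [(lineno or None, message)] for each weak setting found."""
    findings = []
    trace_off = False          # TraceEnable defaults to on
    tokens = "full"            # ServerTokens defaults to Full
    for n, name, args in _directives(conf):
        if name == "traceenable":
            trace_off = bool(args) and args[0].lower() == "off"
        elif name == "servertokens" and args:
            tokens = args[0].lower()
        elif name == "options":
            low = [a.lower() for a in args]
            if "indexes" in low or "+indexes" in low or "all" in low:
                findings.append((n, "autoindex enabled: listing for directories without an index file"))
    if not trace_off:
        findings.append((None, "TraceEnable off missing: HTTP TRACE (cross-site tracing) allowed"))
    if tokens != "prod":
        findings.append((None, "ServerTokens %s advertises the Apache version; set Prod and patch, "
                               "hiding the banner fixes nothing" % tokens))
    return findings


def harden_conf(conf):
    """Return conf with Indexes removed, TRACE disabled and the banner trimmed."""
    out, seen = [], set()
    for raw in conf.splitlines():
        stripped = raw.strip()
        name = stripped.split()[0].lower() if stripped and not stripped.startswith("#") else ""
        indent = raw[:len(raw) - len(raw.lstrip())]
        if name == "traceenable":
            raw = indent + "TraceEnable off"
        elif name == "servertokens":
            raw = indent + "ServerTokens Prod"
        elif name == "options":
            opts = stripped.split()[1:]
            if any(o[0] not in "+-" for o in opts):
                # Absolute form: expand All, then drop Indexes.  Appending
                # "-Indexes" here would be a syntax error (mixed +/- and bare).
                expanded = []
                for o in opts:
                    expanded += ALL_OPTIONS if o.lower() == "all" else [o]
                opts = [o for o in expanded if o.lower() != "indexes"] or ["None"]
            else:
                # Relative form: flip +Indexes to -Indexes, keep the rest.
                opts = ["-Indexes" if o.lower() == "+indexes" else o for o in opts]
            raw = indent + "Options " + " ".join(opts)
        seen.add(name)
        out.append(raw)
    if "traceenable" not in seen:
        out.insert(0, "TraceEnable off")
    if "servertokens" not in seen:
        out.insert(0, "ServerTokens Prod")
    return "\n".join(out) + "\n"


def trace_allowed(reply):
    """Interpret the raw reply to 'TRACE / HTTP/1.0': Apache echoes the request
    with 200 and Content-Type: message/http when TRACE is on, 405 when off."""
    head = reply.split("\r\n\r\n", 1)[0]
    status = head.split("\r\n", 1)[0].split()
    return len(status) > 1 and status[1] == "200" and "content-type: message/http" in head.lower()


# Constructed replies, not captured from a real host.  Note the echoed Cookie:
# that reflection is what makes TRACE usable for cross-site tracing.
TRACE_ON = ("HTTP/1.1 200 OK\r\nServer: Apache/2.2.3\r\nContent-Type: message/http\r\n\r\n"
            "TRACE / HTTP/1.0\r\nHost: lon.example\r\nCookie: lonID=secret\r\n")
TRACE_OFF = "HTTP/1.1 405 Method Not Allowed\r\nServer: Apache\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for n, msg in audit_httpd_conf(SAMPLE_CONF):
        print("line %s: %s" % (n if n else "-", msg))
    print(harden_conf(SAMPLE_CONF))
    print("TRACE on :", trace_allowed(TRACE_ON))
    print("TRACE off:", trace_allowed(TRACE_OFF))
```

Run the audit against the live httpd.conf (and the files it Includes), apply the hardened output, run "apachectl configtest", restart, and then re-probe with something like "printf 'TRACE / HTTP/1.0\r\nHost: x\r\n\r\n' | nc host 80" and feed the reply to trace_allowed(). Apache never implements TRACK, so a scanner reporting TRACE/TRACK together is satisfied once TRACE returns 405.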




