[LON-CAPA-admin] PCI Compliance

Stuart Raeburn raeburn at msu.edu
Fri Jan 4 15:35:48 EST 2013


Hi,

> Any help about fixing these or advice would be greatly appreciated.
>
> web program allows cross-site scripting in query string (/adm/helpdesk)
>
> cross-site scripting vulnerability in orgurl parameter to /adm/helpdesk

An updated version of lonsupportreq.pm -- the module which handles  
requests for /adm/helpdesk -- will be included in LON-CAPA 2.11. The  
new version supports (optional) use of CAPTCHA, to verify a human  
completed the web form, and includes changes to prevent cross-site  
scripting (XSS).

For now I have back-ported the changes which prevent XSS to the 2.10  
branch. This version of /adm/helpdesk passes all tests available with  
the XSS Me 0.4.2 plug-in for Firefox.

System administrators for servers running LON-CAPA 2.10 can replace  
the shipped lonsupportreq.pm (rev 1.66) with this patched version (rev  
1.67.2.1) as follows (all on one line).

wget -O /home/httpd/lib/perl/Apache/lonsupportreq.pm  
'http://source.loncapa.org/cgi-bin/cvsweb.cgi/~checkout~/loncom/interface/lonsupportreq.pm?rev=1.67.2.1;content-type=text/plain'

/etc/init.d/httpd reload
(CentOS, Scientific Linux, Red Hat, Fedora)

or

/etc/init.d/apache2 reload
(SuSE, Ubuntu, SLES)


Stuart Raeburn
LON-CAPA Academic Consortium



Quoting Jon Hall <jdh65 at bellsouth.net>:

> My IT guy came to me and indicated that our school has failed a PCI   
> compliance scan because of our lon-capa server.  He said we were   
> going to have to shut it down if I could not get the items on the   
> list taken care of.
>
> Any help about fixing these or advice would be greatly appreciated.   
>  There are suggested solutions in the list my IT guy gave me, but I   
> don't want to go making changes which might affect the lon-capa   
> operations.
>
> Here is a summary of the list items:
>
> port 541 (osiris host IDS agent) open - need to close this port
>
> webserver autoindex enabled
>
> vulnerable Apache version 2.2.3
>
> HTTP TRACE/TRACK Methods allowed
>
> vulnerable web program (iFoto)
>
> HTML page uses cleartext form-based authentication (/adm/roles)
>
> HTML page uses cleartext form-based authentication (/adm/menu)
>
> HTML page uses cleartext form-based authentication   
> (/adm/login?username=&domain=)
>
> HTML page uses cleartext form-based authentication (/adm/login)
>
> web program allows cross-site scripting in query string (/adm/login)
>
> web program allows cross-site scripting in query string (/adm/helpdesk)
>
> web server allows cross-site tracing
>
> cross-site scripting vulnerability in orgurl parameter to /adm/helpdesk
>
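The orgurl item in the quoted scan findings and the XSS changes described in the reply above concern a query-string value that /adm/helpdesk reflects back into its form. The following is an added illustration, written in Python rather than the Perl of lonsupportreq.pm, and not code from LON-CAPA or from the patched module: it shows the two defensive layers such a fix generally combines, validating the parameter as an absolute http(s) URL and HTML-attribute-escaping it on output, next to the unescaped rendering that a scanner flags, with a self-check over constructed probe strings of the kind the XSS Me plug-in submits. The function names, the probe strings and the hidden-field markup are assumptions of this example.

```python
import html
from urllib.parse import urlparse

# Constructed probe strings for the self-check (assumption: illustrative of the
# categories a reflected-XSS scanner tries, not the plug-in's actual list).
PROBES = [
    '"><script>alert(1)</script>',                          # attribute break-out
    "javascript:alert(1)",                                  # non-http scheme
    "http://example.edu/course?x=<img src=x onerror=alert(1)>",  # markup inside a valid URL
    "https://loncapa.example.edu/adm/roles",                # benign value, must pass through
]

ALLOWED_SCHEMES = ("http", "https")


def is_allowed_orgurl(value: str) -> bool:
    """Layer 1, validation: accept only absolute http(s) URLs.

    javascript:, data:, relative paths and bare markup all fail this check,
    so they never reach the page at all.
    """
    try:
        parts = urlparse(value)
    except ValueError:
        return False
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)


def render_hidden_orgurl_unsafe(value: str) -> str:
    """The pattern a scanner flags: the parameter is interpolated verbatim."""
    return '<input type="hidden" name="orgurl" value="%s" />' % value


def render_hidden_orgurl(value: str) -> str:
    """Layer 2, output encoding: the (validated) value is escaped for an
    HTML attribute context; rejected values become an empty field."""
    safe = value if is_allowed_orgurl(value) else ""
    return '<input type="hidden" name="orgurl" value="%s" />' % html.escape(safe, quote=True)


def attribute_breakout(rendered: str) -> bool:
    """Self-check heuristic: a correctly rendered field contains exactly one
    tag, so any extra '<' or '>' means the value escaped the attribute."""
    return rendered.count("<") != 1 or rendered.count(">") != 1


def audit(probes=PROBES) -> dict:
    """Run every probe through both renderers and report which one breaks out."""
    return {
        probe: {
            "unsafe_breaks_out": attribute_breakout(render_hidden_orgurl_unsafe(probe)),
            "hardened_breaks_out": attribute_breakout(render_hidden_orgurl(probe)),
            "accepted": is_allowed_orgurl(probe),
        }
        for probe in probes
    }


if __name__ == "__main__":
    for probe, result in audit().items():
        print(f"{probe!r}: {result}")
```

Validation and encoding are kept separate on purpose: encoding alone would still let a `javascript:` URL through intact (it contains no HTML metacharacters), and validation alone would still reflect markup that happens to sit inside a syntactically valid URL, as the third probe shows.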
