[LON-CAPA-admin] PCI Compliance

Stuart Raeburn raeburn at msu.edu
Sun Jan 13 21:01:33 EST 2013


Hi,

> I managed to get many of the PCI failure items correct, but am still
> getting dinged by the PCI scanning company for cross-site scripting
> (despite updating my lonsupportreq.pm as suggested by Stuart).

Are you sure /home/httpd/lib/perl/Apache/lonsupportreq.pm has actually  
been updated?

The $Id line reported from the installed module
(/home/httpd/lib/perl/Apache/lonsupportreq.pm) on your
physics.jp2hs.org server is still:

$Id: lonsupportreq.pm,v 1.66 2011/03/03 17:29:29

whereas I would expect it to be:

$Id: lonsupportreq.pm,v 1.67.2.1 2013/01/04 19:07:17

if lonsupportreq.pm had been updated.

If you have ssh access to physics.jp2hs.org could you log-in and let  
me know the output from the following command:

ls -al /home/httpd/lib/perl/Apache/lonsupportreq.pm

> Gerd suggested that I can disable helpdesk in domain configuration,   
> but I have not been able to figure out how to do that.  Any pointers?

The DC's domain configuration settings GUI interface for LON-CAPA  
production releases (i.e., 2.10 and older) do *not* support disabling  
of the "Contact Helpdesk" link, although this feature has been  
implemented for the upcoming LON-CAPA 2.11.

Anyway, to suppress display of that link on 2.10 and older you need to
use a text editor to change the following line in

/etc/httpd/conf/loncapa.conf

from

PerlSetVar     lonSupportEMail    jon.hall at jp2hs.org

to

PerlSetVar     lonSupportEMail


Then do:

/etc/init.d/httpd reload

That said, one of the features of LON-CAPA is the ability for a user  
from any domain in the LON-CAPA network to log-in to any server  
(including servers from other domains).

Consequently it is actually desirable that the Contact Helpdesk link
is available, so that if, for example, a student from the jp2hs
domain happens to attempt to log in to one of the MSU servers (which
might occur when your server is busy, for example) and encounters a
problem and the log-in fails, any help message composed by the
student via Contact Helpdesk will be routed to the helpdesk for the
student's domain (i.e., to you), rather than to the e-mail address
of the server administrator of that machine.

Also, I see you have followed my suggestion and installed free SSL  
certs from startssl.com.  Accordingly, I have updated the entry for  
jp2l1 to specify https (instead of http) in the authoritative cluster  
tables advertised by the LON-CAPA Academic Consortium "DNS" servers.

You should make the same change in /home/httpd/lonTabs/hosts.tab
i.e., replace:

jp2l1:jp2:library:physics.jp2hs.org:http:jp2hs.org

with

jp2l1:jp2:library:physics.jp2hs.org:https:jp2hs.org

Lastly, I would encourage you to enable rewrites from http to https by  
doing the following:

cd /etc/httpd/conf/
cp rewrites/loncapa_rewrite_on.conf loncapa_rewrite.conf

/etc/init.d/httpd reload

Currently:
http://physics.jp2hs.org/

reports a 400 error "Bad Request".

See section 2.18 "Encrypting server traffic with SSL" on p. 18 of the  
domain coordination manual for more information:

https://physics.jp2hs.org/adm/help/domain.manual.pdf


Stuart Raeburn
LON-CAPA Academic Consortium


Quoting Jon Hall <jdh65 at bellsouth.net>:

> I managed to get many of the PCI failure items correct, but am still
> getting dinged by the PCI scanning company for cross-site scripting
> (despite updating my lonsupportreq.pm as suggested by Stuart).
>
> Gerd suggested that I can disable helpdesk in domain configuration,   
> but I have not been able to figure out how to do that.  Any pointers?
>
> Thanks for all assistance,
> Jon Hall
>
>
> On Jan 3, 2013, at 7:55 PM, Gerd Kortemeyer wrote:
>
>>
>>
>> Can be solved by switching to HTTPS, but to avoid warnings, you need
>> a purchased certificate. Nothing we can do about it.
>>
>>
>>>
>>> web program allows cross-site scripting in query string (/adm/login)
>>>
>>> web program allows cross-site scripting in query string (/adm/helpdesk)
>>
>> Disable helpdesk in domain configuration.
>>
>>>
>>> web server allows cross-site tracing
>>
>> See above.
>>
>>>
>>> cross-site scripting vulnerability in orgurl parameter to /adm/helpdesk
>>
>> See above.
>>
>> - Gerd.
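The three checks Stuart asks for above (is the installed lonsupportreq.pm really the patched $Id revision, has lonSupportEMail been blanked in loncapa.conf, and does the hosts.tab entry say https) can be scripted so they are repeatable before the next PCI scan. The script below is an added example, not code from the original thread or from the LON-CAPA project. The CVS revision numbers, the hosts.tab line and the PerlSetVar directive are taken from the message; the sample files it creates, the helpdesk@example.org address and the function names are constructed for the example. On a real server the functions would be pointed at /home/httpd/lib/perl/Apache/lonsupportreq.pm, /etc/httpd/conf/loncapa.conf and /home/httpd/lonTabs/hosts.tab instead.

```shell
#!/bin/sh
# Added example, not code from the original message or from the LON-CAPA
# project. It checks the three items discussed in the thread:
#  (1) the installed lonsupportreq.pm carries at least the patched $Id revision,
#  (2) "PerlSetVar lonSupportEMail" in loncapa.conf has been blanked,
#  (3) the hosts.tab entry for a host id advertises https.
# All files created under SAMPLE_DIR are constructed inputs; the e-mail address
# and function names are assumptions made for this example.

# Print the CVS revision from a module's "$Id: name,v REV date ..." keyword.
loncapa_id_revision() {
    sed -n 's/.*\$Id: [^ ]*,v \([0-9.]*\) .*/\1/p' "$1" | head -n 1
}

# Return 0 if CVS revision $1 is at least $2, comparing dot-separated
# components numerically (1.67.2.1 >= 1.67 > 1.66; a missing component
# counts as 0, so 1.67 < 1.67.2.1 as a branch revision would be).
revision_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
        : "${x:=0}" "${y:=0}"
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# Print the value of "PerlSetVar lonSupportEMail" from loncapa.conf
# (empty output when the directive has no value, which hides the link).
support_email() {
    awk '$1 == "PerlSetVar" && $2 == "lonSupportEMail" { print $3; exit }' "$1"
}

# Print the protocol (5th colon-separated field) of the hosts.tab entry
# for LON-CAPA host id $2; empty output if the id is not listed.
hosts_tab_protocol() {
    awk -F: -v id="$2" '$1 == id { print $5; exit }' "$1"
}

# Run all three checks, one line per finding; return 0 only if all pass.
# $1 module file, $2 expected minimum revision, $3 loncapa.conf,
# $4 hosts.tab, $5 host id.
loncapa_pci_check() {
    rc=0
    rev=$(loncapa_id_revision "$1")
    if [ -n "$rev" ] && revision_ge "$rev" "$2"; then
        echo "OK   module revision $rev >= $2"
    else
        echo "FAIL module revision '${rev:-none}' older than $2 (update not installed?)"
        rc=1
    fi
    mail=$(support_email "$3")
    if [ -z "$mail" ]; then
        echo "OK   lonSupportEMail blank, Contact Helpdesk link suppressed"
    else
        echo "INFO lonSupportEMail=$mail, Contact Helpdesk link shown"
    fi
    proto=$(hosts_tab_protocol "$4" "$5")
    if [ "$proto" = "https" ]; then
        echo "OK   $5 advertised over https in hosts.tab"
    else
        echo "FAIL $5 protocol is '${proto:-missing}' in hosts.tab, expected https"
        rc=1
    fi
    return $rc
}

# --- constructed sample inputs mirroring the thread's before/after states ---
SAMPLE_DIR=$(mktemp -d)
OLD_MODULE="$SAMPLE_DIR/lonsupportreq_old.pm"
NEW_MODULE="$SAMPLE_DIR/lonsupportreq_new.pm"
CONF_SHOWN="$SAMPLE_DIR/loncapa_shown.conf"
CONF_HIDDEN="$SAMPLE_DIR/loncapa_hidden.conf"
HOSTS_HTTP="$SAMPLE_DIR/hosts_http.tab"
HOSTS_HTTPS="$SAMPLE_DIR/hosts_https.tab"

cat > "$OLD_MODULE" <<'EOF'
# $Id: lonsupportreq.pm,v 1.66 2011/03/03 17:29:29
package Apache::lonsupportreq;
EOF
cat > "$NEW_MODULE" <<'EOF'
# $Id: lonsupportreq.pm,v 1.67.2.1 2013/01/04 19:07:17
package Apache::lonsupportreq;
EOF
printf 'PerlSetVar     lonSupportEMail    helpdesk@example.org\n' > "$CONF_SHOWN"
printf 'PerlSetVar     lonSupportEMail\n' > "$CONF_HIDDEN"
printf 'jp2l1:jp2:library:physics.jp2hs.org:http:jp2hs.org\n' > "$HOSTS_HTTP"
printf 'jp2l1:jp2:library:physics.jp2hs.org:https:jp2hs.org\n' > "$HOSTS_HTTPS"

# Before the fixes: old module, link shown, http in hosts.tab (returns 1).
loncapa_pci_check "$OLD_MODULE" 1.67.2.1 "$CONF_SHOWN" "$HOSTS_HTTP" jp2l1 || true
# After the fixes (returns 0).
loncapa_pci_check "$NEW_MODULE" 1.67.2.1 "$CONF_HIDDEN" "$HOSTS_HTTPS" jp2l1
```

The revision comparison is what makes the first check worth scripting: a plain string compare would rank 1.67.2.1 below 1.66 (or above 1.7 and below 1.10), whereas component-wise numeric comparison orders CVS branch revisions the way the $Id line in the message implies. Blanking lonSupportEMail is reported as INFO rather than FAIL because, as the message explains, leaving the Contact Helpdesk link enabled is the intended configuration once the module has been updated.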