[LON-CAPA-admin] PCI Compliance

Jon Hall jdh65 at bellsouth.net
Mon Jan 14 08:18:45 EST 2013


I quickly re-applied the update and it looks like it took this time.

/home/httpd/lib/perl/Apache/lonsupportreq.pm:# $Id: lonsupportreq.pm,v 1.67.2.1 2013/01/04 19:07:17 raeburn Exp $

Now it's time to get the PCI scan re-done.

Thanks!



On Jan 13, 2013, at 8:01 PM, Stuart Raeburn wrote:

> Hi,
> 
>> I managed to get many to the PCI failure items correct, but am still  getting dinged by the PCI scanning company for cross-site scripting  (despite updating my lonsupportreq.pm as suggested by Stuart).
> 
> Are you sure /home/httpd/lib/perl/Apache/lonsupportreq.pm has actually been updated?
> 
> The ID line reporetd from the installed module (/home/httpd/lib/perl/Apache/lonsupportreq.pm) on your physics.jp2hs.org server is still:
> 
> $Id: lonsupportreq.pm,v 1.66 2011/03/03 17:29:29
> 
> whereas I would expect it to be:
> 
> $Id: lonsupportreq.pm,v 1.67.2.1 2013/01/04 19:07:17
> 
> if lonsupportreq.pm had been updated.
> 
> If you have ssh access to physics.jp2hs.org could you log-in and let me know the output from the following command:
> 
> ls -al /home/httpd/lib/perl/Apache/lonsupportreq.pm
> 
>> Gerd suggested that I can disable helpdesk in domain configuration,  but I have not been able to figure out how to do that.  Any pointers?
> 
> The DC's domain configuration settings GUI interface for LON-CAPA production releases (i.e., 2.10 and older) do *not* support disabling of the "Contact Helpdesk" link, although this feature has been implemented for the upcoming LON-CAPA 2.11.
> 
> Anyway to suppress display of that link on 2.10 and older you need to use a text editor to change the following line in
> 
> /etc/httpd/conf/loncapa.conf
> 
> from
> 
> PerlSetVar     lonSupportEMail    jon.hall at jp2hs.org
> 
> to
> 
> PerlSetVar     lonSupportEMail
> 
> 
> Then do:
> 
> /etc/init.d/httpd reload
> 
> That said, one of the features of LON-CAPA is the ability for a user from any domain in the LON-CAPA network to log-in to any server (including servers from other domains).
> 
> Consequently it is actually desirable that the Contact Helpdesk link is available, such that if for example, a student from the jp2hs domain happens to attempt to log-in to one of the MSU servers (which might occur when your server was busy, for example) and he/she encounters a problem, and log-in fails, any help message composed by the student via the Contact Helpdesk will be routed to the helpdesk for the student's domain (i.e., to you), rather than to e-mail address for the server administrator of the machine.
> 
> Also, I see you have followed my suggestion and installed free SSL certs from startssl.com.  Accordingly, I have updated the entry for jp2l1 to specify https (instead of http) in the authoritative cluster tables advertised by the LON-CAPA Academic Consortium "DNS" servers.
> 
> You should make the same change in /home/httpd/lonTabs/hosts.tab
> i.e., replace:
> 
> jp2l1:jp2:library:physics.jp2hs.org:http:jp2hs.org
> 
> with
> 
> jp2l1:jp2:library:physics.jp2hs.org:https:jp2hs.org
> 
> Lastly, I would encourage you to enable rewrites from http to https by doing the following:
> 
> cd /etc/httpd/conf/
> cp rewrites/loncapa_rewrite_on.conf loncapa_rewrite.conf
> 
> /etc/init.d/httpd reload
> 
> Currently:
> http://physics.jp2hs.org/
> 
> reports a 400 error "Bad Request".
> 
> See section 2.18 "Encrypting server traffic with SSL" on p. 18 of the domain coordination manual for more information:
> 
> https://physics.jp2hs.org/adm/help/domain.manual.pdf
> 
> 
> Stuart Raeburn
> LON-CAPA Academic Consortium
> 
> 
> Quoting Jon Hall <jdh65 at bellsouth.net>:
> 
>> I managed to get many to the PCI failure items correct, but am still  getting dinged by the PCI scanning company for cross-site scripting  (despite updating my lonsupportreq.pm as suggested by Stuart).
>> 
>> Gerd suggested that I can disable helpdesk in domain configuration,  but I have not been able to figure out how to do that.  Any pointers?
>> 
>> Thanks for all assistance,
>> Jon Hall
>> 
>> 
>> On Jan 3, 2013, at 7:55 PM, Gerd Kortemeyer wrote:
>> 
>>> 
>>> 
>>> Can be solved by switched to HTTPS, but to avoid warnings, you need  a purchased certificate. Nothing we can do about it.
>>> 
>>> 
>>>> 
>>>> web program allows cross-site scripting in query string (/adm/login)
>>>> 
>>>> web program allows cross-site scripting in query string (/adm/helpdesk)
>>> 
>>> Disable helpdesk in domain configuration.
>>> 
>>>> 
>>>> web server allows cross-site tracing
>>> 
>>> See above.
>>> 
>>>> 
>>>> cross-site scripting vulnerability in orgurl parameter to /adm/helpdesk
>>> 
>>> See above.
>>> 
>>> - Gerd.
> 
> _______________________________________________
> LON-CAPA-admin mailing list
> LON-CAPA-admin at mail.lon-capa.org
> http://mail.lon-capa.org/mailman/listinfo/lon-capa-admin

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.lon-capa.org/pipermail/lon-capa-admin/attachments/20130114/ca1b7ab7/attachment.html>


More information about the LON-CAPA-admin mailing list