[LON-CAPA-admin] PCI Compliance

Gerd Kortemeyer korte at lite.msu.edu
Mon Jan 14 09:09:01 EST 2013


Hi,

Make sure to restart Apache after installing new handlers.

- Gerd.

On Jan 14, 2013, at 8:18 AM, Jon Hall <jdh65 at bellsouth.net> wrote:

> I quickly re-applied the update and it looks like it took this time.
> 
> /home/httpd/lib/perl/Apache/lonsupportreq.pm:# $Id: lonsupportreq.pm,v 1.67.2.1 2013/01/04 19:07:17 raeburn Exp $
> 
> 
> Now it's time to get the PCI scan re-done.
> 
> Thanks!
> 
> 
> 
> On Jan 13, 2013, at 8:01 PM, Stuart Raeburn wrote:
> 
>> Hi,
>> 
>>> I managed to get many of the PCI failure items corrected, but am still getting dinged by the PCI scanning company for cross-site scripting (despite updating my lonsupportreq.pm as suggested by Stuart).
>> 
>> Are you sure /home/httpd/lib/perl/Apache/lonsupportreq.pm has actually been updated?
>> 
>> The ID line reported from the installed module (/home/httpd/lib/perl/Apache/lonsupportreq.pm) on your physics.jp2hs.org server is still:
>> 
>> $Id: lonsupportreq.pm,v 1.66 2011/03/03 17:29:29
>> 
>> whereas I would expect it to be:
>> 
>> $Id: lonsupportreq.pm,v 1.67.2.1 2013/01/04 19:07:17
>> 
>> if lonsupportreq.pm had been updated.
>> 
>> If you have ssh access to physics.jp2hs.org, could you log in and let me know the output from the following command:
>> 
>> ls -al /home/httpd/lib/perl/Apache/lonsupportreq.pm
>> 
>>> Gerd suggested that I can disable helpdesk in domain configuration, but I have not been able to figure out how to do that. Any pointers?
>> 
>> The DC's domain configuration settings GUI interface for LON-CAPA production releases (i.e., 2.10 and older) do *not* support disabling of the "Contact Helpdesk" link, although this feature has been implemented for the upcoming LON-CAPA 2.11.
>> 
>> Anyway, to suppress display of that link on 2.10 and older you need to use a text editor to change the following line in
>> 
>> /etc/httpd/conf/loncapa.conf
>> 
>> from
>> 
>> PerlSetVar     lonSupportEMail    jon.hall at jp2hs.org
>> 
>> to
>> 
>> PerlSetVar     lonSupportEMail
>> 
>> 
>> Then do:
>> 
>> /etc/init.d/httpd reload
>> 
>> That said, one of the features of LON-CAPA is the ability for a user from any domain in the LON-CAPA network to log in to any server (including servers from other domains).
>> 
>> Consequently it is actually desirable that the Contact Helpdesk link is available, such that if, for example, a student from the jp2hs domain happens to attempt to log in to one of the MSU servers (which might occur when your server was busy, for example) and he/she encounters a problem and log-in fails, any help message composed by the student via the Contact Helpdesk will be routed to the helpdesk for the student's domain (i.e., to you), rather than to the e-mail address for the server administrator of the machine.
>> 
>> Also, I see you have followed my suggestion and installed free SSL certs from startssl.com.  Accordingly, I have updated the entry for jp2l1 to specify https (instead of http) in the authoritative cluster tables advertised by the LON-CAPA Academic Consortium "DNS" servers.
>> 
>> You should make the same change in /home/httpd/lonTabs/hosts.tab
>> i.e., replace:
>> 
>> jp2l1:jp2:library:physics.jp2hs.org:http:jp2hs.org
>> 
>> with
>> 
>> jp2l1:jp2:library:physics.jp2hs.org:https:jp2hs.org
>> 
>> Lastly, I would encourage you to enable rewrites from http to https by doing the following:
>> 
>> cd /etc/httpd/conf/
>> cp rewrites/loncapa_rewrite_on.conf loncapa_rewrite.conf
>> 
>> /etc/init.d/httpd reload
>> 
>> Currently:
>> http://physics.jp2hs.org/
>> 
>> reports a 400 error "Bad Request".
>> 
>> See section 2.18 "Encrypting server traffic with SSL" on p. 18 of the domain coordination manual for more information:
>> 
>> https://physics.jp2hs.org/adm/help/domain.manual.pdf
>> 
>> 
>> Stuart Raeburn
>> LON-CAPA Academic Consortium
>> 
>> 
>> Quoting Jon Hall <jdh65 at bellsouth.net>:
>> 
>>> I managed to get many of the PCI failure items corrected, but am still getting dinged by the PCI scanning company for cross-site scripting (despite updating my lonsupportreq.pm as suggested by Stuart).
>>> 
>>> Gerd suggested that I can disable helpdesk in domain configuration, but I have not been able to figure out how to do that. Any pointers?
>>> 
>>> Thanks for all assistance,
>>> Jon Hall
>>> 
>>> 
>>> On Jan 3, 2013, at 7:55 PM, Gerd Kortemeyer wrote:
>>> 
>>>> 
>>>> 
>>>> Can be solved by switching to HTTPS, but to avoid warnings, you need a purchased certificate. Nothing we can do about it.
>>>> 
>>>> 
>>>>> 
>>>>> web program allows cross-site scripting in query string (/adm/login)
>>>>> 
>>>>> web program allows cross-site scripting in query string (/adm/helpdesk)
>>>> 
>>>> Disable helpdesk in domain configuration.
>>>> 
>>>>> 
>>>>> web server allows cross-site tracing
>>>> 
>>>> See above.
>>>> 
>>>>> 
>>>>> cross-site scripting vulnerability in orgurl parameter to /adm/helpdesk
>>>> 
>>>> See above.
>>>> 
>>>> - Gerd.
>> 
>> _______________________________________________
>> LON-CAPA-admin mailing list
>> LON-CAPA-admin at mail.lon-capa.org
>> http://mail.lon-capa.org/mailman/listinfo/lon-capa-admin
> 
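The verification steps Stuart walks Jon through above (confirming that the installed lonsupportreq.pm really carries the expected $Id revision rather than the stale 1.66, that the hosts.tab entry for the library server advertises https, and that the http-to-https rewrite config has been copied from the "on" template) can be scripted so the state of the server is checked before the PCI scan is re-run. The following POSIX shell script is an added example, not code from the LON-CAPA project or from anyone in this thread; the file paths, the host id jp2l1 and the expected revision 1.67.2.1 are taken from the e-mails above, and the files that make_samples writes to a temporary directory are constructed stand-ins so the script runs offline.

```shell
#!/bin/sh
# Added example (not LON-CAPA project code): post-update verification of the
# items discussed in the thread. The expected revision and the file layout are
# assumptions taken from the e-mails; make_samples writes constructed stand-ins.

# Print the RCS revision from a file's "$Id: name,v REV date ..." keyword line.
module_revision() {
    sed -n 's/^.*\$Id: [^ ]* \([0-9][0-9.]*\) .*$/\1/p' "$1" | head -n 1
}

# Succeed only if the installed module carries the expected revision
# (the check Stuart asked for: a 1.66 line means the update never landed).
check_module_revision() {
    [ "$(module_revision "$1")" = "$2" ]
}

# Print the protocol field of a hosts.tab entry; the columns are
# id:domain:role:hostname:protocol:domain-name as in the thread's example line.
host_protocol() {
    awk -F: -v id="$2" '$1 == id { print $5; exit }' "$1"
}

# Succeed only if the named host entry advertises https.
check_https_entry() {
    [ "$(host_protocol "$1" "$2")" = "https" ]
}

# Succeed only if the active rewrite config equals the "on" template,
# i.e. the cp step from the thread has been done. $1 is the httpd conf dir.
check_rewrite_enabled() {
    cmp -s "$1/rewrites/loncapa_rewrite_on.conf" "$1/loncapa_rewrite.conf"
}

# Run all three checks ($1 module path, $2 hosts.tab path, $3 conf dir,
# $4 host id), report PASS/FAIL per item and return non-zero on any failure.
run_checks() {
    status=0
    if check_module_revision "$1" 1.67.2.1; then echo "PASS: module revision"
    else echo "FAIL: module revision"; status=1; fi
    if check_https_entry "$2" "$4"; then echo "PASS: https in hosts.tab"
    else echo "FAIL: https in hosts.tab"; status=1; fi
    if check_rewrite_enabled "$3"; then echo "PASS: http->https rewrite"
    else echo "FAIL: http->https rewrite"; status=1; fi
    return $status
}

# Write constructed sample files into a temporary directory and print its path.
make_samples() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/Apache" "$d/conf/rewrites" "$d/lonTabs"
    # Updated module: the $Id line mirrors the revision expected in the thread.
    printf '# $Id: lonsupportreq.pm,v 1.67.2.1 2013/01/04 19:07:17 raeburn Exp $\n1;\n' \
        > "$d/Apache/lonsupportreq.pm"
    # Stale module, as found on the server before the update took.
    printf '# $Id: lonsupportreq.pm,v 1.66 2011/03/03 17:29:29 raeburn Exp $\n1;\n' \
        > "$d/Apache/lonsupportreq_old.pm"
    printf 'jp2l1:jp2:library:physics.jp2hs.org:https:jp2hs.org\n' \
        > "$d/lonTabs/hosts.tab"
    # Placeholder template contents; only equality of the two files matters here.
    printf 'RewriteEngine on\n' > "$d/conf/rewrites/loncapa_rewrite_on.conf"
    cp "$d/conf/rewrites/loncapa_rewrite_on.conf" "$d/conf/loncapa_rewrite.conf"
    echo "$d"
}

# On a live server (paths from the thread) this would be invoked as:
# run_checks /home/httpd/lib/perl/Apache/lonsupportreq.pm \
#            /home/httpd/lonTabs/hosts.tab /etc/httpd/conf jp2l1
```

The revision check reads the RCS keyword that Stuart compared by hand, so it catches the case in the thread where the update appeared to have been applied but the old file was still in place; as in the thread, Apache still has to be restarted or reloaded after the module changes for the check to reflect what is actually serving requests.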