[LON-CAPA-admin] PCI Compliance
Jon Hall
jdh65 at bellsouth.net
Mon Jan 14 10:52:50 EST 2013
The hosts.tab already had the https edit shown below. Perhaps the file was modified when I ran ./UPDATE after switching?
Also, when running ./UPDATE item 13 is "allow only secure connections." Should I change that to yes? Or does that refer to the internal communications on port 5663?
On Jan 13, 2013, at 8:01 PM, Stuart Raeburn wrote:
> Also, I see you have followed my suggestion and installed free SSL certs from startssl.com. Accordingly, I have updated the entry for jp2l1 to specify https (instead of http) in the authoritative cluster tables advertised by the LON-CAPA Academic Consortium "DNS" servers.
>
> You should make the same change in /home/httpd/lonTabs/hosts.tab
> i.e., replace:
>
> jp2l1:jp2:library:physics.jp2hs.org:http:jp2hs.org
>
> with
>
> jp2l1:jp2:library:physics.jp2hs.org:https:jp2hs.org
>
> Lastly, I would encourage you to enable rewrites from http to https by doing the following:
>
> cd /etc/httpd/conf/
> cp rewrites/loncapa_rewrite_on.conf loncapa_rewrite.conf
>
> /etc/init.d/httpd reload
>
> Currently:
> http://physics.jp2hs.org/
>
> reports a 400 error "Bad Request".
>
> See section 2.18 "Encrypting server traffic with SSL" on p. 18 of the domain coordination manual for more information:
>
> https://physics.jp2hs.org/adm/help/domain.manual.pdf
>
>
> Stuart Raeburn
> LON-CAPA Academic Consortium
>
>
> Quoting Jon Hall <jdh65 at bellsouth.net>:
>
>> I managed to get many of the PCI failure items corrected, but am still getting dinged by the PCI scanning company for cross-site scripting (despite updating my lonsupportreq.pm as suggested by Stuart).
>>
>> Gerd suggested that I can disable helpdesk in domain configuration, but I have not been able to figure out how to do that. Any pointers?
>>
>> Thanks for all assistance,
>> Jon Hall
>>
>>
>> On Jan 3, 2013, at 7:55 PM, Gerd Kortemeyer wrote:
>>
>>>
>>>
>>> Can be solved by switching to HTTPS, but to avoid warnings, you need a purchased certificate. Nothing we can do about it.
>>>
>>>
>>>>
>>>> web program allows cross-site scripting in query string (/adm/login)
>>>>
>>>> web program allows cross-site scripting in query string (/adm/helpdesk)
>>>
>>> Disable helpdesk in domain configuration.
>>>
>>>>
>>>> web server allows cross-site tracing
>>>
>>> See above.
>>>
>>>>
>>>> cross-site scripting vulnerability in orgurl parameter to /adm/helpdesk
>>>
>>> See above.
>>>
>>> - Gerd.
>
> _______________________________________________
> LON-CAPA-admin mailing list
> LON-CAPA-admin at mail.lon-capa.org
> http://mail.lon-capa.org/mailman/listinfo/lon-capa-admin
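A small shell helper, added here as an example and not code from LON-CAPA or from anyone in the thread, that applies the hosts.tab change Stuart describes above (the protocol field of one entry switched from http to https) while leaving every other line as it is. It assumes the six colon-separated fields seen in the quoted entry (lonid:domain:role:hostname:protocol:internal-domain), refuses to touch lines with any other field count, and runs on a constructed sample rather than a real cluster table. Copying loncapa_rewrite_on.conf into place and reloading httpd is a separate step, as in the quoted instructions.

```shell
#!/bin/sh
# Added example (not LON-CAPA project code): switch one hosts.tab entry to https.
# Assumed line layout, from the entry quoted in the thread:
#   lonid:domain:role:hostname:protocol:internal-domain
# Usage: set_https LONID < /home/httpd/lonTabs/hosts.tab > hosts.tab.new

set_https() {
    awk -F: -v id="$1" 'BEGIN { OFS = ":" }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }   # keep comments and blank lines
        NF != 6 {                                                # unexpected layout: report, do not edit
            print "hosts.tab: unexpected field count on line " NR ": " $0 | "cat 1>&2"
            print; next
        }
        $1 == id && $5 == "http" { $5 = "https" }                # flip only the requested lonid
        { print }'
}

# Constructed sample (assumption, not a real cluster table): one entry to switch,
# one other library server that must stay on http, and a comment line.
SAMPLE='jp2l1:jp2:library:physics.jp2hs.org:http:jp2hs.org
otherl1:other:library:lon.example.org:http:example.org
# comment line'

# Run the helper over the sample and print the result.
demo() {
    printf '%s\n' "$SAMPLE" | set_https jp2l1
}

demo
```

Review the produced file with diff before replacing the live hosts.tab, since the cluster table advertised by the consortium "DNS" servers and the local copy should agree.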