[LON-CAPA-admin] more PCI compliance
Stuart Raeburn
raeburn at msu.edu
Sun Jan 27 22:13:30 EST 2013
Hi,
Item 1:
> Data Sent: GET /adm/css/index.php?dir=../../../../../../ HTTP/1.0
Given that a LON-CAPA server does not have php installed, I don't see
a problem with echoing the contents of LON-CAPA's standard css in
response to /adm/css/index.php. However, the following change will
cause a blank page to be returned instead, in response to a request
for /adm/css/index.php.
To eliminate this issue, as root use a text editor to modify line 1287
of /etc/httpd/conf/loncapa_apache.conf
replace:
<LocationMatch "^/adm/css">
with:
<LocationMatch "^/adm/css/.*\.css$">
then do:
/etc/init.d/httpd reload
Item 2:
> /adm/login?username=&domain=<SCRIPT>alert('SecurityMetrics')</SCRIPT> HTTP/1.0
> Data Received: codedom = "<SCRIPT>alert('SecurityMetrics')</SCRIPT>";
To eliminate this issue, as root use a text editor to modify line 640
of /home/httpd/lib/perl/Apache/lonlogin.pm
replace:
var codedom = document.client.udom.value;
with:
var possdom = document.client.udom.value;
var codedom = possdom.replace( new RegExp("[^A-Za-z0-9.\\-]","g"),'');
then do:
/etc/init.d/httpd reload
Please contact me via:
helpdesk at loncapa.org if you have any additional questions.
General note for all list subscribers ...
Both of these changes will be in the forthcoming LON-CAPA 2.11.0 release.
Stuart Raeburn
LON-CAPA Academic Consortium
helpdesk at loncapa.org
Quoting Jon Hall <jdh65 at bellsouth.net>:
> After much wailing and gnashing of teeth, and with the generous help
> of many on this mailing list (thank you very much!), I have been
> able to solve nearly all of the issues which were causing my
> LON-CAPA server to fail a PCI compliance scan.
>
> Unfortunately, there are still 2 issues that I have been unable to
> resolve. I am posting the complete message sent by the scanning
> company, in case any one can offer any suggestions. Thanks in
> advance!
>
> Issue 1:
> Title: vulnerable web program (iFoto)
> Impact: A remote attacker could execute arbitrary commands, create
> or overwrite files, or view files or directories on the web server.
> Data Sent: GET /adm/css/index.php?dir=../../../../../../ HTTP/1.0
> Host: 66.147.103.10
> User-Agent: Mozilla/4.0
> Connection: Keep-alive
> Data Received: span.LC_cusr_emph {
> Resolution: 08/07/07 CVE 2007-4092 A directory traversal
> vulnerability in the index.php script in iFoto 1.0 allows remote
> attackers to view the contents of arbitrary directories by placing
> dot-dot-slash strings into the dir parameter.
> Resolution: Edit the source code of index.php to remove invalid
> characters from the dir parameter or apply a fix from the vendor
> when available.
> Risk Factor: Medium / CVSS2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
> CVE: CVE-2007-4092
> BID: 25065
>
>
> Issue 2:
> Title: web program allows cross-site scripting in query string (/adm/login)
> Impact: A malicious web site could cause arbitrary commands to run
> on a client through a specially crafted link to the vulnerable
> server. In some cases, this could result in the compromise of the
> client's cookies, leading to unauthorized access to web applications.
> Data Sent: GET
> /adm/login?username=&domain=<SCRIPT>alert('SecurityMetrics')</SCRIPT> HTTP/1.0
> Host: 66.147.103.10
> User-Agent: Mozilla/4.0
> Connection: Keep-alive
> Data Received: codedom = "<SCRIPT>alert('SecurityMetrics')</SCRIPT>";
> Resolution: Cross-site scripting can be fixed either by creating a
> customized error page which does not display the URI,