[LON-CAPA-admin] more PCI compliance

Gerd Kortemeyer korte at lite.msu.edu
Mon Jan 28 08:31:53 EST 2013


Hi,

Just a clarification before everyone starts to worry: these are not real security holes in LON-CAPA!

It's nice to be "PCI compliant," but 

a) there is actually no reason for us to be - we do not handle Payment Card Industry data

b) the changes below are basically working around a trigger-happy piece of other software

But, whatever, now we are PCI compliant. These changes are very nice, in case in the future another network administrator decides to do an audit.

Also, a future version of LON-CAPA can now include credit card input and e-commerce features, so we can sell green boxes.

- Gerd.

On Jan 27, 2013, at 10:13 PM, Stuart Raeburn <raeburn at msu.edu> wrote:

> Hi,
> 
> Item 1:
> 
>> Data Sent: GET /adm/css/index.php?dir=../../../../../../ HTTP/1.0
> 
> Given that a LON-CAPA server does not have php installed, I don't see a problem with echoing the contents of LON-CAPA's standard css in response to /adm/css/index.php.  However, the following change will cause a blank page to be returned instead, in response to a request for /adm/css/index.php
> 
> To eliminate this issue, as root use a text editor to modify line 1287 of /etc/httpd/conf/loncapa_apache.conf
> 
> replace:
> 
> <LocationMatch "^/adm/css">
> 
> with:
> 
> <LocationMatch "^/adm/css/.*\.css$">
> 
> then do:
> 
> /etc/init.d/httpd reload
> 
> 
> Item 2.
> 
>> /adm/login?username=&domain=<SCRIPT>alert('SecurityMetrics')</SCRIPT> HTTP/1.0
>> Data Received: codedom = "<SCRIPT>alert('SecurityMetrics')</SCRIPT>";
> 
> To eliminate this issue, as root use a text editor to modify line 640 of /home/httpd/lib/perl/Apache/lonlogin.pm
> 
> replace:
> 
>    var codedom = document.client.udom.value;
> 
> with:
> 
>    var possdom = document.client.udom.value;
>    var codedom = possdom.replace( new RegExp("[^A-Za-z0-9.\\-]","g"),'');
> 
> then do:
> 
> /etc/init.d/httpd reload
> 
> Please contact me via:
> helpdesk at loncapa.org if you have any additional questions.
> 
> General note for all list subscribers ...
> Both of these changes will be in the forthcoming LON-CAPA 2.11.0 release.
> 
> 
> Stuart Raeburn
> LON-CAPA Academic Consortium
> helpdesk at loncapa.org
> 
> 
> Quoting Jon Hall <jdh65 at bellsouth.net>:
> 
>> After much wailing and gnashing of teeth, and with the generous help of many on this mailing list (thank you very much!), I have been able to solve nearly all of the issues which were causing my LON-CAPA server to fail a PCI compliance scan.
>> 
>> Unfortunately, there are still 2 issues that I have been unable to resolve.  I am posting the complete message sent by the scanning company, in case any one can offer any suggestions.  Thanks in advance!
>> 
>> Issue 1:
>> Title: vulnerable web program (iFoto)
>> Impact: A remote attacker could execute arbitrary commands, create or overwrite files, or view files or directories on the web server.
>> Data Sent: GET /adm/css/index.php?dir=../../../../../../ HTTP/1.0
>> Host: 66.147.103.10
>> User-Agent: Mozilla/4.0
>> Connection: Keep-alive
>> Data Received: span.LC_cusr_emph {
>> Resolution: 08/07/07 CVE 2007-4092 A directory traversal vulnerability in the index.php script in iFoto 1.0 allows remote attackers to view the contents of arbitrary directories by placing dot-dot-slash strings into the dir parameter.
>> Resolution: Edit the source code of index.php to remove invalid characters from the dir parameter or apply a fix from the vendor when available.
>> Risk Factor: Medium/ CVSS2
>> Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
>> CVE: CVE-2007-4092
>> BID: 25065
>> 
>> 
>> Issue 2:
>> Title: web program allows cross-site scripting in query string (/adm/login)
>> Impact: A malicious web site could cause arbitrary commands to run on a client through a specially crafted link to the vulnerable server. In some cases, this could result in the compromise of the client's cookies, leading to unauthorized access to web applications.
>> Data Sent: GET /adm/login?username=&domain=<SCRIPT>alert('SecurityMetrics')</SCRIPT> HTTP/1.0
>> Host: 66.147.103.10
>> User-Agent: Mozilla/4.0
>> Connection: Keep-alive
>> Data Received: codedom = "<SCRIPT>alert('SecurityMetrics')</SCRIPT>";
>> Resolution: Cross-site scripting can be fixed either by creating a  customized error page which does not display the URI,
> 
> 
> _______________________________________________
> LON-CAPA-admin mailing list
> LON-CAPA-admin at mail.lon-capa.org
> http://mail.lon-capa.org/mailman/listinfo/lon-capa-admin
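The two allowlist checks Stuart describes (the tightened LocationMatch for Item 1 and the domain-sanitizing regular expression for Item 2), as an added example that is not part of the original thread or of LON-CAPA's code: the function names and the LocationMatch emulation are ours, the inputs are the scanner lines quoted above, and the emulation assumes, as Apache documents, that LocationMatch is compared against the URL path without the query string.

```javascript
// Added example (not LON-CAPA code): the two allowlist checks from the thread.

// Item 2: the replacement line in lonlogin.pm keeps only characters that can
// legitimately appear in a LON-CAPA domain name and drops everything else.
// Same regular expression as the fix; the surrounding function is ours.
const DOMAIN_DISALLOWED = /[^A-Za-z0-9.\-]/g;

function sanitizeDomain(possdom) {
  return String(possdom).replace(DOMAIN_DISALLOWED, "");
}

// Characters that would let a value break out of a double-quoted JavaScript
// string literal or close the enclosing <script> element.
function safeToEmbedInScript(value) {
  return !/["'\\<>\r\n\u2028\u2029]/.test(value);
}

// Item 1: emulate the old and the tightened <LocationMatch> rules from
// loncapa_apache.conf. Apache matches LocationMatch against the URL path only,
// so the "?dir=..." query string is stripped before testing.
const CSS_LOCATION_OLD = /^\/adm\/css/;
const CSS_LOCATION_NEW = /^\/adm\/css\/.*\.css$/;

function requestPath(requestLine) {
  // "GET /adm/css/index.php?dir=../../ HTTP/1.0" -> "/adm/css/index.php"
  const target = requestLine.split(" ")[1] || requestLine;
  return target.split("?")[0];
}

function matchesCssLocation(requestLine, pattern = CSS_LOCATION_NEW) {
  return pattern.test(requestPath(requestLine));
}

// Constructed inputs, copied from the scanner report quoted in the thread.
const SCANNER_DOMAIN = "<SCRIPT>alert('SecurityMetrics')</SCRIPT>";
const SCANNER_CSS_REQUEST = "GET /adm/css/index.php?dir=../../../../../../ HTTP/1.0";

console.log(sanitizeDomain(SCANNER_DOMAIN));                      // SCRIPTalertSecurityMetricsSCRIPT
console.log(safeToEmbedInScript(SCANNER_DOMAIN));                 // false (raw value)
console.log(safeToEmbedInScript(sanitizeDomain(SCANNER_DOMAIN))); // true  (after the fix)
console.log(matchesCssLocation(SCANNER_CSS_REQUEST, CSS_LOCATION_OLD)); // true  (old rule served it)
console.log(matchesCssLocation(SCANNER_CSS_REQUEST));                   // false (new rule: blank page)
console.log(matchesCssLocation("GET /adm/css/loncapa.css HTTP/1.0"));   // true  (real stylesheets still match)
```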