Jump to content

UGAChance

Member
  • Posts

    54
  • Joined

  • Last visited

Everything posted by UGAChance

  1. Yes. I think so too. Just need PHP and MySQL updated. They may have added protection at that level. The code might still be bad, but PHP and/or MySQL might have checks/fixes now for certain things. I am not bashing CubeCart. I have had it since CubeCart 2. I am just looking for anyone's info that can help. As discoworld mentioned a while back, your best bet is to not use Security Metrics for your PCI compliance ! You dont say what payment gateway you are using and what level of PCI compliance you are trying to obtain but unless the gateway is something unusual or you are looking to get a higher than normal compliance on a shared hosting server, the problem is not CubeCart, php or MySQL - it is Security Metrics themselves. We host a large number of CubeCart sites for ourselves and for clients across a range of shared hosting and dedicated servers and nobody has ever had a problem getting PCI compliance Ian I am not using Security Metrics by choice. I am not sure which company intiated the Security Metrics PCI Compliance test. It is my dad's accounts... I am just playing webmaster since I am a Senior Software Engineer in C/C++ Embedded Application Software.... not a web designer by day, but know enough to do what I need to. I have to have it pass Security Metrics PCI Compliance through Security Metrics. It was either GeoTrust(supllied SSL Cert) or FirstDatat(CC Transaction Company) that intiated the test. It is just like when a website is "VeriSign Verified." I need it to pass in order to post Verified Logo. I ran a program Acunetix Web Vulnerability Scanner 7 and it came up with nothing, so it might be a false positive. P.S. - I do not have SEO turned on... I wonder if the result might be different.
  2. Yes. I think so too. Just need PHP and MySQL updated. They may have added protection at that level. The code might still be bad, but PHP and/or MySQL might have checks/fixes now for certain things. I am not bashing CubeCart. I have had it since CubeCart 2. I am just looking for anyone's info that can help.
  3. I gave up on the VPS. IPower VPS Support was horrible and couldn't get the site working correctly. GD was installed but not working with PHP. They are expensive for VPS and not worth the hassle. It was reporting 2 of the SQL Blind Injections before and now only 1... I think upgrading PHP to a newer version fixed that. My plan is to try to fix this 1 bug and stay on the Shared Server. Otherwise I will goto another Linux VPS Company like InMotion, Host Gator, myhosting, or GoDaddy. I will let you guys know if I get a fix.
  4. Is "&" a special character? It is missing in there. Could this be the problem in index.php: if(preg_match('#([a-z]{1,6})_([a-z0-9\+]+)\.?([a-z]+)?(\?.*)?$#i', $_SERVER['REQUEST_URI'], $matches)) { Why doesn't CubeCart send all mysql string queries through: string mysql_real_escape_string ( string $unescaped_string [, resource $link_identifier ] ) http://us3.php.net/manual/en/function.mysql-real-escape-string.php
  5. I want to upgrade MySQL from 5.0.82 to 5.5+ or 5.6+.... on CubeCart 4.4.5 Will it work just like that or is there anything that has to be done? Or is it even compatible during a fresh install?
  6. CubeCart 4.4.5...latest MySql 5.0.82 or something like that. We are still trying to get things transferred and running on the new server so I haven't been able to try Security Metrics again.
  7. I just found out that my dad went ahead and paid for a Dedicated Server... something like $1000/year. It was going to be $60/month for a small website and $80/month for a big website. My dad paid for big just because of better Control Panel or something. Now I have the power to upgrade stuff, reboot the server, and stuff like that. Problem solved.
  8. This is what I got back from IPower... so the second 2 may be a problem with Cube Cart. Comment: Hello, I'm sorry. I accidentally sent that before I meant to. For the first two complaints. The solution is to set expose_php to Off in your php.ini, you can do this from your control panel by clicking on CGI and Scripted Language Support, then on PHP Scripting, and making the edits on the following page. The second to complaints are that the application that you are using has Cross Site scripting vulnerabilities. I see that you are using Cube Cart, you will need upgrade to the latest version of Cube Cart, and then contact their support team if there are still reported cross site scripting vulnerabilities. Regards, Robert R Support
  9. The report took 2.26 hours to complete and Cube Cart passed a bunch of tests. Here is the report that I got back from Security Metrics for PCI Compliance.... I know issue 1 and 2 are a web hosting/server problem, but does anyone know if 3 and 4 are MySQL problems or a CubeCart 4 problem? https://www.securitymetrics.com/ Executive Summary Test Result: Fail Date: 2011-05-23 Target IP: ###.###.###.### Test ID: 2819189 Test Length: 2.26 Hours DNS Entry: www.#######.com Total Risk: 18 Start Time: 08:55:47 Finish Time: 11:11:40 TCP/IP Fingerprint OS Estimate: Linux Scan Expiration: 2011-08-21 SecurityMetrics has determined that ########### is NOT COMPLIANT with the PCI scan validation requirement for this computer. The computer fails because a risk of 4 or more was found. You may not use the Security Tested logo until the computer passes. Look in the Security Vulnerabilities section below for instructions to reduce your security risk. Security Vulnerabilities Protocol Port Program Risk TCP 443 https 5 Synopsis : The configuration of PHP on the remote host allows disclosure of sensitive information. Description : The PHP install on the remote server is configured in a way that allows disclosure of potentially sensitive information to an attacker through a special URL. Such an URL triggers an Easter egg built into PHP itself. Other such Easter eggs likely exist, but SMetrics has not checked for them. See also : http://www.0php.com/php_easter_egg.php http://seclists.org/webappsec/2004/q4/32 4 Solution: In the PHP configuration file, php.ini, set the value for 'expose_php' to 'Off' to disable this behavior. Restart the web server daemon to put this change into effect. Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N) Other references : OSVDB:12184 [More] [Hide] TCP 80 http 5 Synopsis : The configuration of PHP on the remote host allows disclosure of sensitive information. Description : The PHP install on the remote server is configured in a way that allows disclosure of potentially sensitive information to an attacker through a special URL. Such an URL triggers an Easter egg built into PHP itself. Other such Easter eggs likely exist, but SMetrics has not checked for them. See also : http://www.0php.com/php_easter_egg.php http://seclists.org/webappsec/2004/q4/32 4 Solution: In the PHP configuration file, php.ini, set the value for 'expose_php' to 'Off' to disable this behavior. Restart the web server daemon to put this change into effect. Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N) Other references : OSVDB:12184 [More] [Hide] TCP http/https 4 Possible blind sql injection on http://www.cccoinsatlanta.com/index.php? searchStr=&_a=viewCat&Submit=Go wp --bsql "http://www.cccoinsatlanta.com/index.php?searchStr=&_a=viewCat&Submit=Go" style="display: none;"> "http://www.cccoinsatlanta.com/index.php?searchStr=+and+1%3D1&_a=viewCat&Submit=Go" "http://www.cccoinsatlanta.com/index.php?searchStr=+and+1%3D0&_a=viewCat&Submit=Go" cat <<EOF > bsql.sh curl -L "http://www.cccoinsatlanta.com/index.php?searchStr=+and+1%3D1&_a=viewCat&Submit=Go"> a curl -L "http://www.cccoinsatlanta.com/index.php?searchStr=+and+1%3D0&_a=viewCat&Submit=Go"> b diff a b EOF sh bsql.sh This website may have other injection related vulnerabilities. [More] [Hide] TCP http/https 4 Possible blind sql injection on http://www.cccoinsatlanta.com/index.php? _a=viewProd&productId=1059 wp --bsql "http://www.cccoinsatlanta.com/index.php?_a=viewProd&productId=1059" style="display: none;"> "http://www.cccoinsatlanta.com/index.php?_a=viewProd+and+1%3D1&productId=1059" "http://www.cccoinsatlanta.com/index.php?_a=viewProd+and+1%3D0&productId=1059" cat <<EOF > bsql.sh curl -L "http://www.cccoinsatlanta.com/index.php?_a=viewProd+and+1%3D1&productId=1059"> a curl -L "http://www.cccoinsatlanta.com/index.php?_a=viewProd+and+1%3D0&productId=1059"> b diff a b EOF sh bsql.sh This website may have other injection related vulnerabilities. [More] [Hide]
  10. I just tried a fresh install and had the same problem. I don't know what to do. mysql version mysql Ver 12.22 Distrib 4.0.16 perl versionperl, v5.8.3 php version PHP 4.4.1 (detailed PHP information)
  11. Somebody else had the same problem because I had a typo that said to add images2 field to the store_inventory table... instead it should be image2. Are you sure that you added the image2 table to the database correctly?
  12. I just updated the files to bring it up from CubeCart version 2.0.0 to CubeCart version 2.0.1. I just submitted it to Brooky, so it should be here shortly. 2 minor known bugs: 1. You can't upload a picture #2 if you don't have a picture #1. It will say "image too big" if you do this. 2. You have to upload both pictures at the same time. If you have an image #1 and then go back and try to add an image #2 it will say "image too big" if you do this. I haven't had time to look at why it is doing this. It doesn't do this on my Estore site that has this mod, but it does it on the CubeCart version. I will have to look at what is different.
  13. Typo in install.txt: image2 instead of images2 You should add the field image2 to the store_inventory table.
  14. It seams as though there are too many indians and not enough cheifs... Everyone is running around with their heads cut off about bugs they may have found and no one is taking charge and confirming things.
  15. Brooky or AngP, There have been people posting proposed "fixes" for things. I have not seen you say yes or no to it being a bug or a fix. Could you respond to them so we know whether we should incorporate the fix or not. I can't remember them all but one is the include makethumb.txt in spotlight.php and another is the forgot_pass fix. Thanks, UGAChance P.S. AngP get well soon.
×
×
  • Create New...