UGAChance Posted May 23, 2011

The report took 2.26 hours to complete and Cube Cart passed a bunch of tests. Here is the report that I got back from Security Metrics for PCI Compliance... I know issues 1 and 2 are a web hosting/server problem, but does anyone know if 3 and 4 are MySQL problems or a CubeCart 4 problem?

https://www.securitymetrics.com/

Executive Summary

Test Result: Fail
Date: 2011-05-23
Target IP: ###.###.###.###
Test ID: 2819189
Test Length: 2.26 Hours
DNS Entry: www.#######.com
Total Risk: 18
Start Time: 08:55:47
Finish Time: 11:11:40
TCP/IP Fingerprint OS Estimate: Linux
Scan Expiration: 2011-08-21

SecurityMetrics has determined that ########### is NOT COMPLIANT with the PCI scan validation requirement for this computer. The computer fails because a risk of 4 or more was found. You may not use the Security Tested logo until the computer passes. Look in the Security Vulnerabilities section below for instructions to reduce your security risk.

Security Vulnerabilities

1. Protocol: TCP   Port: 443   Program: https   Risk: 5

Synopsis: The configuration of PHP on the remote host allows disclosure of sensitive information.

Description: The PHP install on the remote server is configured in a way that allows disclosure of potentially sensitive information to an attacker through a special URL. Such an URL triggers an Easter egg built into PHP itself. Other such Easter eggs likely exist, but SMetrics has not checked for them.

See also:
http://www.0php.com/php_easter_egg.php
http://seclists.org/webappsec/2004/q4/32

Solution: In the PHP configuration file, php.ini, set the value for 'expose_php' to 'Off' to disable this behavior. Restart the web server daemon to put this change into effect.

Risk Factor: Medium / CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Other references: OSVDB:12184

2. Protocol: TCP   Port: 80   Program: http   Risk: 5

Synopsis: The configuration of PHP on the remote host allows disclosure of sensitive information.

Description: The PHP install on the remote server is configured in a way that allows disclosure of potentially sensitive information to an attacker through a special URL. Such an URL triggers an Easter egg built into PHP itself. Other such Easter eggs likely exist, but SMetrics has not checked for them.

See also:
http://www.0php.com/php_easter_egg.php
http://seclists.org/webappsec/2004/q4/32

Solution: In the PHP configuration file, php.ini, set the value for 'expose_php' to 'Off' to disable this behavior. Restart the web server daemon to put this change into effect.

Risk Factor: Medium / CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Other references: OSVDB:12184

3. Protocol: TCP   Port: http/https   Risk: 4

Possible blind sql injection on http://www.cccoinsatlanta.com/index.php?searchStr=&_a=viewCat&Submit=Go

wp --bsql "http://www.cccoinsatlanta.com/index.php?searchStr=&_a=viewCat&Submit=Go"
"http://www.cccoinsatlanta.com/index.php?searchStr=+and+1%3D1&_a=viewCat&Submit=Go"
"http://www.cccoinsatlanta.com/index.php?searchStr=+and+1%3D0&_a=viewCat&Submit=Go"

cat <<EOF > bsql.sh
curl -L "http://www.cccoinsatlanta.com/index.php?searchStr=+and+1%3D1&_a=viewCat&Submit=Go" > a
curl -L "http://www.cccoinsatlanta.com/index.php?searchStr=+and+1%3D0&_a=viewCat&Submit=Go" > b
diff a b
EOF
sh bsql.sh

This website may have other injection related vulnerabilities.

4. Protocol: TCP   Port: http/https   Risk: 4

Possible blind sql injection on http://www.cccoinsatlanta.com/index.php?_a=viewProd&productId=1059

wp --bsql "http://www.cccoinsatlanta.com/index.php?_a=viewProd&productId=1059"
"http://www.cccoinsatlanta.com/index.php?_a=viewProd+and+1%3D1&productId=1059"
"http://www.cccoinsatlanta.com/index.php?_a=viewProd+and+1%3D0&productId=1059"

cat <<EOF > bsql.sh
curl -L "http://www.cccoinsatlanta.com/index.php?_a=viewProd+and+1%3D1&productId=1059" > a
curl -L "http://www.cccoinsatlanta.com/index.php?_a=viewProd+and+1%3D0&productId=1059" > b
diff a b
EOF
sh bsql.sh

This website may have other injection related vulnerabilities.
UGAChance Posted May 24, 2011 (Author)

This is what I got back from IPower... so the second two may be a problem with Cube Cart.

Comment: Hello, I'm sorry. I accidentally sent that before I meant to. For the first two complaints, the solution is to set expose_php to Off in your php.ini; you can do this from your control panel by clicking on CGI and Scripted Language Support, then on PHP Scripting, and making the edits on the following page. The second two complaints are that the application that you are using has Cross Site scripting vulnerabilities. I see that you are using Cube Cart; you will need to upgrade to the latest version of Cube Cart, and then contact their support team if there are still reported cross site scripting vulnerabilities. Regards, Robert R, Support
Guest discoworld Posted May 24, 2011

I know this won't help much, but we have had an absolute nightmare with Security Metrics and PCI DSS compliance. The end result was that CC4 was fine, but my host company were using a version of MySQL that didn't pass - but this is a large host that won't change and doesn't feel the need to. In fact, to start with Security Metrics were saying we should move to a beta version of MySQL, which our host found bizarre. We then were informed that the only way to beat this was to move to a dedicated server... not going to happen. So we are now changing gateway and card processor to resolve the problems.
UGAChance Posted May 25, 2011 (Author)

I just found out that my dad went ahead and paid for a Dedicated Server... something like $1000/year. It was going to be $60/month for a small website and $80/month for a big website. My dad paid for big just because of better Control Panel or something. Now I have the power to upgrade stuff, reboot the server, and stuff like that. Problem solved.
Guest discoworld Posted May 25, 2011

Let us know if Security Metrics then pass your website with the dedicated server? I am curious, as this is a possible route for us.
havenswift-hosting Posted May 26, 2011

> Let us know if Security Metrics then pass your website with the dedicated server? I am curious, as this is a possible route for us.

Just taking a dedicated server will not fix any of these points, although as it is "your" server then you can at least make the changes that you want. However, unless you are a Linux expert or pay for managed support (where you will still need to know *what* to ask to be changed or configured on your server) then you are likely to have a lot more problems than being with a reputable hosting company who *should* know how to set a server up. I say *should*, as there are so many hosting companies out there that don't know.

The first two points (which are essentially the same point anyway) are completely pointless. Their reason for reporting this is that it reveals that the server is running PHP - the additional code that is added to cause this problem can only be added to the end of a URL that is a PHP page. The fact that you are adding it to a PHP page has already "revealed" that you are running PHP!!

You don't say what version of CubeCart and MySQL you are running and, more importantly, what if any mods you have installed (these are the most common cause of SQL injection vulnerabilities), therefore there is not enough information to say what the problem is, but it would be interesting to know what Al has to say about this IF you are running a recent version of CubeCart AND MySQL.

Ian
UGAChance Posted May 31, 2011 (Author)

CubeCart 4.4.5... latest. MySQL 5.0.82 or something like that. We are still trying to get things transferred and running on the new server, so I haven't been able to try Security Metrics again.
UGAChance Posted June 7, 2011 (Author)

Is "&" a special character? It is missing in there. Could this be the problem in index.php:

if(preg_match('#([a-z]{1,6})_([a-z0-9\+]+)\.?([a-z]+)?(\?.*)?$#i', $_SERVER['REQUEST_URI'], $matches)) {

Why doesn't CubeCart send all mysql string queries through:

string mysql_real_escape_string ( string $unescaped_string [, resource $link_identifier ] )

http://us3.php.net/manual/en/function.mysql-real-escape-string.php
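Editor's added example (this is not CubeCart's code and not part of any post in the thread). It addresses the two questions above: what the scanner's "1=1 vs 1=0" probe actually detects, and why escaping with mysql_real_escape_string() is the weaker answer compared with parameterised queries. It uses PDO with an in-memory SQLite database, assumed to be available in the CLI build, so it runs without a MySQL server; the products table, its two rows and all function names are constructed for illustration.

```php
<?php
// Added example, not CubeCart code. Contrasts a query built by string
// concatenation (the pattern a blind-injection probe detects) with a
// parameterised query that the same input cannot influence.
declare(strict_types=1);

function makeDb(): PDO
{
    // In-memory SQLite stands in for MySQL so the script runs offline.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)');
    // Constructed sample rows; the ids are arbitrary.
    $db->exec("INSERT INTO products VALUES (1059, 'Gold coin'), (1060, 'Silver coin')");
    return $db;
}

// Vulnerable pattern: the raw query-string value is spliced into the SQL.
// A productId of "1059 and 1=1" and one of "1059 and 1=0" return different
// row counts, which is exactly the difference the scanner's two curl
// requests and its "diff a b" are looking for.
function countProductsUnsafe(PDO $db, string $productId): int
{
    $rows = $db->query("SELECT id FROM products WHERE id = $productId")->fetchAll();
    return count($rows);
}

// Hardened pattern: validate the type first, then bind the value as a
// parameter so the database never parses it as SQL. Anything that is not
// a plain integer is rejected before a query is issued.
function countProductsSafe(PDO $db, string $productId): ?int
{
    $id = filter_var($productId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;   // caller should answer 400/404, not run a query
    }
    $stmt = $db->prepare('SELECT id FROM products WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return count($stmt->fetchAll());
}

// Free-text search (the searchStr parameter): the same rule applies.
// mysql_real_escape_string() only escapes quotes inside a string literal;
// a bound placeholder removes the question entirely. LIKE wildcards are a
// separate concern and are escaped here so user input is matched literally.
function searchProducts(PDO $db, string $searchStr): array
{
    $pattern = '%' . addcslashes($searchStr, '%_\\') . '%';
    $stmt = $db->prepare("SELECT name FROM products WHERE name LIKE :p ESCAPE '\\'");
    $stmt->execute([':p' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = makeDb();

printf("unsafe: 1=1 -> %d rows, 1=0 -> %d rows\n",
    countProductsUnsafe($db, '1059 and 1=1'),
    countProductsUnsafe($db, '1059 and 1=0'));

printf("safe:   '1059 and 1=1' -> %s, '1059' -> %s rows\n",
    var_export(countProductsSafe($db, '1059 and 1=1'), true),
    var_export(countProductsSafe($db, '1059'), true));

printf("search: ' and 1=1' -> %d rows, 'coin' -> %d rows\n",
    count(searchProducts($db, ' and 1=1')),
    count(searchProducts($db, 'coin')));
```

Run it with the PHP CLI. The unsafe function shows the differential the scanner keys on: the two probe values yield different row counts. The safe functions produce no such signal: the integer lookup rejects the probe value outright and the text search treats " and 1=1" as ordinary characters to match against product names. That is the behaviour the later post in this thread describes when it says the scanner's hits are false positives because the values were sanitised; a parameterised query is the simplest way to make that true for every query rather than relying on per-call escaping.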
Guest ashsinha Posted June 7, 2011

The payment is worthy if you're not quite familiar with the cubecart system. Generally speaking, cubecart is secure and "out of the box" powerful shopping cart as their website already said.
UGAChance Posted June 8, 2011 (Author)

I gave up on the VPS. IPower VPS Support was horrible and couldn't get the site working correctly. GD was installed but not working with PHP. They are expensive for VPS and not worth the hassle. It was reporting 2 of the SQL Blind Injections before and now only 1... I think upgrading PHP to a newer version fixed that. My plan is to try to fix this 1 bug and stay on the Shared Server. Otherwise I will go to another Linux VPS company like InMotion, Host Gator, myhosting, or GoDaddy. I will let you guys know if I get a fix.
UGAChance Posted June 8, 2011 (Author)

> The payment is worthy if you're not quite familiar with the cubecart system. Generally speaking, cubecart is secure and "out of the box" powerful shopping cart as their website already said.

Yes. I think so too. Just need PHP and MySQL updated. They may have added protection at that level. The code might still be bad, but PHP and/or MySQL might have checks/fixes now for certain things. I am not bashing CubeCart. I have had it since CubeCart 2. I am just looking for anyone's info that can help.
havenswift-hosting Posted June 8, 2011

> The payment is worthy if you're not quite familiar with the cubecart system. Generally speaking, cubecart is secure and "out of the box" powerful shopping cart as their website already said.

> Yes. I think so too. Just need PHP and MySQL updated. They may have added protection at that level. The code might still be bad, but PHP and/or MySQL might have checks/fixes now for certain things. I am not bashing CubeCart. I have had it since CubeCart 2. I am just looking for anyone's info that can help.

As discoworld mentioned a while back, your best bet is to not use Security Metrics for your PCI compliance! You don't say what payment gateway you are using and what level of PCI compliance you are trying to obtain, but unless the gateway is something unusual or you are looking to get a higher than normal compliance on a shared hosting server, the problem is not CubeCart, PHP or MySQL - it is Security Metrics themselves. We host a large number of CubeCart sites for ourselves and for clients across a range of shared hosting and dedicated servers, and nobody has ever had a problem getting PCI compliance.

Ian
UGAChance Posted June 9, 2011 (Author)

> The payment is worthy if you're not quite familiar with the cubecart system. Generally speaking, cubecart is secure and "out of the box" powerful shopping cart as their website already said.

> Yes. I think so too. Just need PHP and MySQL updated. They may have added protection at that level. The code might still be bad, but PHP and/or MySQL might have checks/fixes now for certain things. I am not bashing CubeCart. I have had it since CubeCart 2. I am just looking for anyone's info that can help.

> As discoworld mentioned a while back, your best bet is to not use Security Metrics for your PCI compliance! You don't say what payment gateway you are using and what level of PCI compliance you are trying to obtain, but unless the gateway is something unusual or you are looking to get a higher than normal compliance on a shared hosting server, the problem is not CubeCart, PHP or MySQL - it is Security Metrics themselves. We host a large number of CubeCart sites for ourselves and for clients across a range of shared hosting and dedicated servers, and nobody has ever had a problem getting PCI compliance.
> Ian

I am not using Security Metrics by choice. I am not sure which company initiated the Security Metrics PCI Compliance test. It is my dad's accounts... I am just playing webmaster since I am a Senior Software Engineer in C/C++ Embedded Application Software... not a web designer by day, but I know enough to do what I need to. I have to have it pass Security Metrics PCI Compliance through Security Metrics. It was either GeoTrust (supplied SSL cert) or First Data (CC transaction company) that initiated the test. It is just like when a website is "VeriSign Verified." I need it to pass in order to post the Verified logo.

I ran a program, Acunetix Web Vulnerability Scanner 7, and it came up with nothing, so it might be a false positive.

P.S. - I do not have SEO turned on... I wonder if the result might be different.
UGAChance Posted June 16, 2011 (Author)

httx://www.cccoinsatlanta.com/index.php?searchStr=&_a=viewCat&Submit=Go
http://www.cccoinsatlanta.com/index.php?searchStr=&_a=viewCat&Submit=Go

httx://www.cccoinsatlanta.com/index.php?searchStr=&_a=viewCat&Submit=Go%22%3Cspan
http://www.cccoinsatlanta.com/index.php?searchStr=&_a=viewCat&Submit=Go%22%3Cspan

httx://www.cccoinsatlanta.com/index.php?searchStr=+and+1%3D1&_a=viewCat&Submit=Go%22
http://www.cccoinsatlanta.com/index.php?searchStr=+and+1%3D1&_a=viewCat&Submit=Go%22

httx://www.cccoinsatlanta.com/index.php?searchStr=+and+1%3D0&_a=viewCat&Submit=Go%22
http://www.cccoinsatlanta.com/index.php?searchStr=+and+1%3D0&_a=viewCat&Submit=Go%22

httx://www.cccoinsatlanta.com/index.php?searchStr=+and+1%3D1&_a=viewCat&Submit=Go%22%3E
http://www.cccoinsatlanta.com/index.php?searchStr=+and+1%3D1&_a=viewCat&Submit=Go%22%3E

httx://www.cccoinsatlanta.com/index.php?searchStr=+and+1%3D0&_a=viewCat&Submit=Go%22%3E
http://www.cccoinsatlanta.com/index.php?searchStr=+and+1%3D0&_a=viewCat&Submit=Go%22%3E

It is not sanitizing #4 and #6 that have "%3D0".
UGAChance Posted June 22, 2011 (Author)

FYI: CubeCart 5 passed. I did an upgrade from CubeCart 4.4.5 to CubeCart 5... same database and all.
Guest Posted June 23, 2011

Just an FYI for anybody following this. The results they list are False Positives. Note that they said "Possible blind sql injection". The fact is that the values entered were completely sanitized and therefore harmless. You must remember that these are AUTOMATED tests. Once reviewed by humans, they should be marked as false positives and retested. There is ZERO reason to move to a dedicated server or even VPS based on something so blindingly trivial. :w00t:
Guest discoworld Posted June 23, 2011

The thing is, William - when you talk to them, it's a case of they are right and the rest of the world are wrong. HSBC forced us to use Security Metrics and in return we kindly are moving to Barclays for Merchant and Business Banking - so they just lost nearly £1000 a month because of Security Metrics and the fact that HSBC are generally foreign call centres who can't help.