
CubeCart 4 Problem or Web Hosting/Server Problem?


UGAChance


The report took 2.26 hours to complete and Cube Cart passed a bunch of tests. Here is the report that I got back from Security Metrics for PCI Compliance.... I know issue 1 and 2 are a web hosting/server problem, but does anyone know if 3 and 4 are MySQL problems or a CubeCart 4 problem?

https://www.securitymetrics.com/

Executive Summary

Test Result: Fail
Date: 2011-05-23
Target IP: ###.###.###.###
Test ID: 2819189
Test Length: 2.26 Hours
DNS Entry: www.#######.com
Total Risk: 18
Start Time: 08:55:47
Finish Time: 11:11:40
TCP/IP Fingerprint OS Estimate: Linux
Scan Expiration: 2011-08-21

SecurityMetrics has determined that ########### is NOT COMPLIANT with the PCI scan validation requirement for this computer. The computer fails because a risk of 4 or more was found. You may not use the Security Tested logo until the computer passes. Look in the Security Vulnerabilities section below for instructions to reduce your security risk.

Security Vulnerabilities

Protocol: TCP, Port: 443, Program: https, Risk: 5

Synopsis: The configuration of PHP on the remote host allows disclosure of sensitive information.

Description: The PHP install on the remote server is configured in a way that allows disclosure of potentially sensitive information to an attacker through a special URL. Such an URL triggers an Easter egg built into PHP itself. Other such Easter eggs likely exist, but SMetrics has not checked for them.

See also: http://www.0php.com/php_easter_egg.php http://seclists.org/webappsec/2004/q4/32 4

Solution: In the PHP configuration file, php.ini, set the value for 'expose_php' to 'Off' to disable this behavior. Restart the web server daemon to put this change into effect.

Risk Factor: Medium / CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Other references: OSVDB:12184

Protocol: TCP, Port: 80, Program: http, Risk: 5

Synopsis: The configuration of PHP on the remote host allows disclosure of sensitive information.

Description: The PHP install on the remote server is configured in a way that allows disclosure of potentially sensitive information to an attacker through a special URL. Such an URL triggers an Easter egg built into PHP itself. Other such Easter eggs likely exist, but SMetrics has not checked for them.

See also: http://www.0php.com/php_easter_egg.php http://seclists.org/webappsec/2004/q4/32 4

Solution: In the PHP configuration file, php.ini, set the value for 'expose_php' to 'Off' to disable this behavior. Restart the web server daemon to put this change into effect.

Risk Factor: Medium / CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Other references: OSVDB:12184

Protocol: TCP, Program: http/https, Risk: 4

Possible blind sql injection on http://www.cccoinsatlanta.com/index.php?searchStr=&_a=viewCat&Submit=Go

wp --bsql "http://www.cccoinsatlanta.com/index.php?searchStr=&_a=viewCat&Submit=Go"
"http://www.cccoinsatlanta.com/index.php?searchStr=+and+1%3D1&_a=viewCat&Submit=Go"
"http://www.cccoinsatlanta.com/index.php?searchStr=+and+1%3D0&_a=viewCat&Submit=Go"

cat <<EOF > bsql.sh
curl -L "http://www.cccoinsatlanta.com/index.php?searchStr=+and+1%3D1&_a=viewCat&Submit=Go" > a
curl -L "http://www.cccoinsatlanta.com/index.php?searchStr=+and+1%3D0&_a=viewCat&Submit=Go" > b
diff a b
EOF
sh bsql.sh

This website may have other injection related vulnerabilities.

Protocol: TCP, Program: http/https, Risk: 4

Possible blind sql injection on http://www.cccoinsatlanta.com/index.php?_a=viewProd&productId=1059

wp --bsql "http://www.cccoinsatlanta.com/index.php?_a=viewProd&productId=1059"
"http://www.cccoinsatlanta.com/index.php?_a=viewProd+and+1%3D1&productId=1059"
"http://www.cccoinsatlanta.com/index.php?_a=viewProd+and+1%3D0&productId=1059"

cat <<EOF > bsql.sh
curl -L "http://www.cccoinsatlanta.com/index.php?_a=viewProd+and+1%3D1&productId=1059" > a
curl -L "http://www.cccoinsatlanta.com/index.php?_a=viewProd+and+1%3D0&productId=1059" > b
diff a b
EOF
sh bsql.sh

This website may have other injection related vulnerabilities.

This is what I got back from IPower... so the second 2 may be a problem with Cube Cart.

Comment: Hello,

I'm sorry. I accidentally sent that before I meant to. For the first two complaints, the solution is to set expose_php to Off in your php.ini; you can do this from your control panel by clicking on CGI and Scripted Language Support, then on PHP Scripting, and making the edits on the following page.

The second two complaints are that the application that you are using has Cross Site Scripting vulnerabilities. I see that you are using Cube Cart; you will need to upgrade to the latest version of Cube Cart, and then contact their support team if there are still reported Cross Site Scripting vulnerabilities.

Regards,

Robert R

Support


Guest discoworld

I know this won't help much, but we have had an absolute nightmare with Security Metrics and PCI DSS compliance. The end result was that CC4 was fine, but my host company were using a version of MySQL that didn't pass - but this is a large host that won't change and doesn't feel the need to. In fact, to start with, Security Metrics were saying we should move to a beta version of MySQL, which our host found bizarre.

We then were informed that the only way to beat this was to move to a dedicated server.... not going to happen. So we are now changing gateway and card processor to resolve the problems.


I just found out that my dad went ahead and paid for a Dedicated Server... something like $1000/year. It was going to be $60/month for a small website and $80/month for a big website. My dad paid for big just because of better Control Panel or something. Now I have the power to upgrade stuff, reboot the server, and stuff like that.

Problem solved.


Guest discoworld

Let us know if Security Metrics then pass your website with the dedicated server? I am curious, as this is a possible route for us.


Let us know if Security Metrics then pass your website with the dedicated server? I am curious, as this is a possible route for us.

Just taking a dedicated server will not fix any of these points, although as it is "your" server then you can at least make the changes that you want. However, unless you are a Linux expert or pay for managed support (where you will still need to know *what* to ask to be changed or configured on your server), then you are likely to have a lot more problems than being with a reputable hosting company who *should* know how to set a server up. I say *should*, as there are so many hosting companies out there that don't know.

The first two points (which are essentially the same point anyway) are completely pointless. Their reason for reporting this is that it reveals that the server is running PHP - the additional code that is added to cause this problem can only be added to the end of a URL that is a PHP page. The fact that you are adding it to a PHP page has already "revealed" that you are running PHP!!

You don't say what version of CubeCart and MySQL you are running and, more importantly, what if any mods you have installed (these are the most common cause of SQL injection vulnerabilities), therefore there is not enough information to say what the problem is. But it would be interesting to know what Al has to say about this IF you are running a recent version of CubeCart AND MySQL.

Ian


Is "&" a special character? It is missing in there.

Could this be the problem in index.php:

if(preg_match('#([a-z]{1,6})_([a-z0-9\+]+)\.?([a-z]+)?(\?.*)?$#i', $_SERVER['REQUEST_URI'], $matches)) {

Why doesn't CubeCart send all MySQL string queries through:

string mysql_real_escape_string ( string $unescaped_string [, resource $link_identifier ] )

http://us3.php.net/manual/en/function.mysql-real-escape-string.php

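The post above asks why every query is not passed through mysql_real_escape_string(). The following is an added example, not CubeCart's code: a hypothetical product lookup and search, written with mysqli prepared statements (the modern replacement for the mysql_* functions), that binds the two parameters named in the scan report (productId and searchStr) instead of concatenating them into SQL. It assumes a table `products` with an integer `productId` column and a text `name` column, and a mysqli connection built with the mysqlnd driver (needed for get_result()).

```php
<?php
// Added example, not CubeCart's code. Assumes table `products`(productId INT, name TEXT).

// The pattern an automated blind-SQLi check is probing for is raw concatenation:
//   "SELECT ... WHERE productId = " . $_GET['productId']
// Binding the value as a typed parameter leaves nothing for the probe to alter.

function findProductById(mysqli $db, string $rawId): ?array
{
    // Reject anything that is not a plain positive integer before it reaches SQL.
    if (!ctype_digit($rawId)) {
        return null;
    }
    $id = (int) $rawId;                       // bind_param needs a variable, not an expression

    $stmt = $db->prepare('SELECT productId, name FROM products WHERE productId = ?');
    $stmt->bind_param('i', $id);              // 'i' = integer placeholder
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    return $row ?: null;
}

function searchProducts(mysqli $db, string $searchStr, int $limit = 50): array
{
    // Escape LIKE metacharacters so user input cannot widen the pattern, then
    // bind the whole pattern as a string; the limit is bound as an integer.
    $pattern = '%' . addcslashes($searchStr, '%_\\') . '%';

    $stmt = $db->prepare('SELECT productId, name FROM products WHERE name LIKE ? LIMIT ?');
    $stmt->bind_param('si', $pattern, $limit);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();

    return $rows;
}

// Usage (hypothetical connection details):
// $db = new mysqli('localhost', 'shop', 'secret', 'shopdb');
// $db->set_charset('utf8mb4');   // keeps client and server escaping rules in sync
// $product = findProductById($db, $_GET['productId'] ?? '');
// $results = searchProducts($db, $_GET['searchStr'] ?? '');
```

With parameters bound this way, the scanner's "+and+1=1" versus "+and+1=0" probes are simply literal (and non-matching) input values, so the two responses differ only if the page itself is dynamic.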

Guest ashsinha

The payment is worthy if you're not quite familiar with the cubecart system. Generally speaking, cubecart is secure and "out of the box" powerful shopping cart as their website already said.


I gave up on the VPS. IPower VPS Support was horrible and couldn't get the site working correctly. GD was installed but not working with PHP. They are expensive for VPS and not worth the hassle.

It was reporting 2 of the SQL Blind Injections before and now only 1... I think upgrading PHP to a newer version fixed that.

My plan is to try to fix this 1 bug and stay on the Shared Server. Otherwise I will go to another Linux VPS company like InMotion, Host Gator, myhosting, or GoDaddy.

I will let you guys know if I get a fix.


The payment is worthy if you're not quite familiar with the cubecart system. Generally speaking, cubecart is secure and "out of the box" powerful shopping cart as their website already said.

Yes. I think so too. Just need PHP and MySQL updated. They may have added protection at that level. The code might still be bad, but PHP and/or MySQL might have checks/fixes now for certain things.

I am not bashing CubeCart. I have had it since CubeCart 2. I am just looking for anyone's info that can help.


The payment is worthy if you're not quite familiar with the cubecart system. Generally speaking, cubecart is secure and "out of the box" powerful shopping cart as their website already said.

Yes. I think so too. Just need PHP and MySQL updated. They may have added protection at that level. The code might still be bad, but PHP and/or MySQL might have checks/fixes now for certain things.

I am not bashing CubeCart. I have had it since CubeCart 2. I am just looking for anyone's info that can help.

As discoworld mentioned a while back, your best bet is to not use Security Metrics for your PCI compliance! You don't say what payment gateway you are using and what level of PCI compliance you are trying to obtain, but unless the gateway is something unusual or you are looking to get a higher than normal compliance on a shared hosting server, the problem is not CubeCart, PHP or MySQL - it is Security Metrics themselves. We host a large number of CubeCart sites for ourselves and for clients across a range of shared hosting and dedicated servers, and nobody has ever had a problem getting PCI compliance.

Ian


The payment is worthy if you're not quite familiar with the cubecart system. Generally speaking, cubecart is secure and "out of the box" powerful shopping cart as their website already said.

Yes. I think so too. Just need PHP and MySQL updated. They may have added protection at that level. The code might still be bad, but PHP and/or MySQL might have checks/fixes now for certain things.

I am not bashing CubeCart. I have had it since CubeCart 2. I am just looking for anyone's info that can help.

As discoworld mentioned a while back, your best bet is to not use Security Metrics for your PCI compliance! You don't say what payment gateway you are using and what level of PCI compliance you are trying to obtain, but unless the gateway is something unusual or you are looking to get a higher than normal compliance on a shared hosting server, the problem is not CubeCart, PHP or MySQL - it is Security Metrics themselves. We host a large number of CubeCart sites for ourselves and for clients across a range of shared hosting and dedicated servers, and nobody has ever had a problem getting PCI compliance.

Ian

I am not using Security Metrics by choice.

I am not sure which company initiated the Security Metrics PCI Compliance test. It is my dad's accounts... I am just playing webmaster since I am a Senior Software Engineer in C/C++ Embedded Application Software.... not a web designer by day, but I know enough to do what I need to. I have to have it pass Security Metrics PCI Compliance through Security Metrics. It was either GeoTrust (supplied SSL Cert) or FirstData (CC Transaction Company) that initiated the test. It is just like when a website is "VeriSign Verified." I need it to pass in order to post the Verified Logo.

I ran a program Acunetix Web Vulnerability Scanner 7 and it came up with nothing, so it might be a false positive.

P.S. - I do not have SEO turned on... I wonder if the result might be different.


http://www.cccoinsatlanta.com/index.php?searchStr=&_a=viewCat&Submit=Go

http://www.cccoinsatlanta.com/index.php?searchStr=&_a=viewCat&Submit=Go%22%3Cspan

http://www.cccoinsatlanta.com/index.php?searchStr=+and+1%3D1&_a=viewCat&Submit=Go%22

http://www.cccoinsatlanta.com/index.php?searchStr=+and+1%3D0&_a=viewCat&Submit=Go%22

http://www.cccoinsatlanta.com/index.php?searchStr=+and+1%3D1&_a=viewCat&Submit=Go%22%3E

http://www.cccoinsatlanta.com/index.php?searchStr=+and+1%3D0&_a=viewCat&Submit=Go%22%3E

It is not sanitizing #4 and #6, which have "%3D0".


Just an FYI for anybody following this. The results they list are False Positives. Note that they said "Possible blind sql injection". The fact is that the values entered were completely sanitized and therefore harmless. You must remember that these are AUTOMATED tests. Once reviewed by humans, they should be marked as false positives and retested. There is ZERO reason to move to a dedicated server or even VPS based on something so blindingly trivial.

:w00t:


Guest discoworld

The thing is, William - when you talk to them, it's a case of they are right and the rest of the world are wrong. HSBC forced us to use Security Metrics, and in return we kindly are moving to Barclays for Merchant and Business Banking - so they just lost nearly £1000 a month because of Security Metrics and the fact that HSBC are generally foreign call centres who can't help.
