Since: Feb 18, 2008 Posts: 8
(Msg. 1) Posted: Mon Feb 18, 2008 12:31 am
Post subject: PCI Security and cross-site scripting issues (archived from alt.www.webmaster)

Hey, I have a question regarding your experiences and expertise with
PCI (Payment Card Industry; Visa, MC) security. I am writing this
because I have been, as of late, struggling to get a web site
certified recently that has become non-compliant after having no
problems at all during the first two years or so since our shopping
cart was set up and a PCI solution (SecurityMetrics.com) was
implemented. Several months ago our site started failing security
scans and the error message was threefold: Citrix, ClearTrust Server,
& ASP Portal are vulnerable to cross-site scripting. However, my web
host (hostmysite.com) said that they run none of those three server
apps on their shared servers and essentially placed blame on the
coding of the website. SecurityMetrics believes that those three server
apps are quite likely representations of the general problem, and that
the web site (on the server side) is vulnerable to cross-site
scripting, and what is needed is to "sanitize" potentially dangerous
characters ("<>&;," etc.) on the server. We use the latest version of
Comersus online shopping cart, 7.095, and have modified it accordingly
to filter out the vagabond characters, many of which were filtered out
by default, such as "<" and ">". Now, despite filtering out these
characters and following instructions supplied by both the security
compliance rep and the site host, I am still getting the same
cross-site scripting flags, which cause the security test to fail. What I
was wondering was if anyone out there had any advice who has toiled
with the same (or similar) issue, and where you thought the problem may
be residing, as well as the way to approach the problem and/or solve
it. The server is Microsoft IIS that has the latest version of
ASP .NET on it. I don't have explicit reason to believe that the host
is dishonest with me about the state of the web server, but I admit I
have wondered whether they have been absolutely straight with me when
I have point-blank asked them about the issue. Also, I know that these
security scanners quite often report theoretical or potential problems
on servers rather than actual ones; the scan lists the problems as
"warnings" rather than holes resident on the server. That is
discouraging since these couple of warnings are explicitly the reason
the scan is failing and the site is no longer compliant. So, on that
note, any help and advice is greatly appreciated. I thank you for your time.
-Mark

Since: Feb 18, 2008 Posts: 8
(Msg. 2) Posted: Mon Feb 18, 2008 3:39 am
Post subject: Re: PCI Security and cross-site scripting issues

On Feb 18, 3:00 am, nos....DeleteThis@nospam.sss (John Dalberg) wrote:
> MarkB <reelm....DeleteThis@gmail.com> wrote:
> > Hey, I have a question regarding your experiences and expertise with
> > PCI(Payment Card Industry; Visa,MC) security. I am writing this
> > because I have been, as of late, struggling to get a web site
> > certified recently that has become non-compliant after having no
> > problems at all during the first two years or so since our shopping
> > cart was set up and a PCI solution (SecurityMetrics.com) was
> > implemented. several months ago our site started failing security
> > scans and the error message was threefold: Citrix, ClearTrust Server,
> > & ASP Portal are vulnerable to cross-site scripting. However my web
> > host (hostmysite.com) said that they run none of those three server
> > apps on their shared servers and essentially placed blame on the
> > coding of the website. SecurityMetrics believes that those three server
> > apps are quite likely representations of the general problem, and that
> > the web site (on the server-side) is vulnerable to cross-site
> > scripting-and what is needed to do is "sanitize" potentially dangerous
> > characters "<>&;,etc." on the server. We use the latest version of
> > Comersus online shopping cart 7.095 and have modified it accordingly
> > to filter out the vagabond characters, many of which were filtered out
> > by default such as "<" and ">". Now, despite filtering out these
> > characters and following instructions supplied by both the security
> > compliance rep and the site host, I am still getting the same cross-
> > site scripting flags, which cause the security test to fail. What I
> > was wondering was if anyone had any advice out there who has toiled
> > with the same (or similar)issue and where you thought the problem may
> > be residing as well as the way to approach the problem and/or solve
> > it. The server is Microsoft IIS that has the latest version of
> > ASP .NET on it. I don't have explicit reason to believe that the host
> > is dishonest with me about the state of the web server, but I admit I
> > have wondered whether they have been absolutely straight with me when
> > I have point blank asked them about the issue. Also, I know that these
> > security scanners quite often report theoretical or potential problems
> > on servers rather than actual ones-the scan lists the problems as
> > "warnings" rather than holes resident on the server. That is
> > discouraging since these couple of warnings are explicitly the reason
> > the scan is failing
> > and the site is no longer compliant. So, on that note, any help and
> > advice is greatly
> > appreciated. I thank you for your time.
> > -Mark
>
> Tell the security company running the scanners to provide real proof like
> which page has the security hole and to provide an example. Just telling
> you your site suffers from cross site scripting issues with no proof is
> weak. You can also go back to Comersus and relay to them what you heard and
> see what they say. Maybe you're running an old version. I know Comersus has
> been doing carts for many years so I am sure they have received security
> reports which they should have addressed.
>
> Also getting reports about apps which you do not use or run makes me wonder
> about the security company's competency. Can you use another company?
>
> John Dalberg
Hi John, thanks for getting back with me. I appreciate it. The real
quandary is knowing who between the security company or my web host
isn't being totally honest with me. After I complained to the security
company (www.securitymetrics.com) twice via email, they finally
replied to my complaint and told me that the site was generally
cross-site scripting vulnerable. They gave me a couple of links which
pointed to directories on my website as follows:
http://www.<mydomain>.com/citrix/nfuse/default/login.asp?NFuse_LogoutId=&NFuse_MessageType=Error&NFuse_Message=<SCRIPT>alert('Ritchie')</SCRIPT>&ClientDetection=ON
<http://www.<mydomain>.com/citrix/nfuse/default/login.asp?NFuse_LogoutId=&NFuse_MessageType=Error&NFuse_Message=%3CSCRIPT%3Ealert%28%27Ritchie%27%29%3C/SCRIPT%3E&ClientDetection=ON>
and they also say: "the script that is entered is returned back in the
headers of the page, specifically the Content-Location field, to correct
the issue you would need to sanitize the Content-Location so that
information is not returned in clear text as it is entered."
(What they say is Greek to me)
They also say that those two links 'appear' to be causing the
vulnerability flags. When I go to the links above, my site shows up
without any images, and that doesn't really tell me or help me much.
As you will notice in the links, there is apparently a citrix folder
on the server, apparently apart from my comersus shopping cart folder.
So, that makes me wonder, is my host not being straight up with me or
is the error caused by some flaw in securitymetrics scan engine. I
don't know. I would change security services, if that is the problem.
The question I run into is, is hostmysite to blame or securitymetrics,
because the shopping cart is successful and we certainly want to keep
it. We will change what is necessary to become security compliant.
I run Comersus v. 7.095, which is just a hair off from being their
latest version (7.097) which was released at the end of January. Both
versions filter characters such as "<>". I have tested that out. The
Comersus people are helping me with modifying the script further to
filter out additional wildcard characters such as the comma,
semicolon, etc and I will be able to do that when they get back with
me today and then I will do yet another security scan and see what
happens. Funny, but I still have the impression that the test will
fail again.
If you can think of anything additional that would help out, thanks in
advance.
-Mark
PS. I will be away from my computer until this evening and I will
check and respond to any and all feedback. Thanks!

Since: Jan 01, 2004 Posts: 187
(Msg. 3) Posted: Mon Feb 18, 2008 4:42 am
Post subject: Re: PCI Security and cross-site scripting issues

On 18 Feb, 08:31, MarkB <reelm....RemoveThis@gmail.com> wrote:
> Hey, I have a question regarding your experiences and expertise with
> PCI(Payment Card Industry; Visa,MC) security. I am writing this
> because I have been, as of late, struggling to get a web site
> certified recently
There is no real "PCI certification" or official compliance checking.
If only there was! We'd have a few less problems from some of the
gross errors that are indeed out there.
Also the CISP standards talk very little about "web apps" as such and
are focussed far more on back-end DB issues. This is understandable
given their legacy and their core competencies, but it doesn't mean
the web server aspect can be ignored. Where they do state
requirements, it's in broad terms such as "Card numbers must be
encrypted", "Card numbers shouldn't be stored at all, unless needed
for repeat billing", "Repeat billing setup should be clearly flagged
to the customer" and "Don't even think about storing the CVV2". They
don't even specify algorithms or standards for encryption, or indicate
the benefits of PK for this rather than a symmetric key algorithm.
> our site started failing security
> scans and the error message was threefold: Citrix, ClearTrust Server,
> & ASP Portal are vulnerable to cross-site scripting.
You're going to have to ask the scanner what they're looking for and
what they've found. The implementation details of a scan just aren't
specified in this level of detail by the PCI people.
You may actually have a problem. You might even be in a state where
you really ought to be working rapidly to fix it and downing the site
in the meantime - that bad! I rather doubt though if you have a
problem that even flickers onto PCI's radar - just very few of them
do.
> many of which were filtered out by default such as "<" and ">".
I've never seen a site that filtered these characters _out_ and yet
_wasn't_ open to injection attacks. Don't filter the bad stuff out,
filter the good stuff in! Otherwise you're just forever playing catch-
up character by character through the Unicode set.
Without knowing just what is running on there, I couldn't comment in
any detail. However if you even have a Citrix directory accessible to
a web server, I'd be worried. If you have one that you didn't know
about, I'd regard the site as insecure simply because you no longer
know just what is running on your site.

Since: Nov 16, 2007 Posts: 32
(Msg. 4) Posted: Mon Feb 18, 2008 5:56 am
Post subject: Re: PCI Security and cross-site scripting issues

Since: Aug 20, 2006 Posts: 18
(Msg. 5) Posted: Mon Feb 18, 2008 7:04 am
Post subject: Re: PCI Security and cross-site scripting issues

MarkB <reelmark RemoveThis @gmail.com> wrote:
> Hey, I have a question regarding your experiences and expertise with
> PCI(Payment Card Industry; Visa,MC) security. I am writing this
> because I have been, as of late, struggling to get a web site
> certified recently that has become non-compliant after having no
> problems at all during the first two years or so since our shopping
> cart was set up and a PCI solution (SecurityMetrics.com) was
> implemented. several months ago our site started failing security
> scans and the error message was threefold: Citrix, ClearTrust Server,
> & ASP Portal are vulnerable to cross-site scripting. However my web
> host (hostmysite.com) said that they run none of those three server
> apps on their shared servers and essentially placed blame on the
> coding of the website. SecurityMetrics believes that those three server
> apps are quite likely representations of the general problem, and that
> the web site (on the server-side) is vulnerable to cross-site
> scripting-and what is needed to do is "sanitize" potentially dangerous
> characters "<>&;,etc." on the server. We use the latest version of
> Comersus online shopping cart 7.095 and have modified it accordingly
> to filter out the vagabond characters, many of which were filtered out
> by default such as "<" and ">". Now, despite filtering out these
> characters and following instructions supplied by both the security
> compliance rep and the site host, I am still getting the same cross-
> site scripting flags, which cause the security test to fail. What I
> was wondering was if anyone had any advice out there who has toiled
> with the same (or similar)issue and where you thought the problem may
> be residing as well as the way to approach the problem and/or solve
> it. The server is Microsoft IIS that has the latest version of
> ASP .NET on it. I don't have explicit reason to believe that the host
> is dishonest with me about the state of the web server, but I admit I
> have wondered whether they have been absolutely straight with me when
> I have point blank asked them about the issue. Also, I know that these
> security scanners quite often report theoretical or potential problems
> on servers rather than actual ones-the scan lists the problems as
> "warnings" rather than holes resident on the server. That is
> discouraging since these couple of warnings are explicitly the reason
> the scan is failing
> and the site is no longer compliant. So, on that note, any help and
> advice is greatly
> appreciated. I thank you for your time.
> -Mark
Tell the security company running the scanners to provide real proof like
which page has the security hole and to provide an example. Just telling
you your site suffers from cross site scripting issues with no proof is
weak. You can also go back to Comersus and relay to them what you heard and
see what they say. Maybe you're running an old version. I know Comersus has
been doing carts for many years so I am sure they have received security
reports which they should have addressed.
Also getting reports about apps which you do not use or run makes me wonder
about the security company's competency. Can you use another company?
John Dalberg

Since: Feb 18, 2008 Posts: 8
(Msg. 6) Posted: Tue Feb 19, 2008 1:23 am
Post subject: Re: PCI Security and cross-site scripting issues

On Feb 18, 7:56 am, mynameisnobodyodys... DeleteThis @googlemail.com wrote:
> On Feb 18, 11:39 am, MarkB wrote:
>
> > After I complained to the security
> > company (www.securitymetrics.com) twice via email, they finally
> > replied to my complaint and told me that the site was generally cross-
> > site scripting vulnerable. They gave me a couple of links which
> > pointed to directories on my website
>
> Maybe have a look at http://msdn2.microsoft.com/en-us/library/bb355989.aspx
> and at http://msdn2.microsoft.com/en-us/library/ms998274.aspx
Thanks for the article recommendations. I have read the script
injection article in whole and it is very detailed. One of the
problems in dealing with my web host is in achieving the level of
control over the security of the website, as some IIS features are
tweakable in the control panel such as custom errors and the file
permissions. On the other hand I don't have access to other important
ones such as the web.config and the machine.config files which are
necessary in working with request validation on the server side. My
host's (hostmysite.com) official stance (when approached with the
problem) is that the error lies with my code and not their 'setup',
which is vague and not very helpful. What I am doing about it right
now is, specifically, what I can do and that is modifying the online
carts "RegEx" script to constrain input by users. I am also looking
into other ways to further secure the site. Those articles certainly
help there; thanks for that. We will see...

Since: Feb 18, 2008 Posts: 8
(Msg. 7) Posted: Tue Feb 19, 2008 1:42 am
Post subject: Re: PCI Security and cross-site scripting issues

On Feb 18, 6:42 am, Andy Dingley <ding....DeleteThis@codesmiths.com> wrote:
> On 18 Feb, 08:31, MarkB <reelm....DeleteThis@gmail.com> wrote:
>
> > Hey, I have a question regarding your experiences and expertise with
> > PCI(Payment Card Industry; Visa,MC) security. I am writing this
> > because I have been, as of late, struggling to get a web site
> > certified recently
>
> There is no real "PCI certification" or official compliance checking.
> If only there was! We'd have a few less problems from some of the
> gross errors that are indeed out there.
>
Very good point, Andy. There seem to be a lot of companies that
provide 'PCI' compliance, but there doesn't seem to be any centralized
authority or standard for what constitutes PCI compliance when
compared to the ISO and computer hardware such as CD-ROM and DVD-ROM
devices, and even that was in debate for many years.
> Also the CISP standards talk very little about "web apps" as such and
> are focussed far more on back-end DB issues. This is understandable
> given their legacy and their core competencies, but it doesn't mean
> the web server aspect can be ignored. Where they do state
> requirements, it's in broad terms such as "Card numbers must be
> encrypted", "Card numbers shouldn't be stored at all, unless needed
> for repeat billing", "Repeat billing setup should be clearly flagged
> to the customer" and "Don't even think about storing the CVV2". They
> don't even specify algorithms or standards for encryption, or indicate
> the benefits of PK for this rather than a symmetric key algorithm.
>
I could certainly live with this as we do not store CC#'s, CVV2's,
everything is encrypted in the back end of the cart. We don't even
process credit cards online.
> > our site started failing security
> > scans and the error message was threefold: Citrix, ClearTrust Server,
> > & ASP Portal are vulnerable to cross-site scripting.
>
> You're going to have to ask the scanner what they're looking for and
> what they've found. The implementation details of a scan just aren't
> specified in this level of detail by the PCI people.
>
> You may actually have a problem. You might even be in a state where
> you really ought to be working rapidly to fix it and downing the site
> in the meantime - that bad! I rather doubt though if you have a
> problem that even flickers onto PCI's radar - just very few of them
> do.
>
> > many of which were filtered out by default such as "<" and ">".
>
> I've never seen a site that filtered these characters _out_ and yet
> _wasn't_ open to injection attacks. Don't filter the bad stuff out,
> filter the good stuff in! Otherwise you're just forever playing catch-
> up character by character through the Unicode set.
>
> Without knowing just what is running on there, I couldn't comment in
> any detail. However if you even have a Citrix directory accessible to
> a web server, I'd be worried. If you have one that you didn't know
> about, I'd regard the site as insecure simply because you no longer
> know just what is running on your site.
My web host ensures that I don't have Citrix on my server although the
link that the security company provided showed one, however they
admitted that this may be a representation rather than a reality. So,
who to believe, what to do next (outside of sanitize and filtering in
of the cart script that I do have access to), and not the web.config &
machine.config that I don't have access to, I am not sure at this
moment. We will see...
Thanks for you help though. I do appreciate it.
-Mark

Since: Nov 16, 2007 Posts: 32
(Msg. 8) Posted: Tue Feb 19, 2008 2:52 am
Post subject: Re: PCI Security and cross-site scripting issues

On Feb 19, 9:42 am, MarkB wrote:
> My web host ensures that I don't have Citrix on my server although the
> link that the security company provided showed one, however they
> admitted that this may be a representation rather than a reality.
> -Mark
Did you look at the header of the HTTP response for those links?
What is the HTTP response status?

Since: Jan 01, 2004 Posts: 187
(Msg. 9) Posted: Tue Feb 19, 2008 8:03 am
Post subject: Re: PCI Security and cross-site scripting issues

On 19 Feb, 09:42, MarkB <reelm....RemoveThis@gmail.com> wrote:
> I could certainly live with this as we do not store CC#'s, CVV2's,
> everything is encrypted in the back end of the cart. We don't even
> process credit cards online.
If you don't process cards online, then you're presumably storing them
somewhere until they do get processed. I hope that "somewhere" is
secure. Making it a physically separate machine isn't unreasonable.
This temporary cache of as-yet unprocessed CC details is a _hot_
target for CC thieves. Particularly so if there are CVV2s in there
too.
> My web host ensures that I don't have Citrix on my server
How do you know that they're competent to state that?
You do appear to have a "Citrix" directory. It arrived by some means,
most likely by having some piece of Citrix installed at some past
time. It's in the nature of undead Windows zombieware that it refuses
to die! Even if you "uninstall" many parts of Windows software it
doesn't remove the entire backend. They aren't running, but they're
still present. It's possible to activate some of these afterwards,
even though Windows Control Panel or similar click-and-drool tools
will claim it's no longer installed. In particular, some COM
components live around afterwards un-noticed, yet a hacker who knows
their CLSID can quite easily re-activate them.
> link that the security company provided showed one, however they
> admitted that this may be a representation rather than a reality.
I find this rather hard to credit. WTF are they actually telling you,
and how much of it's to be believed? Are you paying these guys?

Since: Feb 18, 2008 Posts: 8
(Msg. 10) Posted: Wed Feb 20, 2008 2:12 am
Post subject: Re: PCI Security and cross-site scripting issues

On Feb 19, 4:52 am, mynameisnobodyodys... RemoveThis @googlemail.com wrote:
> On Feb 19, 9:42 am, MarkB wrote:
>
> > My web host ensures that I don't have Citrix on my server although the
> > link that the security company provided showed one, however they
> > admitted that this may be a representation rather than a reality.
> > -Mark
>
> Did you look at the header of the HTTP response for those links?
> What is the HTTP response status?
Here they are. I have replaced my actual domain name with <mydomain>
below for both of the links.

HTTP/1.1 200 OK
Content-Length: 27760
Content-Type: text/html
Content-Location: http://<mydomain>/Index.html?404;http://<mydomain>:80/citrix/nfuse/default/login.asp?NFuse_LogoutId=&NFuse_MessageType=Error&NFuse_Message=<SCRIPT>alert(Ritchie)</SCRIPT>&ClientDetection=ON
Last-Modified: Sun, 27 Jan 2008 09:29:54 GMT
Accept-Ranges: bytes
ETag: "bf8bb82cc760c81:43d"
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Date: Wed, 20 Feb 2008 10:01:47 GMT
Connection: close

HTTP/1.1 200 OK
Content-Length: 27760
Content-Type: text/html
Content-Location: http://<mydomain>:80/Index.html?404;http:<mydomain>:80/citrix/nfuse/default/login.asp?NFuse_LogoutId=&NFuse_MessageType=Error&NFuse_Message=%3CSCRIPT%3Ealert%28%27Ritchie%27%29%3C/SCRIPT%3E&ClientDetection=ON
Last-Modified: Sun, 27 Jan 2008 09:29:54 GMT
Accept-Ranges: bytes
ETag: "bf8bb82cc760c81:43d"
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Date: Wed, 20 Feb 2008 10:08:08 GMT
Connection: close

Since: Feb 18, 2008 Posts: 8
(Msg. 11) Posted: Wed Feb 20, 2008 2:36 am
Post subject: Re: PCI Security and cross-site scripting issues

On Feb 19, 10:03 am, Andy Dingley <ding....RemoveThis@codesmiths.com> wrote:
> On 19 Feb, 09:42, MarkB <reelm....RemoveThis@gmail.com> wrote:
>
> > I could certainly live with this as we do not store CC#'s, CVV2's,
> > everything is encrypted in the back end of the cart. We don't even
> > process credit cards online.
>
> If you don't process cards online, then you're presumably storing them
> somewhere until they do get processed. I hope that "somewhere" is
> secure. Making it a physically separate machine isn't unreasonable.
>
Normally, an email alert is sent that there is an order in the back
end. The order data is retrieved & the order is deleted from the
server. Right now, we are not accepting CC orders.
> This temporary cache of as-yet unprocessed CC details is a _hot_
> target for CC thieves. Particularly so if there are CVV2s in there
> too.
>
> > My web host ensures that I don't have Citrix on my server
>
> How do you know that they're competent to state that?
>
That is definitely a problem. I don't know if they are being totally
honest with me. They may be in denial that they have traces of citrix
on their server -or- the SecurityMetrics scanner may have made an
error. Hostmysite may not realize they have traces of citrix on their
server. The problem is in discovering where the issue resides. Both
delegate blame to the coding (of my website) that accepts user input
(my shopping cart only), but I have tweaked it to the max regarding
XSS issues. I really doubt that is the problem, although I have ruled
nothing out.
> You do appear to have a "Citrix" directory. It arrived by some means,
> most likely by having some piece of Citrix installed at some past
> time. It's in the nature of undead Windows zombieware that it refuses
> to die! Even if you "uninstall" many parts of Windows software it
> doesn't remove the entire backend. They aren't running, but they're
> still present. It's possible to activate some of these afterwards,
> even though Windows Control Panel or similar click-and-drool tools
> will claim it's no longer installed. In particular, some COM
> components live around afterwards un-noticed, yet a hacker who knows
> their CLSID can quite easily re-activate them.
>
> > link that the security company provided showed one, however they
> > admitted that this may be a representation rather than a reality.
>
> I find this rather hard to credit. WTF are they actually telling you,
> and how much of it's to be believed? Are you paying these guys?
Unfortunately, we are, but there is about to be a shake-up with both
parties involved if they maintain their stance after all else is
factored out. I hope to know more very shortly...
Thanks!

Since: Nov 16, 2007 Posts: 32
(Msg. 12) Posted: Wed Feb 20, 2008 4:00 am
Post subject: Re: PCI Security and cross-site scripting issues

On Feb 20, 10:12 am, MarkB wrote:
> Here they are. I have replaced my actual domain name with <mydomain>
> below for both of the links.
The HTTP status response for the links is 200 (OK); you need HTTP
status response 404 (Not Found) if those URLs do not exist on your site.

Can you check if you get similar headers for the HTTP response for URLs
from your site that do not exist, like yourdomain.com/zwyxtest.html?
If you have a similar header response for a URL like that, with
Content-Location
http://<yourdomain>:80/Index.html?404;http:<mydomain>:80/zwyxtest.html
it means that your site does not respond with HTTP status response
404 (Not Found) to inexistent URLs.

If this is so, then you have to change the setup for your site in order
to return HTTP status response 404 (Not Found) for non-existent URLs.
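The check described in this reply, as an added example that is not part of the original thread: a small Python parser that takes a raw HTTP response and the path that was requested, reports the status, flags an IIS-style soft 404 (a 200 whose Content-Location carries the `Index.html?404;` custom-error marker seen in the headers Mark posted), and names the header that echoes the requested path back unencoded. The two sample responses are constructed, with example.com in place of the poster's domain and a harmless marker in place of the scanner's probe string.

```python
"""Soft-404 and header-reflection check for raw HTTP responses.

Added example for this thread (not code from the thread or from any of
the products named in it). It reads a response the way a scanner would,
so a site owner can tell a real 404 from a custom error page served with
200, and can see whether the request is echoed back in a header.
"""
from typing import Dict, NamedTuple, Tuple
from urllib.parse import unquote

# IIS custom-error redirects append the original URL after this marker
# (visible in the Content-Location values posted in the thread).
IIS_ERROR_MARKER = "?404;"


class Verdict(NamedTuple):
    status: int
    soft_404: bool          # a 200 that is really a "not found" page
    reflected_header: str   # header whose value echoes the request, or ""


def parse_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.x response into (status, lowercased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])          # "HTTP/1.1 200 OK" -> 200
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def check_response(raw: str, requested: str) -> Verdict:
    """Classify one response to `requested` (path plus query, as sent)."""
    status, headers, _ = parse_response(raw)
    location = headers.get("content-location", "")
    # A 200 whose Content-Location points at the error page with the
    # original URL appended is IIS saying "not found" with the wrong code.
    soft_404 = status == 200 and IIS_ERROR_MARKER in location
    reflected = ""
    for name, value in headers.items():
        # Compare after percent-decoding so %3C and < are treated alike.
        if requested in unquote(value):
            reflected = name
            break
    return Verdict(status, soft_404, reflected)


def should_fail_scan(raw: str, requested: str) -> bool:
    """True when a scanner would reasonably flag this response: the
    request is echoed in a header of a page that should not exist."""
    v = check_response(raw, requested)
    return v.soft_404 and bool(v.reflected_header)


# --- constructed samples (domain replaced with example.com) ---------------
# Path probed; NFuse_Message carries a harmless marker, not a payload.
PROBE = ("/citrix/nfuse/default/login.asp?NFuse_LogoutId="
         "&NFuse_MessageType=Error&NFuse_Message=marker1234&ClientDetection=ON")

# Shape of the response posted in the thread: 200 plus the error page.
SOFT_404_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Length: 27760\r\n"
    "Content-Type: text/html\r\n"
    "Content-Location: http://example.com/Index.html?404;"
    "http://example.com:80" + PROBE + "\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "\r\n"
    "<html><body>Page not found</body></html>"
)

# What the server returns once default error handling is restored.
PROPER_404_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Content-Type: text/html\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "\r\n"
    "<html><body>Page not found</body></html>"
)

if __name__ == "__main__":
    for label, raw in (("before", SOFT_404_RESPONSE), ("after", PROPER_404_RESPONSE)):
        print(label, check_response(raw, PROBE), should_fail_scan(raw, PROBE))
```

To use it against a live site, capture the raw response for a path you know does not exist (the zwyxtest.html idea above) and feed it to check_response together with that path.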

Since: Feb 18, 2008 Posts: 8
(Msg. 13) Posted: Thu Feb 21, 2008 2:01 am
Post subject: Re: PCI Security and cross-site scripting issues

On Feb 20, 6:00 am, mynameisnobodyodys....RemoveThis@googlemail.com wrote:
> On Feb 20, 10:12 am, MarkB wrote:
>
> > Here they are. I have replaced my actual domain name with <mydomain>
> > below for both of the links.
>
> The HTTP status response for the links is 200 (OK),
> you need HTTP status response 404 (Not Found)
> if those URLs do not exist on your site.
> Can you check if you get similar headers for HTTP response
> for URLs from your site that do not exist
> like yourdomain.com/zwyxtest.html
> If you have similar header response for a URL like that,
> with Content-Location
> http://<yourdomain>:80/Index.html?404;http:<mydomain>:80/zwyxtest.html
> it means that your site does not respond with
> HTTP status response 404 (Not Found) to inexistent URLs.
>
> If this is so, then you have to change the setup
> for your site in order to return
> HTTP status response 404 (Not Found)
> for non-existent URLs.
Eureka! That's it! Error handling was the problem. The security scan
was getting the 200 response for the Citrix folder, causing it to think
that it exists. The IIS error handling profile was redacted to
default; now they return 404s for those folders and the site has
passed a preliminary scan w/o any warnings. The regular scan is running
now and I expect it to pass. So, my web host didn't have the XSS
vulnerabilities as feared. I admit I am not a web server or security
guru; however, if my host had troubleshot w/ me for just a short while,
it could have been solved w/o blaming my web site and sending me on a
wild goose chase trying to 'sanitize' my code. Thank you so much for
your help! Problem solved!
-MarkB
External

Since: Feb 18, 2008 Posts: 8
(Msg. 14) Posted: Thu Feb 21, 2008 3:05 am
Post subject: Re: PCI Security and cross-site scripting issues
Archived from groups: per prev. post
On Feb 20, 6:00 am, mynameisnobodyodys....RemoveThis@googlemail.com wrote:
> On Feb 20, 10:12 am, MarkB wrote:
>
> > Here they are. I have replaced my actual domain name with <mydomain>
> > below for both of the links.
>
> The HTTP status response for the links is 200 (OK),
> you need HTTP status response 404 (Not Found)
> if those URLs do not exist on your site.
> Can you check if you get similar headers for HTTP response
> for URLs from your site that do not exist
> like yourdomain.com/zwyxtest.html
> If you have similar header response for a URL like that,
> with Content-Location
> http://<yourdomain>:80/Index.html?404;http:<mydomain>:80/zwyxtest.html
> it means that your site does not respond with
> HTTP status response 404 (Not Found) to inexistent URLs.
>
> If this is so, then you have to change the setup
> for your site in order to return
> HTTP status response 404 (Not Found)
> for non-existent URLs.
When I expected the SecurityMetrics test to pass, I expected too
much...
The Citrix errors are fixed now, but it is now failing because it is
reporting that IIS "SEEMS" to be running at Service Pack 1 on the server,
but the test "cannot be sure". It penalizes me by failing the test,
but lists the "Risk Factor" as "none" & that "the test cannot be
totally reliable". Unbelievable... The test determines the patch level
by analyzing the (you guessed it) "404 error message". Here is what it
is telling me:
"The remote web server is running Microsoft IIS. Description: The
patch level (Service Pack) of the remote IIS server appears to be
lower than the current IIS service pack level. As each service pack
typically contains many security patches, the server may be at risk.
Note that this test makes assumptions of the remote patch level based
on static return values (Content-Length) within an IIS server's 404
error message. As such, the test cannot be totally reliable and
should be manually confirmed. Note also that, to determine IIS6 patch
levels, a simple test is done based on strict RFC 2616 compliance. It
appears as if IIS6-SP1 will accept CR as an end-of-line marker instead
of both CR and LF. Solution: Ensure that the server is running the
latest stable Service Pack. Risk Factor: None. Plugin output: The
remote IIS server *seems* to be Microsoft IIS 6.0 - SP1"
Hmmm......
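The scan output quoted above describes two heuristics: the Content-Length of the server's 404 message, and whether the server accepts a bare CR as a line terminator (which the scanner treats as its IIS 6.0 SP1 indicator). The following is an added example, not the scanner's code and not anything posted in the thread, that reproduces both so the finding can be confirmed by hand as the report itself asks. It has no copy of the scanner's Content-Length table, so it only reports the length for comparison; the responses at the bottom are constructed, the default path /zwyxtest.html is borrowed from the earlier reply, and any hostname you pass is your own.

```python
"""Reproduce the scanner's IIS patch-level heuristics by hand.

Added example, not from the thread or from SecurityMetrics. It sends the same
HEAD request for a nonexistent path twice, once with RFC 2616 CRLF line endings
and once with bare CR, then reports the 404 Content-Length (the scanner's
fingerprint value) and whether the server tolerated bare CR (the scanner's
IIS 6.0 SP1 rule). Sample responses below are constructed, not captured.
"""
from __future__ import annotations

import re
import socket
from typing import Optional

CRLF = b"\r\n"
CR = b"\r"
_STATUS = re.compile(rb"^HTTP/\d\.\d (\d{3})")


def build_request(host: str, path: str, eol: bytes) -> bytes:
    """HTTP/1.0 HEAD request using `eol` as the line terminator.
    RFC 2616 mandates CRLF; a strict parser should reject bare CR."""
    return b"HEAD %s HTTP/1.0%sHost: %s%s%s" % (path.encode(), eol, host.encode(), eol, eol)


def status_of(raw: bytes) -> Optional[int]:
    """Status code of a raw response, or None if it is not an HTTP response at all."""
    m = _STATUS.match(raw)
    return int(m.group(1)) if m else None


def content_length_of(raw: bytes) -> Optional[int]:
    m = re.search(rb"(?im)^Content-Length:\s*(\d+)\s*$", raw)
    return int(m.group(1)) if m else None


def interpret(crlf_resp: bytes, cr_resp: bytes) -> dict:
    """Apply the scanner's two rules to the CRLF response and the bare-CR response.

    A strict server answers the bare-CR request with 400 or simply closes the
    connection (empty response); a lenient one parses it and answers normally.
    """
    verdict = {
        "status_404": status_of(crlf_resp),
        "len_404": content_length_of(crlf_resp),   # compare against the scanner's table by hand
        "accepts_bare_cr": status_of(cr_resp) not in (None, 400),
    }
    # The scanner's stated rule: accepting bare CR "appears" to mean IIS 6.0 SP1.
    verdict["scanner_would_say_iis6_sp1"] = verdict["accepts_bare_cr"]
    return verdict


def send_raw(host: str, port: int, payload: bytes, timeout: float = 10.0) -> bytes:
    """Send bytes and collect whatever comes back (empty if the server just closes)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        chunks = []
        try:
            while chunk := s.recv(4096):
                chunks.append(chunk)
        except socket.timeout:
            pass
        return b"".join(chunks)


def probe(host: str, port: int = 80, path: str = "/zwyxtest.html") -> dict:
    """Live version; run only against a host you are authorised to test."""
    crlf_resp = send_raw(host, port, build_request(host, path, CRLF))
    cr_resp = send_raw(host, port, build_request(host, path, CR))
    return interpret(crlf_resp, cr_resp)


# Constructed responses for the offline demo (hostless, no real capture).
LENIENT_404 = b"HTTP/1.1 404 Not Found\r\nServer: Microsoft-IIS/6.0\r\nContent-Length: 1635\r\n\r\n"
STRICT_REJECT = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print(interpret(LENIENT_404, LENIENT_404))    # server that accepted bare CR
    print(interpret(LENIENT_404, STRICT_REJECT))  # server that rejected bare CR
    print(interpret(LENIENT_404, b""))            # server that closed the connection
```

Both rules are indirect, which is exactly why the report says "cannot be totally reliable": a custom 404 page changes the Content-Length without changing the patch level, and any front-end proxy or load balancer between you and IIS answers the bare-CR request with its own parser's behaviour. Whatever this script prints, the authoritative answer is the service pack level read on the server itself, and that is what should be handed to the scan vendor when disputing the finding.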
External

Since: Oct 17, 2006 Posts: 65
(Msg. 15) Posted: Thu Feb 21, 2008 7:35 am
Post subject: Re: PCI Security and cross-site scripting issues
Archived from groups: per prev. post