Various PCI Compliance Resolutions

There are several great rants out there and I will not attempt to top them, but in short, PCI Compliance is a scam by the credit card companies to boost the image/price of their “Secure Seal” that you put on your site stating that the transaction you are about to make is secure. That is laughable when the payment processing companies THEMSELVES are being hacked EASILY because THEY DON’T USE ENCRYPTION! Man, this angers me. Just read it for yourself: http://redtape.msnbc.com/2009/01/credit-card-hac.html

Anyway, I have listed the PCI Compliance issues I’ve seen and have simple solutions for them. Some of them you can just talk your way out of by submitting a false positive with an answer they can’t really deny or confirm. Examples are given below:

#1  Security warning found on port/service “http (80/tcp)”

    Plugin “http TRACE XSS attack”
    Category “CGI abuses : XSS”
    Priority Ranking “Medium Priority”
    Synopsis : Debugging functions are enabled on the remote web server.
    Description : The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. In addition, it has been shown that servers supporting the TRACE method are subject to cross-site scripting attacks, dubbed XST for “Cross-Site Tracing”, when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users to give him their credentials.

A: Place this code in the .htaccess file (it is a file, not a folder) of each directory you want covered; mod_rewrite must be loaded and AllowOverride must permit FileInfo there. A .htaccess rule only applies to requests under that directory, so a scan that probes a path outside it reports the method again: the Compliance test will tell you it’s resolved, then the next time you run it, it’ll tell you it’s back. If you control httpd.conf, the server-wide fix is TraceEnable off (Apache 1.3.34, 2.0.55 and later), which makes Apache answer TRACE with a 405. TRACK is an IIS method; Apache does not implement it, so only the TRACE half of this finding applies to Apache.
# Refuse TRACE and TRACK with 403 Forbidden (needs mod_rewrite and AllowOverride FileInfo)
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
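To confirm the fix from the outside, here is a checker, added as an example and not part of the original post, that does what the scanner plugin does: it sends a TRACE request carrying a random marker header and treats the method as enabled only if a 200 response echoes that marker back in the body. Because a .htaccess rule covers only its own directory, it probes several paths. The host name and paths are placeholders, and the canned response used for the dry run is constructed, not captured from a real server.

```python
"""Verify the TRACE (XST) fix the way a scanner does.

Added example, not from the original post. A server that honours TRACE answers
200 and echoes the request, headers included, in the body. One that refuses it
answers 405 (TraceEnable off) or 403 (the rewrite rule). Host names and paths
below are placeholders.
"""
import http.client
import secrets
import sys

MARKER_HEADER = "X-Trace-Probe"


def trace_enabled(status, body, marker):
    """True only if the response is a 200 that echoes our marker header.

    A 200 without the echo (an application that routes TRACE like GET) is not
    cross-site tracing, and any non-200 status means the method was refused.
    """
    if status != 200:
        return False
    return f"{MARKER_HEADER}: {marker}".lower() in body.lower()


def probe_trace(host, path="/", port=80, use_tls=False, timeout=5.0):
    """Send one TRACE request to host:port/path; return (status, enabled)."""
    marker = secrets.token_hex(8)  # fresh per request so a cached page cannot fool us
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={MARKER_HEADER: marker})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1")
    finally:
        conn.close()
    return resp.status, trace_enabled(resp.status, body, marker)


def probe_paths(host, paths, **kwargs):
    """Probe several paths; a per-directory .htaccess fix shows up as a mixed result."""
    return {path: probe_trace(host, path, **kwargs) for path in paths}


# Constructed response body (not captured from a real server) for a dry run:
# this is what an Apache that still honours TRACE sends back.
ECHOED_BODY = (
    "TRACE /cart/ HTTP/1.1\r\nHost: shop.example.test\r\n"
    "X-Trace-Probe: 0123456789abcdef\r\n\r\n"
)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = probe_paths(sys.argv[1], ["/", "/cart/", "/images/"])
        for path, (status, enabled) in results.items():
            print(f"{path:10} HTTP {status}  TRACE {'ENABLED' if enabled else 'refused'}")
    else:
        print("dry run, echoed body:", trace_enabled(200, ECHOED_BODY, "0123456789abcdef"))
        print("dry run, 405:", trace_enabled(405, "", "0123456789abcdef"))
```

Run it as `python3 trace_check.py shop.example.test` against your own host; if “/” is refused but “/images/” is still ENABLED, the rule is in a .htaccess that does not cover the whole site, which is exactly the regression the scanner keeps reporting.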

#2 Security warning found on port/service “https (443/tcp)”

    Plugin “Weak Supported SSL Ciphers Suites”
    Category “General remote services (General)”
    Priority Ranking “Medium Priority”
    Synopsis : The remote service supports the use of weak SSL ciphers.
    Description : The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.

A: Unfortunately, on shared hosting this one needs to be solved by your host: the cipher list is set in the server’s SSL configuration (SSLCipherSuite and SSLProtocol in Apache’s mod_ssl, at the virtual host level), not in anything you can upload. If you run the server yourself, restrict the list to authenticated suites of at least 128 bits, drop NULL, export, RC4, DES and MD5 suites, and disable SSLv2 and SSLv3.
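Before asking for a rescan it helps to see what a candidate SSLCipherSuite value actually expands to, since the scanner tests negotiated suites rather than the string. The script below is an added example, not from the original post: it feeds a cipher string to the OpenSSL linked into Python and flags every suite a scanner would call weak. The two cipher strings are constructed examples of a permissive value and a hardened replacement.

```python
"""Expand an OpenSSL cipher string and flag the suites a PCI scanner calls weak.

Added example, not part of the original post. Python's ssl module wraps the
OpenSSL linked into the interpreter, so the list reflects what that library
can negotiate; run it with the same OpenSSL build as the web server to preview
an SSLCipherSuite value. The two cipher strings are constructed examples.
"""
import re
import ssl

# Constructed: a permissive value of the kind that triggers the finding, and a
# hardened replacement (authenticated, >= 128-bit, no RC4/DES/3DES/MD5/NULL).
PERMISSIVE = "ALL:!aNULL"
HARDENED = "ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES:!aNULL:!eNULL:!MD5:!RC4:!3DES:!DES"

# Name fragments that mark a suite as weak regardless of its nominal key size
# (null/export/RC4/RC2/DES/3DES, MD5 MACs, anonymous key exchange).
WEAK_NAME = re.compile(r"(NULL|EXP|RC4|RC2|DES|MD5|ADH|AECDH)")


def allowed_ciphers(cipher_string):
    """Expand an OpenSSL cipher string into (name, protocol, strength_bits) tuples."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [(c["name"], c["protocol"], c["strength_bits"]) for c in ctx.get_ciphers()]


def classify_weak(entries):
    """Pick out entries under 128 bits or using a known-bad algorithm."""
    return [e for e in entries if e[2] < 128 or WEAK_NAME.search(e[0])]


def weak_ciphers(cipher_string):
    """Weak suites a server configured with cipher_string would still offer."""
    return classify_weak(allowed_ciphers(cipher_string))


if __name__ == "__main__":
    for label, spec in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        allowed = allowed_ciphers(spec)
        weak = classify_weak(allowed)
        print(f"{label}: {len(allowed)} suites offered, {len(weak)} weak")
        for name, proto, bits in weak:
            print(f"  {name} ({proto}, {bits} bits)")
```

A modern OpenSSL no longer compiles in most export and NULL suites, so the permissive string may show fewer weak entries on your workstation than the scanner sees on an old server; the hardened string should show none anywhere. Protocol versions (SSLv2/SSLv3) are a separate directive, SSLProtocol, and this script does not check them.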

#3 Security warning found on port/service “ftp (21/tcp)”

    Plugin “ProFTPD Command Truncation Cross-Site Request Forgery Vulnerability”
    Category “File Transfer Protocol”
    Priority Ranking “Medium Priority”
    Synopsis : The remote FTP server is prone to a cross-site request forgery attack.
    Description : The remote host is using ProFTPD, a free FTP server for Unix and Linux. The version of ProFTPD running on the remote host splits an overly long FTP command into a series of shorter ones and executes each in turn. If an attacker can trick a ProFTPD administrator into accessing a specially-formatted HTML link, he may be able to cause arbitrary FTP commands to be executed in the context of the affected application with the administrator’s privileges.

A: Simply explain in your false positive submission that your software is up to date and that a patch has been applied. I’ve never believed in lying, but when someone is trying to bamboozle you, fight fire with fire. I suppose it would be just as easy to update your version as well.

#4 Security warning found on port/service “https (443/tcp)”

    Plugin “Weak Supported SSL Ciphers Suites”
    Category “General remote services (General)”
    Priority Ranking “Medium Priority”
    Synopsis : The remote service supports the use of weak SSL ciphers.
    Description : The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.

A: This is the same finding as #2 (identical plugin and description), so the same answer applies.

#5 All other unescaped variable problems.
A: I have found that most variable issues are mitigated by using the mysql_real_escape_string function. Basically, the way to beat these Input/Output “hacks” is to make sure that a user cannot produce an error from your site by entering strange data. This DOES NOT mean a site’s customer or Credit Card information is vulnerable.
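The “no error from strange data” test is not the same as “no injection”, and the three lookups below, an added example rather than the author’s code, show where the gap is: in a quoted string context escaping the delimiter works, but in an unquoted numeric context (WHERE id = $_GET['id']) the identical escaping lets 2 OR 1=1 through without any error and returns every customer row, while a bound parameter closes both. Python’s sqlite3 stands in for PHP and MySQL, escape_quotes() plays the part of mysql_real_escape_string (SQLite doubles the quote where MySQL backslash-escapes it), and the table and rows are constructed test data.

```python
"""Escaping versus binding on the lookup behind a typical "unescaped variable" finding.

Added example, not part of the original post. sqlite3 stands in for PHP +
MySQL; escape_quotes() plays the part of mysql_real_escape_string (SQLite
doubles the quote where MySQL backslash-escapes it, the lesson is the same).
The table and rows are constructed test data.
"""
import sqlite3


def escape_quotes(value):
    """Stand-in for mysql_real_escape_string: neutralise the string delimiter only."""
    return str(value).replace("'", "''")


def make_db():
    """Constructed customer table with three rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)")
    db.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice@example.test", "1234"),
         (2, "bob@example.test", "5678"),
         (3, "carol@example.test", "9012")],
    )
    return db


def by_email_escaped(db, email):
    """Quoted string context: escaping the delimiter really does close the hole here."""
    sql = "SELECT id, email FROM customers WHERE email = '%s'" % escape_quotes(email)
    return db.execute(sql).fetchall()


def by_id_escaped(db, customer_id):
    """Unquoted numeric context, as in WHERE id = $_GET['id'].

    The same escaping changes nothing, because the payload needs no quote to
    break out. The query runs without any error and returns every row.
    """
    sql = "SELECT id, email FROM customers WHERE id = %s" % escape_quotes(customer_id)
    return db.execute(sql).fetchall()


def by_id_bound(db, customer_id):
    """Parameterised query: the value is bound after parsing, never read as SQL."""
    return db.execute("SELECT id, email FROM customers WHERE id = ?", (customer_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("escaped, quoted   :", by_email_escaped(db, "x' OR '1'='1"))   # []
    print("escaped, unquoted :", by_id_escaped(db, "2 OR 1=1"))          # all three rows
    print("bound, unquoted   :", by_id_bound(db, "2 OR 1=1"))            # []
```

In PHP the same fix is a prepared statement (mysqli or PDO with bound parameters) rather than a cast or a longer escape routine; casting the id to int also closes this particular case, but only binding covers every context the value can land in.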

Cheers!

5 Responses to “Various PCI Compliance Resolutions”

  1. Cross Site Scripting » Blog Archive » Various Pci Compliance Resolutions Says:

    [...] In addition, it has been shown that servers supporting the TRACE method are subject to cross -site scripting attacks, dubbed XST for “ Cross -Site Tracing”, when used in conjunction with various weaknesses in browsers. …More [...]

  2. Eric Says:

    it security compliance…

    You have got to be kidding!…

  3. ben Says:

    Fantastic blog, this is what I’ve been looking for, cheers. web development

  4. Laughable Says:

    Laughable…

    There are several great rants out there and I will not attempt to top them but in short PCI Complian [...]…

  5. Pledge Furniture Polish Says:

    Pledge Furniture Polish…

    There are several great rants out there and I will not attempt to top them but in short PCI Complian [...]…
