PCI Compliance Status

Discussion in 'General' started by nhybgtvfr, Apr 1, 2019.

  1. nhybgtvfr

    nhybgtvfr Active Member

    ubuntu 18.04. ispconfig 3.1.13 multiserver.

    We have a client who is trying to get PCI compliance.
    He takes card payments using PayPal; the checkout process redirects the user to PayPal's own site to take payments, and no card details are stored on our server. Due to this, I believe he is already PCI compliant.

    He has been told, however, that he will be blocked from taking card payments unless his website is tested as fully PCI compliant.
    To this end, a security firm has been running compliance tests against one of our servers, and have come up with a few issues on which it fails
    (phpMyAdmin version less than 4.8.3, their IP getting blocked during port scanning, etc.; mostly easy fixes) apart from one.

    Our server fails PCI compliance due to the jQuery version. The full failure details are:

    JQuery 1.x < 1.12.0 / 2.x < 2.2.0 XSS
    PCI COMPLIANCE STATUS
    PCI Severity Level: MED
    FAIL
    VULNERABILITY DETAILS
    CVSS Base Score: 4.3
    ID 12707722
    Category: CGI abuses: XSS
    CVE ID: CVE-2015-9251
    THREAT:
    The remote web server is affected by a cross site scripting vulnerability.
    IMPACT:
    According to the self-reported version in the script, the version of JQuery hosted on the remote web server is 1.x prior to 1.12.0 or 2.x prior to 2.2.0. It is, therefore,
    affected by a cross site scripting vulnerability when using location.host to select elements.
    SOLUTION:
    Upgrade to JQuery version 1.12.0 or later.
    RESULT:
    URL: https://********:8080/js/jquery.min.js
    Installed version : 2.1.3
    Fixed version : 2.2.0


    So my questions are: how easy is it to change the jQuery that ISPConfig uses? What problems will it cause?
    And, assuming it won't cause massive problems, exactly how would I change it?

    It would be nice to get the server verified as PCI compliant anyway, and if I can get it done, I can create an article on what changes had to be made after following the perfect server tutorials to achieve compliance, as I'm sure I'm not the only one who'd want that.
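    As an added illustration (not code from this thread or from ISPConfig), the following Python script reproduces what the scanner's "self-reported version" check does: it reads the version banner at the top of a jQuery file and compares it against the CVE-2015-9251 ranges quoted in the report (1.x before 1.12.0, 2.x before 2.2.0), so you can audit every copy of jQuery on a server before the next scan. The banner regex is a heuristic of mine, and the sample files and URLs are constructed placeholders, not real files from the server in the thread.

```python
import re

# Affected ranges as stated in the scan report in this thread (CVE-2015-9251):
# 1.x before 1.12.0 and 2.x before 2.2.0. Other major versions are out of scope.
FIXED_VERSION = {1: (1, 12, 0), 2: (2, 2, 0)}

# Heuristic (my own) for the self-reported banner jQuery ships at the top of
# both minified ("/*! jQuery v2.1.3 | ...") and unminified
# ("/*!\n * jQuery JavaScript Library v1.11.3") builds. Only the file head is read.
BANNER_RE = re.compile(r"jQuery(?:\s+JavaScript\s+Library)?\s+v(\d+)\.(\d+)\.(\d+)")


def reported_version(source):
    """Return the banner version as a (major, minor, patch) tuple, or None."""
    m = BANNER_RE.search(source[:2048])
    return tuple(int(g) for g in m.groups()) if m else None


def assess(source):
    """Classify one JavaScript file: version string, whether it falls in the
    affected range, and the version the report says to move to (None when
    the file is not jQuery or its major version is outside the report)."""
    version = reported_version(source)
    if version is None:
        return {"version": None, "affected": False, "fixed_in": None}
    fixed = FIXED_VERSION.get(version[0])
    affected = fixed is not None and version < fixed
    return {
        "version": ".".join(map(str, version)),
        "affected": affected,
        "fixed_in": ".".join(map(str, fixed)) if fixed else None,
    }


def audit(files):
    """files: mapping of URL/path -> file text. Returns the affected subset
    as (location, installed version, fixed version) tuples."""
    hits = []
    for location, source in files.items():
        result = assess(source)
        if result["affected"]:
            hits.append((location, result["version"], result["fixed_in"]))
    return hits


# Constructed sample inputs (placeholder hosts, not files from the thread). The
# first mirrors the scanner finding on port 8080; the rest cover other cases.
SAMPLE_FILES = {
    "https://panel.example.invalid:8080/js/jquery.min.js":
        "/*! jQuery v2.1.3 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/license */\n!function(a,b){}",
    "https://panel.example.invalid:8080/js/jquery-2.2.4.min.js":
        "/*! jQuery v2.2.4 | (c) jQuery Foundation | jquery.org/license */\n!function(a,b){}",
    "https://www.example.invalid/assets/jquery.js":
        "/*!\n * jQuery JavaScript Library v1.11.3\n * http://jquery.com/\n */\n(function(global, factory) {})",
    "https://www.example.invalid/assets/jquery-3.4.1.min.js":
        "/*! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */",
    "https://www.example.invalid/assets/app.js":
        "// application code, no jQuery banner\n",
}

if __name__ == "__main__":
    for location, installed, fixed in audit(SAMPLE_FILES):
        print(f"FAIL {location}: installed {installed}, fixed in {fixed}")
```

    Point it at the contents of every `jquery*.js` under the web roots (the ISPConfig interface copy lives in /usr/local/ispconfig/interface/web/js/, but client sites usually bundle their own) to get the same verdict the scanner will reach. Note that this only reads the banner, exactly like the scanner; a file whose banner was stripped or edited will not be detected, so a clean result here is not proof that no old jQuery is served.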
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess you should be able to drop in a new version by replacing that file. ISPConfig does not use location.host to select elements, so it is not affected by that problem, but I will look into that to update the lib in the stable branch as well.

    That would be great!
     
  3. nhybgtvfr

    nhybgtvfr Active Member

    When you say replace that file, do you mean literally download the latest version (http://code.jquery.com/jquery-2.2.4.min.js),
    rename it to jquery.min.js and overwrite the existing file in /usr/local/ispconfig/interface/web/js/?

    Just want to make absolutely 100% sure; I've not messed about with jQuery at all before and don't want to fubar my server. ;)
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, that's what I would try. Just rename the old one and drop in the new one, if it does not work, then just copy the old one back. We don't use any fancy things from jquery, so I guess it should be ok to just drop in the newer version.
     
    ganewbie likes this.
  5. nhybgtvfr

    nhybgtvfr Active Member

    OK. I've done that, and everything looks OK so far; I've not noticed anything strange yet, no errors showing up.

    Hopefully, the only remaining issue blocking PCI compliance is a weak SHA-1 algorithm used to sign the Digicert_Global_Root_CA certificate,
    but I can't seem to find a newer version of it. The latest one I can find on their website is the same one installed on our server.
     
    Ed Cates and till like this.
  6. nhybgtvfr

    nhybgtvfr Active Member

    Just to update on this: I believe the certificate issue is fixed now, but there was an issue with a phpMyAdmin XSS vulnerability in CGI scripts, even with the latest version 4.8.5. It only shows up on ports 80 and 443 though, not 8080, which is unexpected.
    Since finding that, I've made some changes that hopefully fix it, but I've been unable to get new scan reports; I've requested several times but no reply. I'll keep trying.
    Their best suggestion so far is to remove phpMyAdmin, which is not really a viable option, and other companies seem to have solved the issue: I know Krystal Hosting provide phpMyAdmin and claim 100% PCI compliance. I've also installed net2ftp on the server since the last scan, so I'm hoping that doesn't create any new issues.

    I still plan to create an article on it if I can actually get a response and confirm the server's PCI compliance.
     
    till likes this.
  7. nhybgtvfr

    nhybgtvfr Active Member

    OK, I've finally got a report back for a new PCI scan.
    phpMyAdmin got the all clear, although I'd changed the path to /dbadmin. I've changed it back again now and am waiting to find out whether /phpmyadmin isn't something they generally just reject.

    One thing still getting flagged up as a fail is the / folder being browsable on port 8081, which has the vhost conf below.

    Now I've removed mod_php from Apache anyway, so those sections shouldn't matter, but to make sure:

    am I OK to change the lines
    Options FollowSymLinks
    to
    Options +FollowSymLinks -Indexes

    and
    Options +Indexes +FollowSymLinks +MultiViews +ExecCGI

    AllowOverride AuthConfig Indexes Limit Options FileInfo

    to
    Options -Indexes +FollowSymLinks +MultiViews +ExecCGI
    AllowOverride AuthConfig Limit Options FileInfo


    Obviously I'd need to change it by copying /usr/local/ispconfig/server/conf/apache_apps.vhost.master to ../conf-custom and editing that.
    I just want to make sure that nothing anywhere else expects to be able to browse/list the folder and breaks if I make this change.

    Code:
      <IfModule mod_php5.c>
        DocumentRoot /var/www/apps
        AddType application/x-httpd-php .php
        <Directory /var/www/apps>
          Options FollowSymLinks
          AllowOverride None
          Require all granted
        </Directory>
      </IfModule>

      <IfModule mod_php7.c>
        DocumentRoot /var/www/apps
        AddType application/x-httpd-php .php
        <Directory /var/www/apps>
          Options FollowSymLinks
          AllowOverride None
          Require all granted
        </Directory>
      </IfModule>

      <IfModule mod_fcgid.c>
        DocumentRoot /var/www/apps
        SuexecUserGroup ispapps ispapps
        <Directory /var/www/apps>
          Options +Indexes +FollowSymLinks +MultiViews +ExecCGI
          AllowOverride AuthConfig Indexes Limit Options FileInfo
          <FilesMatch "\.php$">
            SetHandler fcgid-script
          </FilesMatch>
          FCGIWrapper /var/www/php-fcgi-scripts/apps/.php-fcgi-starter .php
          Require all granted
        </Directory>
      </IfModule>
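    As an added example (my own code, not part of the thread or of ISPConfig), the following Python script audits a vhost file like the one quoted above for the two things the scan is really checking: whether each `<Directory>` block ends up with `Indexes` enabled, and whether `AllowOverride` would let a `.htaccess` file switch it back on. It implements Apache's `Options` merge rule in general (a directive whose arguments all carry `+`/`-` adjusts the inherited set; an unprefixed list replaces it; `All` and `None` expand as documented), so it goes a little beyond the two specific edits proposed in the post. The embedded sample is a trimmed copy of the posted config (mod_php5 omitted, as it is identical to mod_php7), and the "hardened" variant is the post's proposed edits applied to that text.

```python
import re

# Section delimiters as they appear in the ISPConfig vhost master quoted above.
DIR_OPEN = re.compile(r'^<Directory\s+"?([^\s">]+)"?\s*>$', re.I)
DIR_CLOSE = re.compile(r"^</Directory>$", re.I)
MOD_OPEN = re.compile(r"^<IfModule\s+(!?[^\s>]+)\s*>$", re.I)
MOD_CLOSE = re.compile(r"^</IfModule>$", re.I)

# Apache's "All" keyword means every option except MultiViews.
ALL_OPTIONS = {"execcgi", "followsymlinks", "includes", "includesnoexec", "indexes", "symlinksifownermatch"}


def apply_options(current, args):
    """Merge one Options directive the way Apache does: all-prefixed (+/-)
    arguments adjust the inherited set; an unprefixed list replaces it."""
    relative = [a[0] in "+-" for a in args]
    if all(relative):
        result = set(current)
        for a in args:
            (result.add if a[0] == "+" else result.discard)(a[1:].lower())
        return result
    if any(relative):  # Apache rejects a mix of the two forms in one directive
        raise ValueError("mixed absolute and relative Options: " + " ".join(args))
    result = set()
    for a in (x.lower() for x in args):
        if a == "all":
            result |= ALL_OPTIONS
        elif a != "none":
            result.add(a)
    return result


def audit_vhost(text, inherited=frozenset()):
    """For each <Directory> block, report whether directory listing ends up on and
    whether a .htaccess could re-enable it. `inherited` is the Options set in force
    at server/vhost level that relative directives build on (stock Apache 2.4
    starts from FollowSymLinks); the default here assumes nothing is inherited."""
    findings, modules, block = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if (m := MOD_OPEN.match(line)):
            modules.append(m.group(1))
        elif MOD_CLOSE.match(line):
            modules.pop()
        elif (m := DIR_OPEN.match(line)):
            block = {"path": m.group(1), "module": modules[-1] if modules else None,
                     "options": set(inherited), "override": set()}
        elif DIR_CLOSE.match(line):
            findings.append({
                "path": block["path"],
                "module": block["module"],
                "directory_listing": "indexes" in block["options"],
                # "AllowOverride All" or "... Indexes" lets .htaccess set Options Indexes
                "htaccess_can_enable_listing": bool(block["override"] & {"all", "indexes"}),
            })
            block = None
        elif block is not None:
            directive, *args = line.split()
            if directive.lower() == "options":
                block["options"] = apply_options(block["options"], args)
            elif directive.lower() == "allowoverride":
                block["override"] = {a.lower() for a in args}
    return findings


# Constructed input: the relevant <Directory> sections from the vhost quoted in
# this thread (mod_php5 omitted, it is identical to mod_php7).
ORIGINAL_VHOST = """\
<IfModule mod_php7.c>
  <Directory /var/www/apps>
    Options FollowSymLinks
    AllowOverride None
  </Directory>
</IfModule>
<IfModule mod_fcgid.c>
  <Directory /var/www/apps>
    Options +Indexes +FollowSymLinks +MultiViews +ExecCGI
    AllowOverride AuthConfig Indexes Limit Options FileInfo
  </Directory>
</IfModule>
"""

# The edits proposed in the post, applied to the same text.
HARDENED_VHOST = (ORIGINAL_VHOST
    .replace("Options FollowSymLinks", "Options +FollowSymLinks -Indexes")
    .replace("Options +Indexes", "Options -Indexes")
    .replace("AllowOverride AuthConfig Indexes Limit", "AllowOverride AuthConfig Limit"))
```

    Run `audit_vhost(ORIGINAL_VHOST)` and the mod_fcgid block comes back with listing enabled and `.htaccess` able to enable it; `audit_vhost(HARDENED_VHOST)` reports neither for any block. Two caveats the code makes visible: `Options -Indexes` is a relative edit, so it only removes `Indexes` from whatever the enclosing sections set, which is why the `inherited` argument exists; and dropping `Indexes` from `AllowOverride` matters as much as the `Options` line, because otherwise an app shipping its own `.htaccess` can turn listing back on.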
    
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    The changes should be fine.
     
  9. nhybgtvfr

    nhybgtvfr Active Member

    Just to update on this: our configuration is based on the Ubuntu 18.04 perfect server tutorial. There are a number of changes applied beyond the tutorial, a lot of which are irrelevant to PCI compliance, but some which do affect it. There are also still some issues, e.g. net2ftp will not pass PCI compliance, so it is disabled for now, and it seems that even the latest phpMyAdmin 4.8.5 will fail when on /phpmyadmin, but passes when on e.g. /dbadmin. But the server has now successfully passed PCI compliance testing.
    I'll try to collate all the changes I made beyond the tutorials and then the changes to get it compliant, and get it all together as an article over the next couple of days.
     
    till likes this.
  10. mccharlet

    mccharlet Member HowtoForge Supporter

    Hi,
    With PayPal, you are using a hosted payment page, and in this case your infrastructure doesn't need PCI compliance.

    But you need your infrastructure and software to be up to date.

    Best regards
     
