PCI Report Shows Issues


mhsuffolk

CE Frozen on PHP 7.2

I have just had a PCI scan by Security Metrics. It has identified four main issues.

I feel that items 1 to 3 are an issue with my host, but I think 4 may be OSC. May I have a second opinion, please, before I contact my hosting company?

1.  ISC BIND 9.x.x < 9.9.10-P1 / 9.10.x < 9.10.5-P1 / 9.11.x < 9.11.1-P1 Multiple Vulnerabilities

Resolution:
Upgrade to ISC BIND version 9.9.10-P1 / 9.9.10-S2 / 9.10.5-P1 / 9.10.5-S2 / 9.11.1-P1 or later. Note that BIND 9 versions 9.9.10-S2 and 9.10.5-S2 are available exclusively for eligible ISC Support customers.
Data Received:
Installed version : 9.9.4-RedHat-9.9.4-61.el7_5.1
Fixed version : 9.9.10-P1
-------------------------------------------------------------------
2.  TLS Version 1.0 Protocol Detection (PCI DSS)

Resolution:
All processing and third party entities - including Acquirers, Processors, Gateways and Service Providers - must provide a TLS 1.1 or greater service offering by June 2016. All processing and third party entities must cutover to a secure version of TLS (as defined by NIST) effective June 2018.
Data Received:
TLSv1 is enabled on port 2087 and the server supports at least one cipher.
(Note: the server has TLS 1.2, and Stripe, which will only work with 1.2, is fine, but both 1.0 and 1.1 are also listed in server info.)
------------------------------------------------------------------------
3.  Weak DH Key Exchange Supported (PCI DSS)

Resolution:
Consult the software's manual and reconfigure the service to use at least 2048-bit DH parameters. Alternatively, disable DH and use only Elliptic-curve Diffie-Hellman (ECDH) instead.
---------------------------------------------------------------------------
4.  Web Application Potentially Vulnerable to Clickjacking

Resolution:
Return the X-Frame-Options or Content-Security-Policy (with the 'frame-ancestors' directive) HTTP header with the page's response. This prevents the page's content from being rendered by another site when using the frame or iframe HTML tags.
Data Received:
The following pages do not use a clickjacking mitigation response header and contain a clickable event.

Followed by a long list of affected pages encompassing several products, categories and even login.php but by no means all my products.

Live shop Phoenix 1.0.8.4 on PHP 7.4 Working my way up the versions.


Yes, 1 and 3 are host issues. #2 is probably a host issue too. You can check your site here to see what it shows for TLS. For #4, there are only a few files that use iframes in the basic code, though one of those might be a jquery file, so that could explain all of the pages listed. Or maybe you have addons or code changes that use them. This page may help pass the scan.

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

Get the latest versions of my addons

Recommended SEO Addons


I have had a read and cannot decide where the remedy should go.

Can something be added to template_top.php so the whole site is covered?


If you are referring to the section "Best-for-now Legacy Browser Frame Breaking Script", you can put the first part in the template_top file and the second part in the footer or application_bottom file. 


Thanks for that.

I have also found this on developer.mozilla.org. Could it be used in template_top?

"To configure IIS to send the X-Frame-Options header, add this to your site's Web.config file: "

<system.webServer>
  ...

  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="sameorigin" />
    </customHeaders>
  </httpProtocol>

  ...
</system.webServer>

 


Are you sure that's not intended to go in the .htaccess file? You might want to check that first. I've never heard of it referred to as "Web.config". Maybe it's a configuration file unique to IIS? If you're using IIS, it should be easy enough to check. Otherwise, ignore it.

Regarding your TLS 1.0, you should remind your host that 1.0 and 1.1 are quite insecure, and they should be at 1.2 soon. Also, the major browser makers (Mozilla, Microsoft, Google) have announced that they will drop browser support in the spring of 2020 for TLS 1.0 and 1.1, so hosts should be planning to upgrade before long.


3 minutes ago, MrPhil said:

Regarding your TLS 1.0, you should remind your host that 1.0 and 1.1 are quite insecure, and they should be at 1.2 soon.

What confuses me is that they have 1.2, but 1.0 and 1.1 are still listed in server info. When I run a test in SSL Labs only 1.2 is detected, but Security Metrics detected all 3 versions.


13 minutes ago, MrPhil said:

Are you sure that's not intended to go in the .htaccess file?

You are correct, it was for IIS.

Is this for Linux .htaccess?

-------------------------------------------------------------------

To configure nginx to send the X-Frame-Options header, add this either to your http, server or location configuration:

add_header X-Frame-Options sameorigin;

 


Apparently the security scan thinks that there's a chance that 1.0 or 1.1 might end up being used as fallbacks by back-level browsers that don't support 1.2. That's my guess as to why they would flag it. Anyway, you might bring this to the attention of your host and discuss whether it's worth suppressing fallback to 1.0 or 1.1 (I think it can be done, but what's involved, I don't know). Any customer with an old browser that doesn't support TLS 1.2 would be out of luck. You might want to check browser histories and usage statistics, to see how many customers might potentially be affected.

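The TLS discrepancy discussed in the posts above, as an added example that is not part of the original thread: the scanner's finding names port 2087, which is the cPanel/WHM HTTPS port, while SSL Labs only tests port 443, so the two tools were looking at two different services on the same host. The Python probe below is mine, not the scanner's or osCommerce's. It offers the server exactly one protocol version per handshake and reports which versions complete, so it can be pointed at the port the report actually named (python tls_probe.py shop.example 2087). The host and port are assumed command-line arguments; nothing is contacted on import. One caveat a modern workstation needs: current OpenSSL builds often refuse to even offer TLS 1.0 or 1.1, and the probe reports those as inconclusive rather than as "no" so a false negative is visible. pci_verdict() is a pure function over the probe results and is the part that can be checked without a network.

```python
"""Probe which TLS versions a service negotiates, one version per handshake.

Reproduces the check behind a "TLS Version 1.0 Protocol Detection" finding.
Host and port come from the command line; nothing is contacted on import.
"""
import socket
import ssl
import sys
from typing import Dict

VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
# PCI DSS 3.2.1 Appendix A2 calls 1.0 and 1.1 "early TLS"; an ASV scan fails on either.
EARLY_TLS = {"TLSv1.0", "TLSv1.1"}


def probe_version(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0) -> str:
    """Offer exactly one protocol version; return "yes", "no" or "local-unsupported".

    Certificate validation is disabled on purpose: the question is whether the
    handshake completes, not whether the certificate is trusted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        # The local OpenSSL was built without this version (common for 1.0/1.1
        # on current distributions), so a "no" here would be a false negative.
        return "local-unsupported"
    try:
        # Let the client offer legacy cipher suites too, otherwise an old server
        # can be missed because the local security level refused them.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # LibreSSL and some builds reject @SECLEVEL; keep the defaults
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "yes" if tls.version() else "no"
    except OSError:  # ssl.SSLError, ConnectionRefusedError and timeouts are all OSError
        return "no"


def probe_all(host: str, port: int) -> Dict[str, str]:
    """Probe every version in VERSIONS against host:port."""
    return {name: probe_version(host, port, v) for name, v in VERSIONS.items()}


def pci_verdict(results: Dict[str, str]) -> Dict[str, object]:
    """Apply the PCI rule to probe results. Pure function, testable offline.

    'inconclusive' lists versions the local stack could not even offer, so the
    caller knows when to re-run from a host with a legacy-capable OpenSSL.
    """
    enabled = sorted(n for n, r in results.items() if r == "yes")
    early = [n for n in enabled if n in EARLY_TLS]
    inconclusive = sorted(n for n, r in results.items() if r == "local-unsupported")
    modern = any(n in enabled for n in ("TLSv1.2", "TLSv1.3"))
    return {
        "enabled": enabled,
        "early_tls": early,
        "inconclusive": inconclusive,
        "passes": modern and not early,
    }


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: tls_probe.py HOST [PORT]   (PORT defaults to 443)")
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    verdict = pci_verdict(probe_all(host, port))
    print(f"{host}:{port} -> {verdict}")
```

Run it once against 443 and once against 2087 (and any other TLS port the scan report lists); a shop can be clean on 443 and still fail the scan on a control-panel port, which is the host's to fix.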

I don't know if nginx uses .htaccess. It's yet another server (technically, Apache is your server, not Linux, which is the operating system of the server machine -- yes, "server" is ambiguous). Apache runs on a variety of operating systems, including Windows, Mac, and Linux, and maybe others.

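The clickjacking check behind finding 4 and the header fix the thread settles on, as an added example that is not part of the original thread: a Python audit (mine, not the scanner's or osCommerce's) that reads a raw HTTP response and decides whether it carries a header browsers actually enforce against framing. The sample responses are constructed here, not captured from any shop. Three facts the thread does not spell out and that the audit encodes: browsers compare X-Frame-Options values ASCII case-insensitively, so the lowercase "sameorigin" in the MDN snippets is fine; the old ALLOW-FROM form is not enforced by current browsers; and a Content-Security-Policy frame-ancestors directive takes precedence over X-Frame-Options, so a permissive one undoes a good X-Frame-Options. On an Apache/PHP shop the header itself is set either in .htaccess with mod_headers (Header always set X-Frame-Options "SAMEORIGIN") or from PHP with header('X-Frame-Options: SAMEORIGIN') before any output, which in osCommerce means a file every page includes first, such as application_top.php.

```python
"""Check an HTTP response for the clickjacking mitigation a PCI scan looks for.

The sample responses are constructed here, not captured from any real shop.
"""
from typing import Dict, List, Optional, Tuple

# X-Frame-Options values browsers enforce (matched ASCII case-insensitively, so
# the lowercase "sameorigin" from the MDN snippets works). ALLOW-FROM was never
# standardised and current browsers ignore it, so it counts as no mitigation.
XFO_ENFORCED = {"deny", "sameorigin"}


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (lowercased-name, value) pairs from a raw HTTP/1.x response.

    Repeated headers stay separate: a browser enforces every CSP it receives.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # [0] is the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def frame_ancestors(policy: str) -> Optional[List[str]]:
    """Source list of the frame-ancestors directive in one CSP, or None if absent."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def clickjacking_mitigation(raw: str) -> Dict[str, object]:
    """Decide whether a response stops other sites from framing it.

    A CSP with frame-ancestors takes precedence over X-Frame-Options in every
    browser that supports CSP level 2, so a permissive frame-ancestors ('*')
    makes an otherwise good X-Frame-Options header irrelevant.
    """
    notes: List[str] = []
    xfo_ok = csp_seen = csp_ok = False
    for name, value in parse_headers(raw):
        if name == "x-frame-options":
            if value.lower() in XFO_ENFORCED:
                xfo_ok = True
            else:
                notes.append("X-Frame-Options %r is not enforced by current browsers" % value)
        elif name == "content-security-policy":
            sources = frame_ancestors(value)
            if sources is None:
                notes.append("Content-Security-Policy has no frame-ancestors directive")
            elif "*" in sources:
                csp_seen = True
                notes.append("frame-ancestors '*' lets any site frame the page")
            else:
                csp_seen = csp_ok = True
        elif name == "content-security-policy-report-only":
            notes.append("report-only CSP does not block framing")
    via = []
    if csp_ok:
        via.append("content-security-policy frame-ancestors")
    if xfo_ok and not (csp_seen and not csp_ok):
        via.append("x-frame-options")
    return {"protected": bool(via), "via": via, "notes": notes}


# Constructed responses shaped like an osCommerce page (osCsid is the stock
# osCommerce session cookie name); none were captured from a live site.
STATUS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: osCsid=abc123; path=/\r\n"
)
BODY = "\r\n<html><body><a href='login.php'>Login</a></body></html>"

SAMPLES = {
    "unprotected": STATUS + BODY,
    "xfo_only": STATUS + "X-Frame-Options: sameorigin\r\n" + BODY,
    "csp_only": STATUS + "Content-Security-Policy: default-src 'self'; frame-ancestors 'self'\r\n" + BODY,
    "allow_from": STATUS + "X-Frame-Options: ALLOW-FROM https://partner.example\r\n" + BODY,
    "csp_wildcard_overrides_xfo": (
        STATUS + "X-Frame-Options: DENY\r\n" + "Content-Security-Policy: frame-ancestors *\r\n" + BODY
    ),
    "csp_without_frame_ancestors": STATUS + "Content-Security-Policy: default-src 'self'\r\n" + BODY,
}

if __name__ == "__main__":
    for label, response in SAMPLES.items():
        print(label, clickjacking_mitigation(response))
```

To use it on the live shop, capture a response (curl -si https://shop.example/login.php) and pass the text to clickjacking_mitigation(); the pages the scanner listed are exactly those for which it returns protected: False, and a header set once at the Apache or application_top.php level covers every page in one go.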

Archived

This topic is now archived and is closed to further replies.
