mhsuffolk, posted November 15, 2018

CE Frozen on PHP 7.2

I have just had a PCI scan by Security Metrics. It has identified four main issues. I feel that items 1 to 3 are an issue with my host, but I think 4 may be OSC. May I have a second opinion please before I contact my hosting company.

1. ISC BIND 9.x.x < 9.9.10-P1 / 9.10.x < 9.10.5-P1 / 9.11.x < 9.11.1-P1 Multiple Vulnerabilities
Resolution: Upgrade to ISC BIND version 9.9.10-P1 / 9.9.10-S2 / 9.10.5-P1 / 9.10.5-S2 / 9.11.1-P1 or later. Note that BIND 9 versions 9.9.10-S2 and 9.10.5-S2 are available exclusively for eligible ISC Support customers.
Data Received:
Installed version : 9.9.4-RedHat-9.9.4-61.el7_5.1
Fixed version : 9.9.10-P1

2. TLS Version 1.0 Protocol Detection (PCI DSS)
Resolution: All processing and third party entities - including Acquirers, Processors, Gateways and Service Providers - must provide a TLS 1.1 or greater service offering by June 2016. All processing and third party entities must cut over to a secure version of TLS (as defined by NIST) effective June 2018.
Data Received: TLSv1 is enabled on port 2087 and the server supports at least one cipher.
(Note: the server has TLS 1.2, and Stripe, which will only work with 1.2, is fine, but both 1.0 and 1.1 are also listed in server info.)

3. Weak DH Key Exchange Supported (PCI DSS)
Resolution: Consult the software's manual and reconfigure the service to use at least 2048-bit DH parameters. Alternatively, disable DH and use only Elliptic-curve Diffie-Hellman (ECDH) instead.

4. Web Application Potentially Vulnerable to Clickjacking
Resolution: Return the X-Frame-Options or Content-Security-Policy (with the 'frame-ancestors' directive) HTTP header with the page's response. This prevents the page's content from being rendered by another site when using the frame or iframe HTML tags.
Data Received: The following pages do not use a clickjacking mitigation response header and contain a clickable event.
Followed by a long list of affected pages encompassing several products, categories and even login.php, but by no means all my products.

Live shop Phoenix 1.0.8.4 on PHP 7.4. Working my way up the versions.
Jack_mcs, posted November 15, 2018

Yes, 1 and 3 are host issues. #2 is probably a host issue too. You can check your site here to see what it shows for TLS. For #4, there are only a few files that use iframes in the basic code, though one of those might be a jquery file, so that could explain all of the pages listed. Or maybe you have addons or code changes that use them. This page may help pass the scan.

Support Links: For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc. Get the latest versions of my addons. Recommended SEO Addons.
mhsuffolk, posted November 15, 2018

I have had a read and cannot decide where the remedy should go. Can something be added to template_top.php so the whole site is covered?
Jack_mcs, posted November 15, 2018

If you are referring to the section "Best-for-now Legacy Browser Frame Breaking Script", you can put the first part in the template_top file and the second part in the footer or application_bottom file.
mhsuffolk, posted November 15, 2018

Thanks for that. I have also found this on developer.mozilla.org. Could it be used in template_top?

"To configure IIS to send the X-Frame-Options header, add this to your site's Web.config file:"

    <system.webServer>
      ...
      <httpProtocol>
        <customHeaders>
          <add name="X-Frame-Options" value="sameorigin" />
        </customHeaders>
      </httpProtocol>
      ...
    </system.webServer>
MrPhil, posted November 15, 2018

Are you sure that's not intended to go in the .htaccess file? You might want to check that first. I've never heard of it referred to as "Web.config". Maybe it's a configuration file unique to IIS? If you're using IIS, it should be easy enough to check. Otherwise, ignore it.

Regarding your TLS 1.0, you should remind your host that 1.0 and 1.1 are quite insecure, and they should be at 1.2 soon. Also, the major browser makers (Mozilla, Microsoft, Google) have announced that they will drop browser support in the spring of 2020 for TLS 1.0 and 1.1, so hosts should be planning to upgrade before long.
mhsuffolk, posted November 15, 2018

3 minutes ago, MrPhil said:
    Regarding your TLS 1.0, you should remind your host that 1.0 and 1.1 are quite insecure, and they should be at 1.2 soon.

What confuses me is that they have 1.2 but 1.0 and 1.1 are still listed in server info. When I run a test in ssllabs only 1.2 is detected, but Security Metrics detected all 3 versions.
mhsuffolk, posted November 15, 2018

13 minutes ago, MrPhil said:
    Are you sure that's not intended to go in the .htaccess file?

You are correct, it was for IIS. Is this for linux .htaccess?

To configure nginx to send the X-Frame-Options header, add this either to your http, server or location configuration:

    add_header X-Frame-Options sameorigin;
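The header-based fix the scan asks for under item 4 does not have to come from IIS, nginx or .htaccess at all: osCommerce can send the headers itself from PHP, as long as that happens before any HTML is output, and then every page that includes template_top.php is covered in one place. The following is an added example written for this thread, not osCommerce's own code. The function name and the $allowed_origins parameter are assumptions of the example; it assumes the call is placed at the very top of template_top.php, before anything has been echoed.

```php
<?php
// Added example (not osCommerce code): anti-framing headers for template_top.php.
// Must run before any output, because PHP cannot add headers once the body starts.

/**
 * Send both the legacy (X-Frame-Options) and the modern (CSP frame-ancestors)
 * clickjacking mitigations.
 *
 * $allowed_origins: extra origins permitted to frame the shop, e.g.
 * ['https://checkout.example.com'] (placeholder). Empty means same-origin only.
 * Returns false if headers could no longer be sent, so the problem is logged
 * rather than silently ignored.
 */
function send_frame_protection_headers(array $allowed_origins = []): bool
{
    if (headers_sent($file, $line)) {
        // Too late: something already produced output (a BOM, stray whitespace
        // before "<?php", an echo). The scanner would still flag this page.
        error_log("frame protection headers skipped: output started at $file:$line");
        return false;
    }

    // X-Frame-Options cannot express an allow-list (ALLOW-FROM is obsolete and
    // was never widely supported), so it only carries SAMEORIGIN. Browsers that
    // understand frame-ancestors use the CSP header and ignore X-Frame-Options.
    header('X-Frame-Options: SAMEORIGIN');

    $sources = ["'self'"];
    foreach ($allowed_origins as $origin) {
        // Accept only a plain scheme://host[:port] so a typo in the allow-list
        // cannot smuggle a ';' and start a new CSP directive.
        if (preg_match('#^https?://[A-Za-z0-9.-]+(:\d+)?$#', $origin)) {
            $sources[] = $origin;
        }
    }
    header('Content-Security-Policy: frame-ancestors ' . implode(' ', $sources));
    return true;
}

// Same-origin framing only; pass an array of origins if a payment page
// legitimately needs to embed the shop.
send_frame_protection_headers();
```

Two practical notes. If the shop already sends a Content-Security-Policy header, put frame-ancestors into that existing policy rather than sending a second CSP header. And if you would rather do it at the web server, the Apache equivalent of the nginx line above is `Header always set X-Frame-Options "SAMEORIGIN"` in .htaccess or the vhost, which needs mod_headers enabled; either approach fixes the whole list of pages at once instead of file by file.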
MrPhil, posted November 15, 2018

Apparently the security scan thinks that there's a chance that 1.0 or 1.1 might end up being used as fallbacks by back-level browsers that don't support 1.2. That's my guess as to why they would flag it. Anyway, you might bring this to the attention of your host and discuss whether it's worth suppressing fallback to 1.0 or 1.1 (I think it can be done, but what's involved, I don't know). Any customer with an old browser that doesn't support TLS 1.2 would be out of luck. You might want to check browser histories and usage statistics, to see how many customers might potentially be affected.
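One detail in the scan output explains the disagreement between the two tools: the SSL Labs server test only examines port 443, whereas the scanner's data line says TLSv1 is enabled on port 2087, which is the cPanel/WHM management port, not the shop. The following is an added example, not code from any of the posters, that probes each port with exactly one protocol version per handshake, so you can tell the host precisely which ports still accept TLS 1.0 or 1.1. The function names and the hostname on the usage line are placeholders chosen for the example.

```php
<?php
// Added example (not from the thread): which TLS versions does each port accept?
// Usage:  php tlsprobe.php shop.example.com 443 2087   (hostname is a placeholder)

/** Protocol versions to try, oldest first. TLS 1.3 only exists on PHP 7.4+. */
function probe_methods(): array
{
    $methods = [
        'TLSv1.0' => STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT,
        'TLSv1.1' => STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT,
        'TLSv1.2' => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT,
    ];
    if (defined('STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT')) {
        $methods['TLSv1.3'] = STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT;
    }
    return $methods;
}

/**
 * Open a plain TCP connection, then attempt a handshake that offers exactly
 * one protocol version. True means the server completed the handshake with
 * that version; false means it refused, the port is closed, or it timed out.
 */
function accepts_tls_version(string $host, int $port, int $method, float $timeout = 5.0): bool
{
    $ctx = stream_context_create(['ssl' => [
        // The question is whether the version is offered, not whether the
        // certificate is valid, so verification is disabled for this probe only.
        'verify_peer'      => false,
        'verify_peer_name' => false,
        'SNI_enabled'      => true,
        'peer_name'        => $host,
    ]]);
    $errno = 0;
    $errstr = '';
    $sock = @stream_socket_client("tcp://{$host}:{$port}", $errno, $errstr, $timeout,
                                  STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        return false;
    }
    stream_set_timeout($sock, (int) $timeout);
    $ok = @stream_socket_enable_crypto($sock, true, $method);
    fclose($sock);
    return $ok === true;
}

/** Returns [port => [version name => accepted?]] for every port given. */
function tls_version_report(string $host, array $ports): array
{
    $report = [];
    foreach ($ports as $port) {
        foreach (probe_methods() as $name => $method) {
            $report[$port][$name] = accepts_tls_version($host, $port, $method);
        }
    }
    return $report;
}

if (PHP_SAPI === 'cli' && $argc >= 3) {
    $host  = $argv[1];
    $ports = array_map('intval', array_slice($argv, 2));
    foreach (tls_version_report($host, $ports) as $port => $versions) {
        foreach ($versions as $name => $ok) {
            printf("%s:%d  %-7s %s\n", $host, $port, $name, $ok ? 'ACCEPTED' : 'refused');
        }
    }
}
```

A "refused" result is only meaningful if the machine running the probe is itself still willing to offer that version; newer OpenSSL builds decline TLS 1.0 and 1.1 entirely, so cross-check one port with `openssl s_client -tls1 -connect host:port` from the same machine before reporting to the host. Disabling the old versions (and the weak DH parameters from item 3) is then a change to the web server and cPanel service configuration on the host's side, not to the shop code.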
MrPhil, posted November 15, 2018

I don't know if nginx uses .htaccess. It's yet another server (technically, Apache is your server, not Linux, which is the operating system of the server machine; yes, "server" is ambiguous). Apache runs on a variety of operating systems, including Windows, Mac, and Linux, and maybe others.
This topic is now archived and is closed to further replies.