mhsuffolk

PCI Report Shows Issues

CE Frozen on PHP 7.2

I have just had a PCI scan by Security Metrics. It has identified four main issues.

I feel that items 1 to 3 are an issue with my host, but I think 4 may be osC. May I have a second opinion, please, before I contact my hosting company?

1.  ISC BIND 9.x.x < 9.9.10-P1 / 9.10.x < 9.10.5-P1 / 9.11.x < 9.11.1-P1
Multiple Vulnerabilities

Resolution:
Upgrade to ISC BIND version 9.9.10-P1 / 9.9.10-S2 / 9.10.5-P1 / 9.10.5-S2 / 9.11.1-P1 or later. Note that BIND 9 versions 9.9.10-S2 and 9.10.5-S2 are available exclusively for eligible ISC Support customers.
Data Received:
Installed version : 9.9.4-RedHat-9.9.4-61.el7_5.1 Fixed version : 9.9.10-P1
-------------------------------------------------------------------
2.  TLS Version 1.0 Protocol Detection (PCI DSS)

Resolution:
All processing and third party entities - including Acquirers, Processors, Gateways and Service Providers - must provide a TLS 1.1 or greater service offering by June 2016. All processing and third party entities must cut over to a secure version of TLS (as defined by NIST) effective June 2018.
Data Received:
TLSv1 is enabled on port 2087 and the server supports at least one cipher.
(Note: the server has TLS 1.2, and Stripe, which will only work with 1.2, is fine, but both 1.0 and 1.1 are also listed in server info.)
------------------------------------------------------------------------
3.  Weak DH Key Exchange Supported (PCI DSS)

Resolution:
Consult the software's manual and reconfigure the service to use at least 2048-bit DH parameters. Alternatively, disable DH and use only Elliptic-curve Diffie-Hellman (ECDH) instead.
---------------------------------------------------------------------------
4.  Web Application Potentially Vulnerable to Clickjacking

Resolution:
Return the X-Frame-Options or Content-Security-Policy (with the 'frame-ancestors' directive) HTTP header with the page's response. This prevents the page's content from being rendered by another site when using the frame or iframe HTML tags.
Data Received:
The following pages do not use a clickjacking mitigation response header and contain a clickable event.

This is followed by a long list of affected pages encompassing several products, categories and even login.php, but by no means all my products.

OsC 2.3.4.1 CE Frozen   PHP 7.2   MySQL 10.1.36-MariaDB-cll-lve

Yes, 1 and 3 are host issues. #2 is probably a host issue too. You can check your site here to see what it shows for TLS. For #4, there are only a few files that use iframes in the basic code, though one of those might be a jQuery file, so that could explain all of the pages listed. Or maybe you have addons or code changes that use them. This page may help pass the scan.

I have had a read and cannot decide where the remedy should go.

Can something be added to template_top.php so the whole site is covered?


If you are referring to the section "Best-for-now Legacy Browser Frame Breaking Script", you can put the first part in the template_top file and the second part in the footer or application_bottom file.

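As an added example (not osCommerce's own code, and not posted by anyone in this thread), this is one way to cover every storefront page from PHP instead of relying on a per-page frame-breaking script: send the two headers the scan report names from a single place, before any HTML is output, because PHP's header() is silently ignored once output has started. The function name and the $allowed_origins parameter are this example's own; the header names and values are the ones from the report.

```php
<?php
// Added example, not part of osCommerce. Call this before any output, e.g. as
// the first statement of includes/template_top.php (above the <!DOCTYPE html>
// line) or at the end of includes/application_top.php, which catalog pages
// include before they print anything.
//
// send_frame_protection_headers() and $allowed_origins are names invented
// for this example.

function send_frame_protection_headers(array $allowed_origins = array())
{
    // header() is ignored once output has started; that is the usual reason a
    // header "never shows up" in a scan. Fail loudly so the mistake is visible
    // in the PHP error log instead of silently leaving the page unprotected.
    if (headers_sent($file, $line)) {
        trigger_error(
            "Frame protection headers not sent: output already started at $file:$line",
            E_USER_WARNING
        );
        return false;
    }

    if (empty($allowed_origins)) {
        // Default: only this site may frame its own pages. SAMEORIGIN keeps any
        // iframes the store itself uses (same host) working, and the CSP
        // frame-ancestors directive says the same thing for modern browsers.
        header('X-Frame-Options: SAMEORIGIN');
        header("Content-Security-Policy: frame-ancestors 'self'");
    } else {
        // X-Frame-Options has no multi-origin form (ALLOW-FROM is obsolete and
        // not supported by current browsers), so when other origins must be
        // allowed to frame the page, rely on frame-ancestors alone.
        $list = "'self' " . implode(' ', $allowed_origins);
        header("Content-Security-Policy: frame-ancestors $list");
    }

    return true;
}

// Usage (constructed): protect the page with the default same-origin policy.
send_frame_protection_headers();

// Usage (constructed): additionally allow one named partner origin to frame the page.
// send_frame_protection_headers(array('https://partner.example'));
```

Two caveats worth knowing before checking the result: putting these values in a <meta http-equiv> tag in the HTML head does not work, because browsers ignore both X-Frame-Options and frame-ancestors delivered that way, so the header really has to come from PHP or the web server; and on Apache with mod_headers the .htaccess equivalent is Header always set X-Frame-Options "SAMEORIGIN", which also covers files PHP never touches. Whichever route you take, confirm it with a HEAD request against one of the pages the scan listed and look for the header in the response before asking for a rescan.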

Thanks for that.

I have also found this on developer.mozilla.org. Could it be used in template_top?

"To configure IIS to send the X-Frame-Options header, add this to your site's Web.config file: "

<system.webServer>
  ...

  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="sameorigin" />
    </customHeaders>
  </httpProtocol>

  ...
</system.webServer>


Are you sure that's not intended to go in the .htaccess file? You might want to check that first. I've never heard of it referred to as "Web.config". Maybe it's a configuration file unique to IIS? If you're using IIS, it should be easy enough to check. Otherwise, ignore it.

Regarding your TLS 1.0, you should remind your host that 1.0 and 1.1 are quite insecure, and they should be at 1.2 soon. Also, the major browser makers (Mozilla, Microsoft, Google) have announced that they will drop browser support in the spring of 2020 for TLS 1.0 and 1.1, so hosts should be planning to upgrade before long.


If you are running the "official" osC 2.3.4 or 2.3.4.1 download, your installation is obsolete! Get (stable) Frozen or (unstable) Edge. See also the naming convention and the latest community-supported responsive "Edge" release

3 minutes ago, MrPhil said:

Regarding your TLS 1.0, you should remind your host that 1.0 and 1.1 are quite insecure, and they should be at 1.2 soon.

What confuses me is that they have 1.2, but 1.0 and 1.1 are still listed in server info. When I run a test in SSL Labs only 1.2 is detected, but Security Metrics detected all 3 versions.


13 minutes ago, MrPhil said:

Are you sure that's not intended to go in the .htaccess file?

You are correct, it was for IIS.

Is this for Linux .htaccess?

-------------------------------------------------------------------

To configure nginx to send the X-Frame-Options header, add this either to your http, server or location configuration:

add_header X-Frame-Options sameorigin;


Apparently the security scan thinks that there's a chance that 1.0 or 1.1 might end up being used as fallbacks by back-level browsers that don't support 1.2. That's my guess as to why they would flag it. Anyway, you might bring this to the attention of your host and discuss whether it's worth suppressing fallback to 1.0 or 1.1 (I think it can be done, but what's involved, I don't know). Any customer with an old browser that doesn't support TLS 1.2 would be out of luck. You might want to check browser histories and usage statistics, to see how many customers might potentially be affected.



I don't know if nginx uses .htaccess. It's yet another server (technically, Apache is your server, not Linux, which is the operating system of the server machine -- yes, "server" is ambiguous). Apache runs on a variety of operating systems, including Windows, Mac, and Linux, and maybe others.


