Kryptronic Software Support Forum


#1 04-11-2012 09:41:11

ElbiwNi
Member
From: Oxford, England
Registered: 07-30-2010
Posts: 16

PCI Compliance issues with EUR7

My PCI scan has a fail on the shop with:

Auto-complete is not disabled on password fields. The remote web server contains at least HTML form field containing an input of type ‘password’ where ‘autocomplete’ is not set to ‘off’. While this does not represent a risk to this web server per se, it does mean that users who use the affected forms may have their credentials saved in their browsers, which could in turn lead to a loss of confidentiality if any of them use a shared host or their machine is compromised at some point. www (443/tcp) id:56306.

Page :
/shop/index.php?app=cms&ns=login&sid=qv76piw6330396917y4142axp102ilji

Destination Page :
https://www.xxxxxxxxx.com/shop/index.php
Input name : core—login—password
Page : /shop/index.php?app=cms&ns=login

Destination Page :
https://www.xxxxxxxxx.com/shop/index.php
Input name : core—login—password
Page : /shop/index.php?app=ecom&ns=login

Destination Page :
https://www.xxxxxxxxx.com/shop/index.php
Input name : core—login—password
Page :
/shop/index.php?app=ecom&ns=login&redir_ns=viewcart

Destination Page :
https://www.xxxxxxxxx.com/shop/index.php
Input name : core—login—password
Page : /shop/index.php?app=cms&ns=createaccount

Destination Page :
https://www.xxxxxxxxx.com/shop/index.php
Input name : core—createaccount—passnew1
Input name : core—createaccount—passnew2
Page : /shop/index.php?app=ecom&ns=createaccount

Destination Page :
https://www.xxxxxxxxx.com/shop/index.php
Input name : core—createaccount—passnew1
Input name : core—createaccount—passnew2

I would like to use a <input type="text" autocomplete="off"> but I am unsure of the implications of doing this on the shop and also the exact location of the html code source


Cheers,

Aaron
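An added check, not part of the original post and not Kryptronic's code: it audits a page the way the scan finding above describes (every input of type password whose autocomplete attribute is not set to off) and applies the corresponding one-line mitigation. The form markup and field names are constructed stand-ins for the login and createaccount forms listed above.

```python
import re
from html.parser import HTMLParser


class PasswordAutocompleteAudit(HTMLParser):
    """Collect password inputs whose autocomplete attribute is not "off"."""

    def __init__(self):
        super().__init__()
        self.checked = 0      # password inputs seen
        self.findings = []    # names of password inputs lacking autocomplete="off"

    def handle_starttag(self, tag, attrs):
        # HTMLParser routes self-closing <input ... /> here as well.
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "text").strip().lower() != "password":
            return
        self.checked += 1
        if a.get("autocomplete", "").strip().lower() != "off":
            self.findings.append(a.get("name", "<unnamed>"))


def audit_password_fields(html):
    """Return (number of password inputs, names of those failing the check)."""
    p = PasswordAutocompleteAudit()
    p.feed(html)
    p.close()
    return p.checked, p.findings


INPUT_TAG = re.compile(r"<input\b[^>]*>", re.IGNORECASE)


def add_autocomplete_off(html):
    """Mitigation: add autocomplete="off" to password inputs that lack it."""
    def patch(m):
        tag = m.group(0)
        if not re.search(r'type\s*=\s*["\']?password', tag, re.I):
            return tag
        if re.search(r"\bautocomplete\s*=", tag, re.I):
            return tag            # already has an explicit value; leave it
        if tag.endswith("/>"):    # keep the self-closing form intact
            return tag[:-2].rstrip() + ' autocomplete="off" />'
        return tag[:-1] + ' autocomplete="off">'
    return INPUT_TAG.sub(patch, html)


# Constructed sample forms (not the shop's real markup).
SAMPLE_LOGIN = ('<form action="/shop/index.php" method="post">'
                '<input type="text" name="core-login-username" />'
                '<input type="password" name="core-login-password" /></form>')
SAMPLE_CREATE = ('<form action="/shop/index.php" method="post">'
                 '<input type="password" name="core-createaccount-passnew1" />'
                 '<input type="password" name="core-createaccount-passnew2" '
                 'autocomplete="off" /></form>')
```

Current browsers ignore autocomplete="off" on password fields, so this clears the scanner's check rather than preventing the browser from offering to save the password.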


#2 04-11-2012 09:54:25

ElbiwNi
Member
From: Oxford, England
Registered: 07-30-2010
Posts: 16

Re: PCI Compliance issues with EUR7

And also with regard to PCI compliance any suggestions on this?

SQL injection occurs when user input is not correctly validated, and allows an SQL statement to be manipulated. This results in potential access to sensitive data, and alteration or removal of data. http (80/tcp) id:79051.

The following pages on http://www.xxxxxxxxxx.com:80/ are vulnerable:

GET /shop/index.php?app=cms&ns=createaccount [Parameters: app, ns]
GET /shop/index.php?app=cms&ns=display&ref=splash&sid=r595ga400ob89fs2w7b04igy4sz2se82&portrelay=1 [Parameters: sid]
GET /shop/index.php?app=cms&ns=display&ref=storepolicies [Parameters: app, ns, ref]
GET /shop/index.php?app=ecom&ns=checkoutfn&sid=r595ga400ob89fs2w7b04igy4sz2se82 [Parameters: app, ns, sid]
GET /shop/index.php?app=ecom&ns=login&redir_ns=viewcart [Parameters: ns, redir_ns]
GET /shop/index.php?app=ecom&ns=login&redir_ns=viewcart&sid=r595ga400ob89fs2w7b04igy4sz2se82 [Parameters: app, ns, redir_ns, sid]
GET /shop/index.php?app=ecom&ns=viewcart&sid=r595ga400ob89fs2w7b04igy4sz2se82&portrelay=1 [Parameters: portrelay, sid]


Cheers,

Aaron


#3 04-11-2012 10:49:11

bbac
Member
From: Bristol, UK
Registered: 08-25-2008
Posts: 141

Re: PCI Compliance issues with EUR7

At what vulnerability level are these issues on your scan? Any level 2 or 1 issues, just ignore them. Life's too short. Personally I strongly dislike sites that set autocomplete off. The message is "While this does not represent a risk to this web server" so it's not your problem. There is a theoretical risk that someone is standing behind me with a gun forcing me to enter my password. You can't prevent that with PCI-DSS either.


#4 04-11-2012 10:53:47

ElbiwNi
Member
From: Oxford, England
Registered: 07-30-2010
Posts: 16

Re: PCI Compliance issues with EUR7

Unfortunately bbac the pen testers that we use will fail me on PCI if I can't either show it as a false positive or fix it, the b*****s which means I get fined every month for using Credit Cards! sad
Vulnerability: Web Server Allows 4.7 Password Auto-Completion (PCI-DSS variant)
Severity: Medium
Compliance: FAIL

Last edited by ElbiwNi (04-11-2012 10:56:33)


Cheers,

Aaron


#5 04-11-2012 15:50:15

Dave
Member
Registered: 07-05-2003
Posts: 11233

Re: PCI Compliance issues with EUR7

ElbiwNi wrote:

SQL injection occurs when user input is not correctly validated, and allows an SQL statement to be manipulated. This results in potential access to sensitive data, and alteration or removal of data. http (80/tcp) id:79051.

The following pages on http://www.xxxxxxxxxx.com:80/ are vulnerable:

IMO that's a completely made up, and false, assumption. Unless they have examined every line of code in every application that they scan they cannot possibly know whether or not parameters being passed in a URL are vulnerable. In the case of CCP every parameter passed, whether via GET or POST, is thoroughly and carefully checked and validated.

Challenge their findings. In the PCI scans I've been involved in, I've found that they will back off on "stupid" things like this quickly simply because they cannot prove that it is in fact a vulnerability.


#6 04-11-2012 16:06:52

Dave
Member
Registered: 07-05-2003
Posts: 11233

Re: PCI Compliance issues with EUR7

ElbiwNi wrote:

I would like to use a <input type="text" autocomplete="off"> but I am unsure of the implications of doing this on the shop and also the exact location of the html code source

Doing so will cause any page with an input type of password to no longer validate as XHTML. autocomplete="off" is not a valid tag and will result in a message when checking the page that says:

there is no attribute "autocomplete"

You would not need to change the input type of text, just the input type of password. Regardless, you would be taking a step backwards. Challenge the PCI scanning company to show you where autocomplete="off" is part of the XHTML specification.

CCP takes GREAT pains to generate valid XHTML pages. There is no way somebody can force you to make them invalid because of some perceived issue (and it is simply that, a perceived issue). Keep in mind that PCI scanning companies can only make themselves of value if they can dream up enough "things to find" whether or not the things that they find are valid concerns.

Once in a great while they will actually find something but it isn't often.

If you really want to break your XHTML compliant pages modify the Formfield: Password include which you'll find under System > Displays > Display Includes and add the non-compliant autocomplete="off" to the input tag you'll find there.


#7 04-11-2012 16:49:42

cyberws
Member
From: Atlanta, GA
Registered: 02-05-2004
Posts: 756

Re: PCI Compliance issues with EUR7

I agree with Dave.  If your PCI scanning company is so dense they can't recognize the facts in Dave's post then it is time for a new PCI scanning company.


Jeremy O

Production CCP .:. Version 6 w/QuickBuy and many in house hacks
Skills: PHP & Perl programming, Solaris & Linux server administration, Oracle OCP training and MySQL experience


#8 04-12-2012 06:44:43

bbac
Member
From: Bristol, UK
Registered: 08-25-2008
Posts: 141

Re: PCI Compliance issues with EUR7

ElbiwNi wrote:

Unfortunately bbac the pen testers that we use will fail me on PCI if I can't either show it as a false positive or fix it, the b*****s which means I get fined every month for using Credit Cards! sad
Vulnerability: Web Server Allows 4.7 Password Auto-Completion (PCI-DSS variant)
Severity: Medium
Compliance: FAIL

Sadly 4.7 is a fail. I wonder why I don't get this on my PCI-DSS scan of my shop....
PCI-DSS is total bull, but it makes money for the consultants and the banks whilst protecting no-one at all. Will look at autocomplete=off in CCP when I have a few mins spare.
