PCI DSS Compliance

Posted: July 23, 2012 at 10:19 AM Quote #74903
One of our Nop sites is suddenly failing PCI DSS compliance. Can anyone help with these issues?

Title: ZixForum database accessible over web (ZixForum.mdb)
Impact: Attackers may access (read or destroy) application information, and in worst cases may take administrative control of the application.
Data Sent: GET /filenotfound.htm?aspxerrorpath=/cgi-bin/ZixForum.mdb HTTP/1.0 Host: inkredible.co.uk User-Agent: Mozilla/4.0 Connection: Keep-alive Cookie: Nop.customer=214401fe-0a3b-4f5a-a0a2-d584d8487122
Data Received: HTTP/1.1 200 OK
Resolution: Download a fix for [http://www.john.mypc.nu/Zix/] ZixForum when one becomes available, or configure the web server to deny access to ZixForum.mdb files.
Risk Factor: High / CVSS2 Base Score: 7.8 (AV:N/AC:L/Au:N/C:C/I:N/A:N)

Title: NewsTraXer database accessible over web (nTrax.mdb)
Impact: Attackers may access (read or destroy) application information, and in worst cases may take administrative control of the application.
Data Sent: GET /filenotfound.htm?aspxerrorpath=/cgi-bin/Dbase/nTrax.mdb HTTP/1.0 Host: inkredible.co.uk User-Agent: Mozilla/4.0 Connection: Keep-alive Cookie: Nop.customer=214401fe-0a3b-4f5a-a0a2-d584d8487122
Data Received: HTTP/1.1 200 OK
Resolution: No vendor solution to the NewsTraXer problem was available at the time of this writing. It would be advisable to configure the web server to password protect the Dbase directory if possible, or to remove the software.
Risk Factor: High / CVSS2 Base Score: 7.8 (AV:N/AC:L/Au:N/C:C/I:N/A:N)

Title: News database accessible over web (news.mdb)
Impact: Attackers may access (read or destroy) application information, and in worst cases may take administrative control of the application.
Data Sent: GET /filenotfound.htm?aspxerrorpath=/cgi-bin/news.mdb HTTP/1.0 Host: inkredible.co.uk User-Agent: Mozilla/4.0 Connection: Keep-alive Cookie: Nop.customer=214401fe-0a3b-4f5a-a0a2-d584d8487122
Data Received: HTTP/1.1 200 OK
Resolution: To secure the Compulsive Media News database, configure the web server to deny access to the news.mdb file.
Risk Factor: High / CVSS2 Base Score: 7.8 (AV:N/AC:L/Au:N/C:C/I:N/A:N)
Darren Pegram
www.inkredible.co.uk

Twitter: @darrenpegram
Posted: July 23, 2012 at 11:19 AM Quote #74913
The three items are not being found, and since CustomErrors is On (or RemoteOnly), the 404 request is redirected to the file filenotfound.htm as defined in Web.config. So it sends an HTTP code 302 for the redirect and a code 200 for filenotfound.htm. Since an HTTP status code 200 is returned for the tested URLs, the testing script flags these vulnerabilities as existing on the server.

You can turn Off CustomErrors or try the following solution (untested, but should return the CustomError page and the 404 status code):
http://blog.stormid.com/2009/08/asp-net-customerrors-and-real-http-status-codes-404s-not-302s/

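To see why the scanner reports a hit, here is an added example (not from the poster or from nopCommerce) that mocks both behaviours on a throw-away local HTTP server and probes the three paths from the report the way a scanner does, following redirects by hand and recording the status codes. The handler classes, probe paths taken from the report above, and the placeholder error page body are all constructed for this demo.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
PROBE_PATHS = ["/cgi-bin/ZixForum.mdb", "/cgi-bin/Dbase/nTrax.mdb", "/cgi-bin/news.mdb"]
NOT_FOUND_PAGE = b"<html><body>Page not found</body></html>"  # stand-in for filenotfound.htm

class RedirectingHandler(BaseHTTPRequestHandler):
    """Mock of the reported behaviour: 302 to filenotfound.htm, then that page with 200."""
    def do_GET(self):
        if self.path.startswith("/filenotfound.htm"):
            self._send(200, NOT_FOUND_PAGE)
        else:
            self.send_response(302)
            self.send_header("Location", "/filenotfound.htm?aspxerrorpath=" + self.path)
            self.end_headers()
    def _send(self, status, body):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):  # keep the demo quiet
        pass

class Fixed404Handler(RedirectingHandler):  # desired behaviour: same page, real 404 status
    def do_GET(self):
        self._send(404, NOT_FOUND_PAGE)

def probe(host, port, path, max_hops=5):
    """GET a path, following redirects by hand; return the status codes a scanner sees."""
    chain = []
    for _ in range(max_hops):
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request("GET", path, headers={"User-Agent": "Mozilla/4.0"})
        resp = conn.getresponse()
        chain.append(resp.status)
        location = resp.getheader("Location")
        conn.close()
        if resp.status not in (301, 302, 303, 307, 308) or not location:
            break
        path = location  # the mock's Location is path-relative; a real probe would parse it
    return chain  # scanner rule from the thread: last code 200 => "file accessible"

def audit(handler):  # serve one mock behaviour on a random local port and probe every path
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return {p: probe("127.0.0.1", srv.server_port, p) for p in PROBE_PATHS}
    finally:
        srv.shutdown()
        srv.server_close()
```

Running `audit(RedirectingHandler)` gives `[302, 200]` for every path, which is exactly the false positive described above, while `audit(Fixed404Handler)` gives `[404]`; pointing `probe` at a real host after the Web.config change is a quick way to confirm the fix before re-running the PCI scan.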
Posted: July 23, 2012 at 11:21 AM Quote #74916
Hello again Darren,

I think that this has nothing to do with NopCommerce. The warning says that the DB files are accessible through the internet; you should probably set up permissions on folders and databases.

My 2 cents, not a sysadmin here.
Posted: July 23, 2012 at 11:30 AM Quote #74922
I love this community! All morning spent scratching my head over 2 issues. 2 posts to the Nop forum and minutes later I have 1 solution and 1 issue being looked at by a member.

Thank you guys!
Darren Pegram
www.inkredible.co.uk

Twitter: @darrenpegram