Post by kdmp » Thu Aug 11, 2011 10:47 pm

Ya the OpenSSL reports take a bit of research. The changelog comes in handy to see if it has been backported. Plus you have to make sure your host doesn't accept connections with SSL 2. :crazy:

Kevin Davidson
Purolator Shipping Module
Canpar Shipping Module
VQMod - Paypal Transaction ID to Payment Details


Active Member

Posts

Joined
Thu Jun 04, 2009 10:40 am
Location - Ontario, Canada

Post by kdmp » Fri Aug 12, 2011 12:23 pm

Hey Q,

Added your meta tag to my header.tpl and still end up with this from HackerGuardian:
Status Fail (This must be resolved for your device to be compliant).
Plugin "Non-persistent Cross-Site Scripting Vulnerability"

Category "CGI abuses : XSS "

Priority "Medium Priority
Description The following CGI script seem to be vulnerable to XSS non-persistent hole : /index.php
Unsafe arguments : keyword

Unsafe URLs : /index.php?keyword=%2bADw-%2ftitle%2bAD4APA-script%2bAD4-alert(12345)%2bADs
APA-%2fscript%2bAD4&route=product%2fsearch (XSS pattern: +ADw-/title+AD4APA-script+AD4-alert(12345)+ADsAPA-/script+AD4)

An attacker may change 'Content-Type' and 'Charset' for dinamically generated site, include some script in UTF-7 into the page header and execute it for destructive actions


Risk factor Medium / CVSS Base Score : 4.3

Solution
always set 'Content-Type' and 'Charset' for html page via 'meta' tag before any changeable info

Kevin Davidson
Purolator Shipping Module
Canpar Shipping Module
VQMod - Paypal Transaction ID to Payment Details


Active Member

Posts

Joined
Thu Jun 04, 2009 10:40 am
Location - Ontario, Canada

Post by Qphoria » Fri Aug 12, 2011 7:25 pm

Sounds like your PCI company is bullshittin :)
Appeal it and tell them that exists in your source.

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am

Post by kdmp » Tue Aug 16, 2011 3:42 am

LOL. I did, just waiting for their response. It's the first thing in the <head> tags so I would like to know how I can move that any higher... :o

Kevin Davidson
Purolator Shipping Module
Canpar Shipping Module
VQMod - Paypal Transaction ID to Payment Details


Active Member

Posts

Joined
Thu Jun 04, 2009 10:40 am
Location - Ontario, Canada

Post by Qphoria » Tue Aug 16, 2011 3:49 am

Good news on my end. With the help of my webhost, we have satisfied the PCI company testing and they have marked my site as passed :) Both my webhost and PCI company were very responsive to the situation and had it resolved within 2 hours.

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am

Post by Xsecrets » Tue Aug 16, 2011 6:06 am

the only thing I can think about that one error above is that when you pass in a keyword in the search it is put in the title, so I suppose you could pass in something malicious and it will spit it back, though with it being in the title tag I'm not sure if you can make it do anything. Also I didn't even look to see if any sort of sanitation is done on it.

OpenCart commercial mods and development http://spotonsolutions.net
Layered Navigation
Shipment Tracking
Vehicle Year/Make/Model Filter


Guru Member

Posts

Joined
Sun Oct 25, 2009 3:51 am
Location - FL US

Post by openmind » Tue Nov 22, 2011 6:45 am

Qphoria wrote:
Xsecrets wrote:

Code: Select all

if (isset($this->request->post['redirect'])) {
                if(strpos($this->request->post['redirect'], HTTP_SERVER) === false){
                    $redirect_error = true;
                } elseif(strpos($this->request->post['redirect'], HTTPS_SERVER) === false) {
                    $redirect_error = true;
                } else {
                    $redirect_error = false;
                }
                if($redirect_error == true){
                    $this->redirect(HTTP_SERVER . 'index.php?route=common/home');
                } else {
                    $this->redirect($this->request->post['redirect']);
                }
            } else {
                $this->redirect(HTTP_SERVER . 'index.php?route=common/home');
            }
 
It's late here and maybe I'm not seeing it.. but couldn't this be simplified to just:

Code: Select all

if (isset($this->request->post['redirect']) && strpos($this->request->post['redirect'], HTTP_SERVER) !== false) {
    $this->redirect($this->request->post['redirect']);
} else {
    $this->redirect(HTTP_SERVER . 'index.php?route=common/home');
}
 
But if you use strpos just like here, the attacker is able to use url spoofing like http://www.somesite.com/www.yoursitedomain.com/, instead should be used strripos to check from right to left and must match from 0 position, even inho, should be check at redirect function like this example:

Code: Select all

    protected function redirect($url, $status = 302,$outside = false) {
        if ($outside) {
            header('Status: ' . $status);
            header('Location: ' . str_replace('&', '&', $url));
            exit();
        }
        $go = @parse_url($url,PHP_URL_HOST);
        $http = parse_url(HTTP_SERVER,PHP_URL_HOST);
        $https = parse_url(HTTPS_SERVER,PHP_URL_HOST);
        if (strripos($go,$http) === 0 OR strripos($go,$https) === 0) {
            header('Status: ' . $status);
            header('Location: ' . str_replace('&', '&', $url));
        } else {
            header('Status: 404');
            header('Location: ' . $this->url->link('error/not_found'));
        }
        exit();
    }
 

New member

Posts

Joined
Tue Jan 05, 2010 7:52 am

Post by Xsecrets » Tue Nov 22, 2011 3:43 pm

actually no that would not pass since HTTP_SERVER = 'http://yourdomain.com' and that string is not found in http://theirdomain.com/yourdomain.com the best they could do is redirect you to a non existent page on your domain. Even so this was never a big issue since no data would ever get passed.

OpenCart commercial mods and development http://spotonsolutions.net
Layered Navigation
Shipment Tracking
Vehicle Year/Make/Model Filter


Guru Member

Posts

Joined
Sun Oct 25, 2009 3:51 am
Location - FL US

Post by jossoway » Mon Mar 12, 2012 8:41 pm

Hi,

I've read through this thread, and I apologise for having to ask, but is OpenCart 1.5.1 and up PCI Compliant? I know there are a lot of issues that can affect PCI Compliance outside of OC itself, but does OC meet the required standard(s) ? Have the various changes listed / suggested been adopted into OC?

John
:-/

New member

Posts

Joined
Fri May 27, 2011 4:51 pm

Post by rph » Tue Mar 13, 2012 6:03 am

It's impossible to say because scanning companies aren't consistent. That being said I've never run into an issue specific to OpenCart. 9 out of 10 times it's a false positive related to server setup.

-Ryan


rph
Expert Member

Posts

Joined
Fri Jan 08, 2010 5:05 am
Location - Lincoln, Nebraska

Post by Demon5 » Wed Mar 21, 2012 2:04 pm

1.5.1 didn't have any problems passing with either comodo hackerguardian or mcafee. I have not tried my 1.5.2.1 yet because it would kill my server before I have this category speed issue sorted out with the new version. (wish vqmod I was using worked for this).

https://www.lotnllc.com is your one stop shop for all your computer needs!


User avatar
Active Member

Posts

Joined
Sat Jun 19, 2010 4:12 am
Location - Sacramento, CA

Post by scanreg » Wed May 09, 2012 9:51 pm

very interested in this too

Active Member

Posts

Joined
Thu May 06, 2010 12:15 am

Post by Nimitz1061 » Thu May 10, 2012 1:21 am

To clarify: The question "Is Open Cart PCI compliant" (or "AnyCartYouWantToName" for that matter) is far from the end of the matter. While it is am important part of PCI compliance overall, there are many areas in which one can fail to be compliant.

The scope of PCI includes, but may not be limited to:

1. The computers used by the store owners to operate the store (any computer, anywhere, any time)
2. The servers on which the store and it's database and email servers reside (and possibly other servers).
3. The servers on which the payment gateways reside
4. The connections between the visitor and the store
5. The connections between the store and the payment gateway
6. The connections between the visitor and the payment gateway for "hosted page" type services..

The basic objective is to assure a secure environment from one end of each process to another.

The key word there is process - and that explains a lot of comments and questions about PCI.

Scanning vendors are going to have different requirements for all of the environments involved, if they are doing the job right. The things any one store operator, host or application developer needs to do to "be compliant" is going to vary according to their specific operating environment and practices. So, anyone who answers a flat "yes" to the question as to whether a particular cart is "PCI Compliant" is either a fool or a liar. The question is somewhat meaningless.

A more relevant question might be "Is Open Cart PCA-DSS certified?". But even that question is not as significant as some folks would think.

A certified cart can itself be rendered "non compliant" by flaws on the underlying platform.

I will say I see no reason that any version of Open Cart can't be used in a PCI compliant environment.

Specializing in secure Hosting 4 OpenCart based eCommerce websites.


New member

Posts

Joined
Sat Mar 24, 2012 7:49 pm
Location - United States

Post by scanreg » Thu May 10, 2012 2:12 am

Here is zencart's listing, on Page 61, almost last one on page, Zen Ventures, LLC:

https://www.pcisecuritystandards.org/ap ... ations.php

Active Member

Posts

Joined
Thu May 06, 2010 12:15 am

Post by Nimitz1061 » Fri May 11, 2012 7:03 pm

What Scanreg is referring to is a cart's listing in the PCA-DSS certification list. Significant things to note when looking at that list is that the PCI standards org requires you to accept a disclaimer that includes the following statement:
PCI SSC makes no endorsement or recommendation of applications or products, or of their respective developers or distributors. Furthermore, PCI SSC makes no warranties, guarantees or representations that any of the applications or products will meet your requirements for performance or functionality, that the applications or products will be free from errors or malicious code, or that the applications or products will be compatible with any other systems or applications. Any and all representations or warranties, including any and all representations and warranties made by the payment application vendor, are disclaimed by PCI SSC.

Most importantly they state:
Use of any one or more of the applications below (i) does not guarantee or ensure compliance with the PCI DSS or PA-DSS; and (ii) does not satisfy any Acquirers' obligations to perform their own evaluations and due diligence, to ensure the PCI DSS or PA-DSS compliance of their merchants or service providers.


Which pretty much boils down to what I said before - PCI compliance is an ongoing process. No one component can be presumed to be secured based on any snapshot evaluation taken at a fixed point in time.

David

Specializing in secure Hosting 4 OpenCart based eCommerce websites.


New member

Posts

Joined
Sat Mar 24, 2012 7:49 pm
Location - United States

Post by Qphoria » Sat May 12, 2012 2:58 am

My merchant account requires that I do a PCI scan quarterly using controlscan.com
They only test server vulnerabilities and have no connection with opencart or knowledge of what I am using.
That said, the biggest PCI compatibility factor tends to be the saving of data. And as far as I know... storing of the CVV and processing cards onsite over non-SSL protected pages are the only no-nos. OpenCart doesn't do either. It comes down to 3rd party payment extensions for storage and you and your host for proper SSL and server protection.

Being PCI compliant is more about NOT doing something wrong. By default, everything is PCI compliant until it crosses that line. Neither OpenCart or any of its built-in extensions cross that line.

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am

Post by Nimitz1061 » Wed May 23, 2012 12:14 am

Provided Control Scan meets the requirements to remain an ASV (Approved Scanning Vendor), they are covering two scanning requirements that directly impact (and check) the Open Cart installation. The first is that the ASV will scan every web server in the provided IP range(s). The second is that they will scan every Virtual Host on each web server.

This is done using rule based accesses to various pages that check for a wide variety of vulnerabilities and exposures both generically, and specifically based on available CVE (Common Vulnerabilities and Exposures) reports. There are five of these reports related to Open Cart, so there is almost certainly a set of scanning modules which address CVE's related to Open Cart.

Unless specifically configured not to, these modules will be ran, positives will be reported and mitigation will be required to attain compliance certification. Negatives don't get reported, so it is easy to form the impression that scanners are not aware of various applications, if you have the latest release installed..

David

Specializing in secure Hosting 4 OpenCart based eCommerce websites.


New member

Posts

Joined
Sat Mar 24, 2012 7:49 pm
Location - United States

Post by wavgen » Wed Jun 13, 2012 11:47 pm

THE FACT of the matter is that ANY cart solution will most probably fail for a number of reason listed above. Most importantly its your ISP where you host your mySQL databases and your web site php and conf scripts. There are two or three tweaks that I see need to happen from Daniel and his group at OPENCART to make this viable and 100% compliant cart solution. Joomla and WordPress are the same.

Another FACT is that you need to take your time in the scanning and work with a PCI Compliancy site to beef things up, one issue at a time. This usually costs $$$ but the scans are free.

SCAN: https://www.trustwave.com/

A SCAN takes about 12-24 hours. You will need your Authorize.NET merchant ID as they LINK WITH IT!! Its FREE and a great SCAN. You then can pick away at the issues and AGAIN (1) some will be with your ISP, (2) some will be with mySQL and beefing that up, (3) some will be a more secure SSL certificate which your ISP will sell you for $50 bucks / year, (4) some will be an opencart tweak, (5) et cetera.

I have thought just to pay the extra $35 bucks per month that the bank takes as an insurance chit, and have not yet fully complied BECAUSE it is a pain in the butt. :-\

WavGen

Newbie

Posts

Joined
Wed Jun 13, 2012 11:40 pm

Post by scanreg » Fri Jun 15, 2012 1:45 am

There are two or three tweaks that I see need to happen from Daniel and his group at OPENCART to make this viable and 100% compliant cart solution. Joomla and WordPress are the same.
What are they?

Thanks

Active Member

Posts

Joined
Thu May 06, 2010 12:15 am

Post by Avvici » Fri Jun 15, 2012 10:32 am

Ok I mean really. ::) All this PCI this, PCI that. Most customers don't even know what it is let alone ask...
1) Install SSL on your server (preferably Dedicated IP and not shared SSL. If you are wondering why just run a search there are tons of posts about it. Show your customers you are a safe haven for entering such things as credit card numbers and email addresses. Have a privacy policy that talks about what you do with the data you take.
2) Don't store sensitive data on the server including CCV, CC numbers, SS numbers or what have you. 0 Liability means you get to leave it up to the powers that be that are already set up to do this ie Pay Pal, A.net, ogone, Sage pay and many more.

Other than that...relax and don't waste tons of money on silly PCI scanners (unless you think it will boost customer sales. Yes, having MACAFEE SECURE on your site can boost sales but only because of the NAME. Vulnerabilities, loop holes, weak spots, potential security holes can be found without them and frequently are. Out of the box Open Cart (as a developer and being familiar with different hacks and phishing techniques) has got a ton of potential in the realm of security which is great news because it means most of the work is already done for you.

If you are brave enough (or MUST ) store Social Security Numbers or CC numbers on your rack and have the capital to back a real PCI program/logic then by all means.....worry...and do your thing;) Do your thing.... If not, buy an SSL, have a beer....and make some money

User avatar
Expert Member

Posts

Joined
Tue Apr 05, 2011 12:09 pm
Location - Asheville, NC
Who is online

Users browsing this forum: No registered users and 14 guests