Kevin Davidson
Purolator Shipping Module
Canpar Shipping Module
VQMod - Paypal Transaction ID to Payment Details
Added your meta tag to my header.tpl and still end up with this from HackerGuardian:
Status: Fail (This must be resolved for your device to be compliant).
Plugin: "Non-persistent Cross-Site Scripting Vulnerability"
Category: "CGI abuses : XSS"
Priority: "Medium Priority"
Description: The following CGI script seems to be vulnerable to an XSS non-persistent hole: /index.php
Unsafe arguments: keyword
Unsafe URLs: /index.php?keyword=%2bADw-%2ftitle%2bAD4APA-script%2bAD4-alert(12345)%2bADsAPA-%2fscript%2bAD4&route=product%2fsearch (XSS pattern: +ADw-/title+AD4APA-script+AD4-alert(12345)+ADsAPA-/script+AD4)
An attacker may change 'Content-Type' and 'Charset' for a dynamically generated site, include some script in UTF-7 into the page header and execute it for destructive actions.
Risk factor: Medium / CVSS Base Score: 4.3
Solution: always set 'Content-Type' and 'Charset' for the HTML page via a 'meta' tag before any changeable info.
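The scanner's finding above is about charset sniffing: if the page does not declare its encoding before the reflected `keyword`, a browser can be coaxed into reading the `+ADw-` sequences as UTF-7 markup. The following is an added example, not OpenCart's header.tpl and not code from the thread; `renderSearchHead()` is a hypothetical helper that shows the three defences together: the charset in the HTTP header, the charset `meta` placed before the `title`, and HTML escaping of the keyword.

```php
<?php
// Added example (not OpenCart's own template code): render the <head> of a
// search page so that the reflected keyword cannot be reinterpreted as UTF-7.

function renderSearchHead(string $keyword): string {
    // 1. Declare the charset in the HTTP header: browsers honour it over any
    //    content sniffing and over a <meta> tag that appears too late.
    if (!headers_sent()) {
        header('Content-Type: text/html; charset=UTF-8');
    }
    // 2. Escape the untrusted value for an HTML context; the explicit 'UTF-8'
    //    argument also drops byte sequences that are not valid UTF-8.
    $safe = htmlspecialchars($keyword, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // 3. Put the Content-Type/charset <meta> first in <head>, before the
    //    <title> that carries the keyword, as the scanner's advice requires.
    return "<!DOCTYPE html>\n<html>\n<head>\n"
         . "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\">\n"
         . "<title>Search - {$safe}</title>\n"
         . "</head>\n";
}

// Constructed input: the decoded form of the scanner's own UTF-7 test string.
$probe = '+ADw-/title+AD4APA-script+AD4-alert(12345)+ADsAPA-/script+AD4';
$head  = renderSearchHead($probe);

// Sanity checks: the charset declaration precedes the reflected value, and
// no literal '<' from user input reached the markup.
assert(strpos($head, 'charset=UTF-8') < strpos($head, '<title>'));
assert(substr_count($head, '<') === 5); // doctype, html, head, meta, title only
echo $head;
```

With the charset fixed by the header and the leading `meta`, the `+ADw-` text stays literal text in every browser rather than being decoded to `<`.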
OpenCart commercial mods and development http://spotonsolutions.net
Layered Navigation
Shipment Tracking
Vehicle Year/Make/Model Filter
Xsecrets wrote:
Code: Select all
if (isset($this->request->post['redirect'])) {
    if (strpos($this->request->post['redirect'], HTTP_SERVER) === false) {
        $redirect_error = true;
    } elseif (strpos($this->request->post['redirect'], HTTPS_SERVER) === false) {
        $redirect_error = true;
    } else {
        $redirect_error = false;
    }
    if ($redirect_error == true) {
        $this->redirect(HTTP_SERVER . 'index.php?route=common/home');
    } else {
        $this->redirect($this->request->post['redirect']);
    }
} else {
    $this->redirect(HTTP_SERVER . 'index.php?route=common/home');
}

Qphoria wrote:
It's late here and maybe I'm not seeing it.. but couldn't this be simplified to just:
Code: Select all
if (isset($this->request->post['redirect']) && strpos($this->request->post['redirect'], HTTP_SERVER) !== false) {
    $this->redirect($this->request->post['redirect']);
} else {
    $this->redirect(HTTP_SERVER . 'index.php?route=common/home');
}

But if you use strpos just like here, an attacker is able to use URL spoofing like http://www.somesite.com/www.yoursitedomain.com/. Instead, strripos should be used to check from right to left, and it must match from position 0. Even so, IMHO, it should be checked in the redirect function, like this example:
Code: Select all
protected function redirect($url, $status = 302, $outside = false) {
    if ($outside) {
        // Caller explicitly allows an off-site target: send it unchecked.
        header('Status: ' . $status);
        header('Location: ' . str_replace('&amp;', '&', $url));
        exit();
    }
    // Compare only the host part of the target against the store's own hosts.
    $go    = @parse_url($url, PHP_URL_HOST);
    $http  = parse_url(HTTP_SERVER, PHP_URL_HOST);
    $https = parse_url(HTTPS_SERVER, PHP_URL_HOST);
    if (strripos($go, $http) === 0 OR strripos($go, $https) === 0) {
        header('Status: ' . $status);
        header('Location: ' . str_replace('&amp;', '&', $url));
    } else {
        // Host does not match: send the visitor to the not-found page instead.
        header('Status: 404');
        header('Location: ' . $this->url->link('error/not_found'));
    }
    exit();
}
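The redirect discussion above turns on how the target URL is compared with the store's own address. As an added example (not code from the thread or from OpenCart), `isSafeRedirect()` below parses the target and requires an exact, case-insensitive host match plus an http/https scheme, so neither a substring match (`strpos`) nor a prefix match (`strripos(...) === 0`) is relied on; `HTTP_SERVER` and `HTTPS_SERVER` are constructed sample values, and the check list includes the spoofing form mentioned in the thread.

```php
<?php
// Added example (not OpenCart's code): decide whether a posted redirect target
// may be followed by comparing its parsed host exactly with the store's hosts.
// HTTP_SERVER / HTTPS_SERVER are constructed sample values for this example.
define('HTTP_SERVER',  'http://www.yoursitedomain.com/');
define('HTTPS_SERVER', 'https://www.yoursitedomain.com/');

function allowedHosts(): array {
    return array_unique([
        strtolower(parse_url(HTTP_SERVER,  PHP_URL_HOST)),
        strtolower(parse_url(HTTPS_SERVER, PHP_URL_HOST)),
    ]);
}

// True only for absolute http(s) URLs whose host is exactly one of ours.
function isSafeRedirect(string $url): bool {
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host']) || empty($parts['scheme'])) {
        return false;   // relative, malformed or scheme-less ("//host/") targets
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;   // javascript:, data:, ftp: and similar
    }
    return in_array(strtolower($parts['host']), allowedHosts(), true);
}

// Location value to send: the requested URL if safe, otherwise the home page.
function redirectTarget(?string $requested): string {
    return ($requested !== null && isSafeRedirect($requested))
        ? $requested
        : HTTP_SERVER . 'index.php?route=common/home';
}

// Constructed checks. The second URL is the spoofing form from the thread; the
// third shows why an exact host comparison is needed rather than a prefix match.
$cases = [
    'https://www.yoursitedomain.com/index.php?route=account/account' => true,
    'http://www.somesite.com/www.yoursitedomain.com/'                 => false,
    'http://www.yoursitedomain.com.somesite.com/'                     => false,
    '//www.somesite.com/'                                             => false,
    'index.php?route=account/account'                                 => false,
];
foreach ($cases as $url => $expected) {
    assert(isSafeRedirect($url) === $expected, "unexpected result for $url");
}
echo redirectTarget('http://www.somesite.com/www.yoursitedomain.com/'), "\n";
```

Relative targets are rejected here on purpose; if the store posts relative redirects, resolve them against HTTP_SERVER before calling `isSafeRedirect()` rather than loosening the host check.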
I've read through this thread, and I apologise for having to ask, but is OpenCart 1.5.1 and up PCI Compliant? I know there are a lot of issues that can affect PCI Compliance outside of OC itself, but does OC meet the required standard(s) ? Have the various changes listed / suggested been adopted into OC?
John
:-/
-Ryan
https://www.lotnllc.com is your one stop shop for all your computer needs!
The scope of PCI includes, but may not be limited to:
1. The computers used by the store owners to operate the store (any computer, anywhere, any time)
2. The servers on which the store and its database and email servers reside (and possibly other servers).
3. The servers on which the payment gateways reside
4. The connections between the visitor and the store
5. The connections between the store and the payment gateway
6. The connections between the visitor and the payment gateway for "hosted page" type services.
The basic objective is to assure a secure environment from one end of each process to another.
The key word there is process - and that explains a lot of comments and questions about PCI.
Scanning vendors are going to have different requirements for all of the environments involved, if they are doing the job right. The things any one store operator, host or application developer needs to do to "be compliant" are going to vary according to their specific operating environment and practices. So, anyone who answers a flat "yes" to the question as to whether a particular cart is "PCI Compliant" is either a fool or a liar. The question is somewhat meaningless.
A more relevant question might be "Is Open Cart PA-DSS certified?". But even that question is not as significant as some folks would think.
A certified cart can itself be rendered "non compliant" by flaws on the underlying platform.
I will say I see no reason that any version of Open Cart can't be used in a PCI compliant environment.
Specializing in secure Hosting 4 OpenCart based eCommerce websites.
https://www.pcisecuritystandards.org/ap ... ations.php
PCI SSC makes no endorsement or recommendation of applications or products, or of their respective developers or distributors. Furthermore, PCI SSC makes no warranties, guarantees or representations that any of the applications or products will meet your requirements for performance or functionality, that the applications or products will be free from errors or malicious code, or that the applications or products will be compatible with any other systems or applications. Any and all representations or warranties, including any and all representations and warranties made by the payment application vendor, are disclaimed by PCI SSC.
Most importantly they state:
Use of any one or more of the applications below (i) does not guarantee or ensure compliance with the PCI DSS or PA-DSS; and (ii) does not satisfy any Acquirers' obligations to perform their own evaluations and due diligence, to ensure the PCI DSS or PA-DSS compliance of their merchants or service providers.
Which pretty much boils down to what I said before - PCI compliance is an ongoing process. No one component can be presumed to be secured based on any snapshot evaluation taken at a fixed point in time.
David
They only test server vulnerabilities and have no connection with opencart or knowledge of what I am using.
That said, the biggest PCI compatibility factor tends to be the saving of data. And as far as I know... storing of the CVV and processing cards onsite over non-SSL protected pages are the only no-nos. OpenCart doesn't do either. It comes down to 3rd party payment extensions for storage and you and your host for proper SSL and server protection.
Being PCI compliant is more about NOT doing something wrong. By default, everything is PCI compliant until it crosses that line. Neither OpenCart nor any of its built-in extensions cross that line.
This is done using rule-based accesses to various pages that check for a wide variety of vulnerabilities and exposures, both generically and specifically based on available CVE (Common Vulnerabilities and Exposures) reports. There are five of these reports related to Open Cart, so there is almost certainly a set of scanning modules which address CVEs related to Open Cart.
Unless specifically configured not to, these modules will be run, positives will be reported and mitigation will be required to attain compliance certification. Negatives don't get reported, so it is easy to form the impression that scanners are not aware of various applications if you have the latest release installed.
David
Another FACT is that you need to take your time in the scanning and work with a PCI Compliance site to beef things up, one issue at a time. This usually costs $$$ but the scans are free.
SCAN: https://www.trustwave.com/
A SCAN takes about 12-24 hours. You will need your Authorize.NET merchant ID as they LINK WITH IT!! It's FREE and a great SCAN. You then can pick away at the issues and AGAIN (1) some will be with your ISP, (2) some will be with MySQL and beefing that up, (3) some will be a more secure SSL certificate which your ISP will sell you for $50 bucks / year, (4) some will be an opencart tweak, (5) et cetera.
I have thought just to pay the extra $35 bucks per month that the bank takes as an insurance chit, and have not yet fully complied BECAUSE it is a pain in the butt.
WavGen
1) Install SSL on your server (preferably a Dedicated IP and not shared SSL; if you are wondering why, just run a search, there are tons of posts about it). Show your customers you are a safe haven for entering such things as credit card numbers and email addresses. Have a privacy policy that talks about what you do with the data you take.
2) Don't store sensitive data on the server including CVV, CC numbers, SS numbers or what have you. 0 Liability means you get to leave it up to the powers that be that are already set up to do this, i.e. PayPal, A.net, Ogone, Sage Pay and many more.
Other than that...relax and don't waste tons of money on silly PCI scanners (unless you think it will boost customer sales; yes, having McAfee SECURE on your site can boost sales, but only because of the NAME). Vulnerabilities, loopholes, weak spots, potential security holes can be found without them and frequently are. Out of the box Open Cart (as a developer and being familiar with different hacks and phishing techniques) has got a ton of potential in the realm of security, which is great news because it means most of the work is already done for you.
If you are brave enough (or MUST ) store Social Security Numbers or CC numbers on your rack and have the capital to back a real PCI program/logic then by all means.....worry...and do your thing;) Do your thing.... If not, buy an SSL, have a beer....and make some money