Page 3 of 5
Re: PCI Compliance?
Posted: Sun Apr 24, 2011 11:45 pm
by Demon5
Warning: Wrong parameter count for strpos() in /home/xxxxx/public_html/xxxxxx/catalog/controller/common/header.php on line 37
Warning: Cannot modify header information - headers already sent by (output started at /home/xxxxxx/public_html/xxxxxx/index.php:96) in /home/xxxxxx/public_html/xxxxxx/vqmod/vqcache/vqcache_system_engine_controller.php on line 27
It doesn't like vqmod, but I'm gonna find out if it will pass PCI. An error won't make it fail PCI, lol. At least I hope so...
Edit: not vqmod apparently; it's in another section I'm searching for. (I wish I was better with coding; it's probably blatantly obvious.)
Re: PCI Compliance?
Posted: Mon Apr 25, 2011 12:23 am
by Xsecrets
Demon5 wrote:
Warning: Wrong parameter count for strpos() in /home/xxxxx/public_html/xxxxxx/catalog/controller/common/header.php on line 37
Warning: Cannot modify header information - headers already sent by (output started at /home/xxxxxx/public_html/xxxxxx/index.php:96) in /home/xxxxxx/public_html/xxxxxx/vqmod/vqcache/vqcache_system_engine_controller.php on line 27
It doesn't like vqmod, but I'm gonna find out if it will pass PCI. An error won't make it fail PCI, lol. At least I hope so...
Edit: not vqmod apparently; it's in another section I'm searching for. (I wish I was better with coding; it's probably blatantly obvious.)
Sorry, that's actually my fault; I changed the code last minute and made a mistake. Try this code.
Code:
if (isset($this->request->post['redirect'])) {
    if (strpos($this->request->post['redirect'], HTTP_SERVER) === false) {
        $redirect_error = true;
    } elseif (strpos($this->request->post['redirect'], HTTPS_SERVER) === false) {
        $redirect_error = true;
    } else {
        $redirect_error = false;
    }
    if ($redirect_error == true) {
        $this->redirect(HTTP_SERVER . 'index.php?route=common/home');
    } else {
        $this->redirect($this->request->post['redirect']);
    }
} else {
    $this->redirect(HTTP_SERVER . 'index.php?route=common/home');
}
Re: PCI Compliance?
Posted: Mon Apr 25, 2011 12:50 am
by Demon5
That fixed the warnings up. Just waiting for the PCI scan to complete. Hopefully it works.
Ugh, I had made the changes to my test site instead of the main one where I was scanning. The demos seem to keep me at my own site now instead of redirecting to mcafeesecure. Rerunning the scan now (again). I think it will work.
Man, when they have you rescan to check a patch they should just rescan that part instead of doing a full 2-hour hack attempt.
Re: PCI Compliance?
Posted: Mon Apr 25, 2011 1:21 pm
by Demon5
Good news. That tiny code change makes OpenCart PCI compliant! McAfee passes it now.
I appreciate the help, and I'm sure the other OpenCart users will be happy to see that it can be compliant without loss of function.
Re: PCI Compliance?
Posted: Mon Apr 25, 2011 1:30 pm
by Qphoria
Xsecrets wrote:
Code:
if (isset($this->request->post['redirect'])) {
    if (strpos($this->request->post['redirect'], HTTP_SERVER) === false) {
        $redirect_error = true;
    } elseif (strpos($this->request->post['redirect'], HTTPS_SERVER) === false) {
        $redirect_error = true;
    } else {
        $redirect_error = false;
    }
    if ($redirect_error == true) {
        $this->redirect(HTTP_SERVER . 'index.php?route=common/home');
    } else {
        $this->redirect($this->request->post['redirect']);
    }
} else {
    $this->redirect(HTTP_SERVER . 'index.php?route=common/home');
}
It's late here and maybe I'm not seeing it... but couldn't this be simplified to just:
Code:
if (isset($this->request->post['redirect']) && strpos($this->request->post['redirect'], HTTP_SERVER) !== false) {
    $this->redirect($this->request->post['redirect']);
} else {
    $this->redirect(HTTP_SERVER . 'index.php?route=common/home');
}
Re: PCI Compliance?
Posted: Mon Apr 25, 2011 7:55 pm
by Xsecrets
Qphoria wrote:
Xsecrets wrote:
Code:
if (isset($this->request->post['redirect'])) {
    if (strpos($this->request->post['redirect'], HTTP_SERVER) === false) {
        $redirect_error = true;
    } elseif (strpos($this->request->post['redirect'], HTTPS_SERVER) === false) {
        $redirect_error = true;
    } else {
        $redirect_error = false;
    }
    if ($redirect_error == true) {
        $this->redirect(HTTP_SERVER . 'index.php?route=common/home');
    } else {
        $this->redirect($this->request->post['redirect']);
    }
} else {
    $this->redirect(HTTP_SERVER . 'index.php?route=common/home');
}
It's late here and maybe I'm not seeing it... but couldn't this be simplified to just:
Code:
if (isset($this->request->post['redirect']) && strpos($this->request->post['redirect'], HTTP_SERVER) !== false) {
    $this->redirect($this->request->post['redirect']);
} else {
    $this->redirect(HTTP_SERVER . 'index.php?route=common/home');
}
Well, I just did it quickly and I didn't really want to think too hard. I believe what you have will work, but you would need to add in the HTTPS_SERVER, so it would be:
Code:
if (isset($this->request->post['redirect']) && strpos($this->request->post['redirect'], HTTP_SERVER) !== false && strpos($this->request->post['redirect'], HTTPS_SERVER) !== false) {
Re: PCI Compliance?
Posted: Mon Apr 25, 2011 10:21 pm
by Qphoria
Good call
Re: PCI Compliance?
Posted: Tue Apr 26, 2011 8:58 am
by Qphoria
Actually, I think it should be a grouped "||" for the http or https, 'cuz it won't necessarily be both but can be one or the other.
Code:
if (isset($this->request->post['redirect']) && (strpos($this->request->post['redirect'], HTTP_SERVER) !== false || strpos($this->request->post['redirect'], HTTPS_SERVER) !== false)) {
Re: PCI Compliance?
Posted: Tue Apr 26, 2011 11:27 am
by Xsecrets
Qphoria wrote:
Actually, I think it should be a grouped "||" for the http or https, 'cuz it won't necessarily be both but can be one or the other.
Code:
if (isset($this->request->post['redirect']) && (strpos($this->request->post['redirect'], HTTP_SERVER) !== false || strpos($this->request->post['redirect'], HTTPS_SERVER) !== false)) {
Yeah, you may be right. That's why I went the other way with it; I didn't feel like figuring out the whole not/or/and crap.
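The fix worked out in the posts above decides whether to honour the posted redirect by testing whether HTTP_SERVER or HTTPS_SERVER occurs as a substring of the value. As an added example, not OpenCart's code and not any poster's, the function below performs the stricter form of the same check: it parses the candidate URL and compares its scheme, host and port against the store's own base URLs, and falls back to the home page for anything else, including relative paths and malformed values. It assumes PHP 7.1 or later; the HTTP_SERVER and HTTPS_SERVER values are constructed for the demonstration and safe_redirect_target is a hypothetical name.

```php
<?php
// Added example (not OpenCart's or the posters' code). HTTP_SERVER / HTTPS_SERVER
// mirror OpenCart's config constants; the values here are constructed.
define('HTTP_SERVER', 'http://shop.example/');
define('HTTPS_SERVER', 'https://shop.example/');

/**
 * Return $candidate if it points back to one of $allowed_bases (same scheme,
 * host and port), otherwise the store's home page.
 */
function safe_redirect_target(?string $candidate, array $allowed_bases): string
{
    $fallback = HTTP_SERVER . 'index.php?route=common/home';
    if ($candidate === null || $candidate === '') {
        return $fallback;
    }
    $target = parse_url($candidate);
    if ($target === false || !isset($target['scheme'], $target['host'])) {
        return $fallback; // relative or malformed URL: do not guess
    }
    foreach ($allowed_bases as $base) {
        $b = parse_url($base);
        if ($b === false || !isset($b['scheme'], $b['host'])) {
            continue;
        }
        $same_scheme = strcasecmp($target['scheme'], $b['scheme']) === 0;
        $same_host   = strcasecmp($target['host'], $b['host']) === 0;
        // parse_url() only reports 'port' when it is explicit; null == default
        $same_port   = ($target['port'] ?? null) === ($b['port'] ?? null);
        if ($same_scheme && $same_host && $same_port) {
            return $candidate;
        }
    }
    return $fallback;
}

// Constructed inputs in the shape of $this->request->post['redirect'].
$cases = [
    'https://shop.example/index.php?route=account/account', // own store: allowed
    'http://shop.example/index.php?route=checkout/cart',    // own store, http: allowed
    'http://other.example/',                                // foreign host: fallback
    'index.php?route=account/account',                      // relative: fallback
    '',                                                     // empty: fallback
];
foreach ($cases as $c) {
    printf("%-58s -> %s\n", var_export($c, true),
        safe_redirect_target($c, [HTTP_SERVER, HTTPS_SERVER]));
}
```

In the controller this would take the place of the strpos() condition, e.g. `$this->redirect(safe_redirect_target($this->request->post['redirect'] ?? null, array(HTTP_SERVER, HTTPS_SERVER)));`. The difference from the substring test is that only the parsed host (plus scheme and port) decides, rather than whether the store address appears anywhere in the string, so the check cannot be satisfied by a URL that merely mentions the store.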
Re: PCI Compliance?
Posted: Fri May 06, 2011 3:34 am
by Demon5
Make sure you include these changes in 1.5.0. Being PCI compliant will help make OpenCart a dominant cart in the market, which would bring more devs to make modules since more people would use it, which you could make money off.

Re: PCI Compliance?
Posted: Fri May 06, 2011 4:56 am
by Qphoria
Demon5 wrote:
Make sure you include these changes in 1.5.0. Being PCI compliant will help make OpenCart a dominant cart in the market, which would bring more devs to make modules since more people would use it, which you could make money off.

Already added to 1.5.0 and 1.4.9.5, but it hasn't affected anything in the past anyway. You are the first to comment, so I'm not too worried that people weren't using it before this.
Re: PCI Compliance?
Posted: Sat May 07, 2011 10:37 pm
by Demon5
*shrugs* My domain draws hacker attention, authorize.net requires PCI, and McAfee was like "not unless this thingie is fixed", lol. Pretty simple fix though, apparently.
Re: PCI Compliance?
Posted: Mon May 09, 2011 10:35 pm
by Dabnis
Here is a store for which I have gained PCI compliance as verified by Trustwave. Logo in footer; click on it for Trustwave confirmation.
Hope this helps prove the point that OC is secure enough for PCI compliance. I've not read all of the posts in this thread, but I can confirm that getting this status for the site involved more server admin changes than anything within the OC framework.
The site:
http://pdr-tools.us
Re: PCI Compliance?
Posted: Fri May 13, 2011 10:47 am
by jannypan
What do you mean by "they are modular and not at the OpenCart level"? Other shopping carts are having to rewrite the payment modules even when they do NOT store credit cards and DO support SSL in order to pass PA-DSS requirements. According to PA-DSS, the shopping cart vendor is responsible for making sure the payment modules are compliant.
Re: PCI Compliance?
Posted: Fri May 13, 2011 9:05 pm
by mwd
Am I correct in assuming this has been resolved now and should be marked [solved] to avoid any confusion?
Re: PCI Compliance?
Posted: Mon May 16, 2011 8:16 am
by Demon5
I can't speak for other payment modules, but with the authorize.net AIM module and these small changes from this thread the cart IS PCI compliant.
Re: PCI Compliance?
Posted: Wed Aug 10, 2011 10:52 am
by kdmp
I just recently had a HackerGuardian scan done and it indicated this for 1.4.9.1:
Status Fail (This must be resolved for your device to be compliant).
Plugin "Non-persistent Cross-Site Scripting Vulnerability"
Category "CGI abuses : XSS "
Priority "Medium Priority
Description The following CGI script seem to be vulnerable to XSS non-persistent hole : /index.php
Unsafe arguments : keyword
Unsafe URLs : /index.php?keyword=%2bADw-%2ftitle%2bAD4APA-script%2bAD4-alert(12345)%2bADs
APA-%2fscript%2bAD4&route=product%2fsearch (XSS pattern: +ADw-/title+AD4APA-script+AD4-alert(12345)+ADsAPA-/script+AD4)
An attacker may change 'Content-Type' and 'Charset' for dinamically generated site, include some script in UTF-7 into the page header and execute it for destructive actions
Risk factor Medium / CVSS Base Score : 4.3
Solution
always set 'Content-Type' and 'Charset' for html page via 'meta' tag before any changeable info
I am not sure if this is something with the host or with OpenCart.
Re: PCI Compliance?
Posted: Wed Aug 10, 2011 11:26 am
by Qphoria
kdmp wrote:
I just recently had a HackerGuardian scan done and it indicated this for 1.4.9.1:
Status Fail (This must be resolved for your device to be compliant).
Plugin "Non-persistent Cross-Site Scripting Vulnerability"
Category "CGI abuses : XSS "
Priority "Medium Priority
Description The following CGI script seem to be vulnerable to XSS non-persistent hole : /index.php
Unsafe arguments : keyword
Unsafe URLs : /index.php?keyword=%2bADw-%2ftitle%2bAD4APA-script%2bAD4-alert(12345)%2bADs
APA-%2fscript%2bAD4&route=product%2fsearch (XSS pattern: +ADw-/title+AD4APA-script+AD4-alert(12345)+ADsAPA-/script+AD4)
An attacker may change 'Content-Type' and 'Charset' for dinamically generated site, include some script in UTF-7 into the page header and execute it for destructive actions
Risk factor Medium / CVSS Base Score : 4.3
Solution
always set 'Content-Type' and 'Charset' for html page via 'meta' tag before any changeable info
I am not sure if this is something with the host or with OpenCart.
I'm actually having a PCI scan done tomorrow on my site, so I will share the results of that and compare notes. I am using v1.4.9.6. I have added the following line to my header.tpl file right under the <title> tags:
Code:
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
which appears to be what your scan is complaining about. Though I've tested the XSS they used and it doesn't do anything bad. The server validates that.
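For the scanner finding quoted above, here is an added example (not OpenCart's code and not Qphoria's header.tpl change) of rendering a search page so that the output encoding is fixed before any user-controlled text appears: the charset is sent in the HTTP Content-Type header, repeated in a meta tag that precedes the <title>, and the keyword is HTML-escaped for the context it lands in. It assumes PHP 5.4 or later; render_search_page is a hypothetical function, and the probe string is the XSS pattern from the scanner report, embedded here as constructed input.

```php
<?php
// Added example (not OpenCart's or the posters' code): fix the charset early and
// escape the search keyword. The scanner's pattern uses UTF-7-style sequences
// ("+ADw-" is UTF-7 for "<", "+AD4-" for ">"); a page that never declares its
// charset leaves the browser to sniff one, which is the gap the probe targets.

function render_search_page(string $keyword): string
{
    // 1. The HTTP header is authoritative and beats any <meta> tag.
    if (!headers_sent()) {
        header('Content-Type: text/html; charset=utf-8');
    }
    // 2. Escape for HTML text/attribute context, in the charset we declared.
    $safe = htmlspecialchars($keyword, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // 3. Declare the charset in the document before the <title>, since the
    //    title is the first place user-controlled text appears on this page.
    return "<!DOCTYPE html>\n<html>\n<head>\n"
         . "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\">\n"
         . "<title>Search - {$safe}</title>\n</head>\n<body>\n"
         . "<h1>Search results for \"{$safe}\"</h1>\n</body>\n</html>\n";
}

// Constructed input: the XSS pattern quoted from the scanner report.
$probe = '+ADw-/title+AD4APA-script+AD4-alert(12345)+ADsAPA-/script+AD4';
echo render_search_page($probe);
```

Two points worth noting. htmlspecialchars() does not touch "+" or "-", so the probe survives escaping unchanged; it is the declared charset that makes a UTF-8 browser render those characters literally instead of decoding them as UTF-7, which is why the scanner's advice is to declare the charset before any changeable content. And because the search keyword ends up inside <title> on the product/search route, a meta tag placed after the title still leaves the title before the declaration; putting it first (or relying on the HTTP header) closes that ordering gap.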
Re: PCI Compliance?
Posted: Thu Aug 11, 2011 9:03 pm
by kdmp
Thanks Q,
Will watch for your results.
Kevin
Re: PCI Compliance?
Posted: Thu Aug 11, 2011 10:33 pm
by Qphoria
I got my results, actually.
No issues with OpenCart.
There were 4 issues with my hosting, but apparently it is a PCI test issue that a lot of webhosts claim is faulty because they only check the version number and not the actual version test.
http://billing.handsonwebhosting.com/kn ... cle&id=258
Apparently the version check the test does finds "OpenSSH" on my server is 4.3, but it's patched instead of updated, so the version may show 4.3 but it has the 5.9 patch. So I've contested the notices.
But nothing warned about OpenCart or the search box or anything.
ControlScan.com is the company that did my scan.
They also reported other warnings about ports, but nothing stopping PCI compliance other than the 4 errors about the OpenSSH that are apparently patched.