markw10, Posted June 27, 2010

I am using CRE Loaded 6.41 which is OSCommerce based. I have 3 PCI Compliance level 3 threats that I'm trying to work through. They are:

1. Cookie Without HTTPOnly Attribute Can Be Accessed By Scripts
Web Services :: Saint ID 500045
Port TCP:2096

A cookie without the HTTPOnly attribute could be susceptible to theft by cross-site scripting attacks. Cookies are a method of transmitting state information between web servers and clients. The HTTPOnly attribute specifies that a cookie may be used for HTTP requests only, and cannot be accessed by client-side scripts.

There is a vulnerability in the way that some devices, especially web servers, store cookies on a user's system. If the HTTPOnly attribute is not set in the Set-Cookie header, the user-agent allows the cookie to be accessed by client-side script. If cross-site scripting vulnerabilities exist on the web server, then the cookie could be stolen by an attacker, possibly leading to session hijacking.

Related CVE entries: CVE 2009-3566 McAfee IntruShield Network Security Manager

For more information on the HTTPOnly attribute, see OWASP: http://www.owasp.org/index.php/HTTPOnly. For more information about the session hijacking vulnerability in McAfee IntruShield Network Security Manager, see McAfee Security Bulletin SB10005.

Solution: Modify web applications to set the HTTPOnly attribute for all cookies, or apply a patch or upgrade from your vendor.

Annotations: Information from Target:
Service: 2096:TCP
Received: Set-Cookie: logintheme=cpanel; path=/; secure; port=2096

2. Autocomplete Enabled for Password Input
Web Services :: Saint ID 500067
Port TCP:2083
Path: /login/

Poor authentication practices may leave the web application vulnerable to authentication attacks. Some web applications perform authentication by requiring a user to enter a login and password into an HTML form. This type of authentication is achieved using the HTML INPUT element with the type attribute set to password. There are several potential vulnerabilities associated with HTML form-based authentication:

* Authentication Credentials Prefilled. The password field is prefilled with a default value, possibly allowing universal access to the application being authenticated.
* Clear-text Form-based Authentication. The password is sent over the network unencrypted when a user submits the login form, thereby allowing an attacker who is capable of sniffing the network to view the password.
* Clear-text HTTP Basic Authentication. The password is sent over the network unencrypted when a user authenticates to a protected web directory, thereby allowing an attacker who is capable of sniffing the network to view the password.
* Autocomplete Enabled. The form allows the browser's autocomplete feature to automatically fill the password field with previously submitted values when a user begins entering a password. This feature could reveal one user's password to another user on the same computer.

Additional information on the INPUT element is in the HTML 4.01 Specification, Section 17.4. For more information on HTTPS, see whatis.com. For more information on the autocomplete feature in HTML, see HTML Code Tutorial.

Solution: To use HTML form-based authentication more securely in web applications, do the following:

* Remove the value attribute from the INPUT tag corresponding to the password field.
* Submit all forms to an SSL-enabled (https) service using the form's action attribute.
* Place all protected web directories on an SSL-enabled (https) service.
* Use the autocomplete="off" attribute in the INPUT tag corresponding to the password field.

Annotations: Information from Target:
Service: 2083:TCP
Received: <input id="pass" type="password" name="pass" size="16" tabindex="2" /></td>

3. Autocomplete Enabled for Password Input
Web Services :: Saint ID 500067
Port TCP:2083
Path: /

Poor authentication practices may leave the web application vulnerable to authentication attacks. Some web applications perform authentication by requiring a user to enter a login and password into an HTML form. This type of authentication is achieved using the HTML INPUT element with the type attribute set to password. There are several potential vulnerabilities associated with HTML form-based authentication:

* Authentication Credentials Prefilled. The password field is prefilled with a default value, possibly allowing universal access to the application being authenticated.
* Clear-text Form-based Authentication. The password is sent over the network unencrypted when a user submits the login form, thereby allowing an attacker who is capable of sniffing the network to view the password.
* Clear-text HTTP Basic Authentication. The password is sent over the network unencrypted when a user authenticates to a protected web directory, thereby allowing an attacker who is capable of sniffing the network to view the password.
* Autocomplete Enabled. The form allows the browser's autocomplete feature to automatically fill the password field with previously submitted values when a user begins entering a password. This feature could reveal one user's password to another user on the same computer.

Additional information on the INPUT element is in the HTML 4.01 Specification, Section 17.4. For more information on HTTPS, see whatis.com. For more information on the autocomplete feature in HTML, see HTML Code Tutorial.

Solution: To use HTML form-based authentication more securely in web applications, do the following:

* Remove the value attribute from the INPUT tag corresponding to the password field.
* Submit all forms to an SSL-enabled (https) service using the form's action attribute.
* Place all protected web directories on an SSL-enabled (https) service.
* Use the autocomplete="off" attribute in the INPUT tag corresponding to the password field.

Annotations: Information from Target:
Service: 2083:TCP
Received: <input id="pass" type="password" name="pass" size="16" tabindex="2" /></td>

Do you have any idea how I can fix the above issues? I have no clue how to fix the cookie issue. I don't believe these are false positives though. As for the autocomplete, it seems I have to use the autocomplete="off" attribute but I'm not sure how to use this and what files to put this in. Any idea how I can fix these? These 3 issues are the main ones causing me to not be PCI Compliant.
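As an added example, not part of markw10's post and not code from CRE Loaded or osCommerce: a small PHP script that reproduces the two checks the scanner ran, so a fix can be confirmed locally (for instance against the headers and HTML of the store's own login page) before paying for the next PCI scan. The sample inputs are the "Information from Target" lines quoted above plus a corrected copy of each, and the function names are my own.

```php
<?php
// Added example (not from the thread): a local re-check of the two SAINT
// findings above, so the fix can be verified before the next PCI scan.
// Inputs are constructed from the "Information from Target" lines in the post.

/**
 * Parse one Set-Cookie header value and report which protective attributes
 * are missing. Attribute names are case-insensitive, so "HttpOnly",
 * "httponly" and "HTTPONLY" are all accepted.
 */
function missingCookieAttributes($setCookieValue)
{
    $parts = array_map('trim', explode(';', $setCookieValue));
    array_shift($parts); // the first part is name=value, not an attribute
    $attrs = array();
    foreach ($parts as $part) {
        $name = strtolower(strtok($part, '='));
        $attrs[$name] = true;
    }
    $missing = array();
    if (empty($attrs['httponly'])) { $missing[] = 'HttpOnly'; }
    if (empty($attrs['secure']))   { $missing[] = 'Secure'; }
    return $missing;
}

/**
 * Find <input type="password"> tags that do not carry autocomplete="off".
 * Returns the offending tags verbatim so they can be located in the template.
 */
function passwordInputsAllowingAutocomplete($html)
{
    $offending = array();
    if (preg_match_all('/<input\b[^>]*>/i', $html, $matches)) {
        foreach ($matches[0] as $tag) {
            if (!preg_match('/\btype\s*=\s*["\']?password["\']?/i', $tag)) { continue; }
            if (preg_match('/\bautocomplete\s*=\s*["\']?off["\']?/i', $tag)) { continue; }
            $offending[] = $tag;
        }
    }
    return $offending;
}

// Constructed samples: the scanner annotations quoted in the post, each
// followed by a corrected version.
$headers = array(
    'logintheme=cpanel; path=/; secure; port=2096',           // as reported: no HttpOnly
    'logintheme=cpanel; path=/; secure; HttpOnly; port=2096', // corrected
);
foreach ($headers as $header) {
    $missing = missingCookieAttributes($header);
    printf("%-58s -> %s\n", $header, $missing ? 'missing ' . implode(', ', $missing) : 'ok');
}

$forms = array(
    '<input id="pass" type="password" name="pass" size="16" tabindex="2" />',                    // as reported
    '<input id="pass" type="password" name="pass" size="16" tabindex="2" autocomplete="off" />', // corrected
);
foreach ($forms as $form) {
    $bad = passwordInputsAllowingAutocomplete($form);
    echo $bad ? 'autocomplete not disabled: ' . $bad[0] : 'ok: ' . $form, "\n";
}
```

Run it with the PHP CLI; to check a live page, feed `missingCookieAttributes()` the value of each Set-Cookie header the server returns and `passwordInputsAllowingAutocomplete()` the page body.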
Jan Zonjee, Posted June 27, 2010

"Do you have any idea how I can fix the above issues?"

Assuming you have SSL enabled, the scan tells you to "Use the autocomplete="off" attribute in the INPUT tag corresponding to the password field." in the login page...

"I have no clue how to fix the cookie issue."

It sounds as if this is a server issue and not necessarily something that osC could accomplish. XSS scripting was addressed in the latest version of osC2 on github though (see this commit).
theend, Posted November 15, 2010

I do not know if this has been answered elsewhere, but I think the answer to the "HTTPOnly attribute" is to add the HTTPOnly parameter to all the setcookie() php calls as shown here: http://php.net/manual/en/function.setcookie.php. I modified the setcookie calls in my installation and it solved the problem.
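The fix theend describes, and the "Solution" line of the first finding in markw10's post, written out as an added example (my code, not from the thread and not from CRE Loaded or osCommerce): every cookie the application sets gets HttpOnly, plus Secure when the request itself arrived over HTTPS, and a self-check over the queued response headers. Assumptions: PHP 5.2 or later (the httponly argument of setcookie() appeared in 5.2.0) and a web SAPI rather than the CLI, since headers_list() is empty on the command line. In stock osCommerce 2.2 the natural place for this is the tep_setcookie() wrapper in includes/functions/general.php; verify that CRE Loaded 6.41 still routes its cookies through the same function. One caveat the scan output itself raises: the flagged header was received from the service on TCP port 2096 and names a cpanel login theme, so if that cookie is set by something other than the store application, it has to be fixed in that service's configuration, not in the store's PHP.

```php
<?php
// Added example, not code from the thread or from CRE Loaded / osCommerce.
// Goal: no Set-Cookie header leaves this application without HttpOnly.
// Requires PHP >= 5.2.0 (httponly argument of setcookie()) and a web SAPI.

// True when this request arrived over TLS. Only then is the Secure flag safe
// to add; on a plain-http page the browser would never send the cookie back.
function requestIsHttps()
{
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

// 1. The PHP session cookie: configure before session_start().
//    Arguments: lifetime, path, domain, secure, httponly.
//    The same two settings can live in php.ini as session.cookie_httponly=1
//    and session.cookie_secure=1.
session_set_cookie_params(0, '/', '', requestIsHttps(), true);
session_start();

// 2. Application cookies: one wrapper, so no call site can forget the flag.
//    Hypothetical name; in osCommerce the existing wrapper is tep_setcookie().
function setHttpOnlyCookie($name, $value, $expire = 0, $path = '/', $domain = '')
{
    // setcookie(name, value, expire, path, domain, secure, httponly)
    return setcookie($name, $value, $expire, $path, $domain, requestIsHttps(), true);
}

// 3. Self-check: list queued Set-Cookie headers that still lack HttpOnly.
//    Call it just before output starts (for example at the top of the page
//    template) so a stray direct setcookie() call shows up in the error log.
function cookiesMissingHttpOnly()
{
    $missing = array();
    foreach (headers_list() as $header) {
        if (stripos($header, 'Set-Cookie:') === 0 && stripos($header, 'httponly') === false) {
            $missing[] = $header;
        }
    }
    return $missing;
}

// Usage: the cookie name from the scan, with a constructed sample value.
setHttpOnlyCookie('logintheme', 'cpanel');

$leaks = cookiesMissingHttpOnly();
if ($leaks) {
    error_log('cookies without HttpOnly: ' . implode(' | ', $leaks));
}
```

After deploying, confirm with the response headers of the login page: every Set-Cookie line should now end with HttpOnly (and Secure on the https vhost), which is exactly the condition the scanner tests.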