Important Notice from AspDotNetStorefront
It is with dismay that we report that we have been forced, through the action of hackers, to shut off write-access to this forum. We are keen to leave the wealth of material available to you for research. We have opened a new forum from which our community of users can seek help, support and advice from us and from each other. To post a new question to our community, please visit: http://forums.vortx.com

Thread: PCI non-compliant problem

  1. #1
    dplsr, Member
    Join Date
    Dec 2009
    Posts
    50

    Default PCI non-compliant problem

    I have hackerproof for pci scanning. It says the site is not compliant.


    Security Hole found on port/service "http (80/tcp)"
    Solution: Modify the relevant CGIs so that they properly escape arguments
    Risk factor: High
    See also: http://www.securiteam.com/securityre...DP0N1P76E.html
    "Comodo SQL injections"
    "CGI abuses"
    Medium Priority
    Plugin / Category / Priority
    Description: The following CGI script seems to be vulnerable to various SQL injection techniques: /c-57-under-cabinet-lighting.aspx
    Unsafe arguments: pagenum
    Unsafe URLs: /c-57-under-cabinet-lighting.aspx?pagenum=QUOTETEST%271%221%60 (Internal Server Error)
    An attacker may exploit these flaws to bypass authentication or to take control of the remote database.
    Security Hole

  2. #2
    AspDotNetStorefront Staff - Scott, Administrator
    Join Date
    Mar 2007
    Location
    Ashland, OR
    Posts
    2,390

    Default

    That's a 'false positive', you can mark that off as not an issue.

    Any querystrings on an entity page are handed off to the XML package being used to render that skin. XML packages reference querystring parameters by their exact name, so anything we're not looking for is going to be ignored anyway (not written to the DB or anything). Even if they stick something invalid in a valid querystring, those are all run through a DB sproc, which prevents SQL injection in and of itself.

  3. #3
    dplsr, Member
    Join Date
    Dec 2009
    Posts
    50

    Default

    Thank you, Scott! I am marking them all false.

  4. #4
    dplsr, Member
    Join Date
    Dec 2009
    Posts
    50

    Default Still having PCI compliance problem

    I am still having problems with failed scans from SQL injection. COMODO tells me my server is returning a 500 error instead of a 404, which it is doing. Example URL:

    http://lightingsayu.com/c-459-energy...EST%271%221%60

    My web.config setting:

    Code:
    <customErrors mode="On">
    <!-- This will redirect 404 errors to PageNotFound.aspx; this will work only for file types that IIS passes to ASP.NET -->
    <error statusCode="404" redirect="PageNotFound.aspx" />
    </customErrors>
    How do I correct this?

  5. #5
    AspDotNetStorefront Staff - Scott, Administrator
    Join Date
    Mar 2007
    Location
    Ashland, OR
    Posts
    2,390

    Default

    I'm not sure I understand what you mean - we're not going to return a 404 for an invalid querystring, no. The custom error page (either the default or the one you set up) will be shown, that's all. There is no SQL injection vulnerability there, as no sensitive information is shown.

  6. #6
    dplsr, Member
    Join Date
    Dec 2009
    Posts
    50

    Default

    Hi Scott,
    That's the problem: the default error page PageNotFound.aspx is not showing up. A 500 application error is, and that makes the scans fail.

    Server Error in '/' Application.
    Runtime Error
    Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed.

    Details: To enable the details of this specific error message to be viewable on the local server machine, please create a <customErrors> tag within a "web.config" configuration file located in the root directory of the current web application. This <customErrors> tag should then have its "mode" attribute set to "RemoteOnly". To enable the details to be viewable on remote machines, please set "mode" to "Off".

  7. #7
    ssgumby, Senior Member
    Join Date
    Feb 2009
    Posts
    683

    Default

    I'm not sure why that would fail PCI, since you are not showing any details of the error. But to make it look cleaner ...

    Add this under your 404 ...

    Code:
    <error statusCode="500" redirect="t-systemerror.aspx" />
    Then add a topic named systemerror and put some nice clean text in it to explain that an error occurred.

  8. #8
    AspDotNetStorefront Staff - Scott, Administrator
    Join Date
    Mar 2007
    Location
    Ashland, OR
    Posts
    2,390

    Default

    PageNotFound is only going to display for exactly what it sounds like - a 404 (page not found). Any other error that is caught by the system will display the custom error page, or the default one that you're showing. There's nothing wrong with that, as long as no sensitive information is displayed on the page. You can create your own custom error page to use and specify that in the web.config if you don't like the default, but that's not a vulnerability.
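
    Scott's position in #2 and #8 is that a 500 whose details are suppressed is not an injection finding, only an unhandled exception. The script below is an added example (not code from AspDotNetStorefront, from the scanner, or from anyone in this thread) that lets you check that claim rather than just marking the finding false: it rebuilds the scanner's probe URL with the QUOTETEST'1"1` payload and classifies the response by what the body actually discloses. The error-signature lists and the sample response bodies are assumptions constructed for the example; the live `probe()` function needs network access and is not exercised by the samples.

    ```python
    """
    Triage a PCI scanner's "SQL injection" finding on an ASP.NET page.

    Added example, not AspDotNetStorefront or scanner code. Rebuilds the
    scanner's probe URL and classifies the response body so a generic 500
    (details suppressed) can be told apart from a database error or a
    leaked stack trace. Signature lists are hand-picked assumptions.
    """
    import re
    import urllib.error
    import urllib.parse
    import urllib.request
    from dataclasses import dataclass

    # Payload from the scanner's "Unsafe URLs" line: QUOTETEST ' 1 " 1 `
    PROBE_PAYLOAD = "QUOTETEST'1\"1`"

    # Database error fragments showing the payload reached a SQL parser
    # (assumed, hand-picked; extend for your database engine).
    SQL_ERROR_SIGNATURES = [
        r"unclosed quotation mark",
        r"incorrect syntax near",
        r"System\.Data\.SqlClient\.SqlException",
        r"you have an error in your sql syntax",
        r"ORA-\d{5}",
    ]

    # ASP.NET detail-page markers (stack trace shown to remote clients).
    ASPNET_DETAIL_SIGNATURES = [
        r"Stack Trace:",
        r"Source Error:",
        r"\[[A-Za-z.]+Exception:",
    ]


    @dataclass
    class Verdict:
        status: int
        category: str  # sql_error | detail_leak | generic_error | not_found | handled
        evidence: str


    def build_probe_url(base_url, param, payload=PROBE_PAYLOAD):
        """Set ?param=<payload> on base_url, percent-encoded as the scanner did."""
        parts = urllib.parse.urlsplit(base_url)
        query = dict(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
        query[param] = payload
        return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))


    def classify_response(status, body):
        """Rank what the response discloses; the most severe category wins."""
        for sig in SQL_ERROR_SIGNATURES:
            m = re.search(sig, body, re.IGNORECASE)
            if m:
                return Verdict(status, "sql_error", m.group(0))
        for sig in ASPNET_DETAIL_SIGNATURES:
            m = re.search(sig, body)
            if m:
                return Verdict(status, "detail_leak", m.group(0))
        if status == 404:
            return Verdict(status, "not_found", "")
        if status >= 500:
            return Verdict(status, "generic_error", "details suppressed by customErrors")
        return Verdict(status, "handled", "")


    def probe(base_url, param, timeout=10):
        """Live version (needs network): fetch the probe URL and classify it."""
        req = urllib.request.Request(build_probe_url(base_url, param),
                                     headers={"User-Agent": "pci-triage-example"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return classify_response(resp.status, resp.read().decode("utf-8", "replace"))
        except urllib.error.HTTPError as e:
            # urllib raises on 4xx/5xx; the body is still what the scanner saw.
            return classify_response(e.code, e.read().decode("utf-8", "replace"))


    # Constructed sample bodies (not captured from any real site).
    SAMPLE_GENERIC_500 = (
        "Server Error in '/' Application.\nRuntime Error\n"
        "Description: An application error occurred on the server. The current custom "
        "error settings for this application prevent the details of the application "
        "error from being viewed.")
    SAMPLE_SQL_500 = (
        "Server Error in '/' Application.\n"
        "Unclosed quotation mark after the character string '1\"1`'.\n"
        "Exception Details: System.Data.SqlClient.SqlException: Incorrect syntax near '1'.")
    SAMPLE_DETAIL_500 = (
        "Server Error in '/' Application.\n"
        "[NullReferenceException: Object reference not set to an instance of an object.]\n"
        "Stack Trace: \n[NullReferenceException: ...]")
    SAMPLE_HANDLED_200 = "<html><body>Sorry, something went wrong. Please try again later.</body></html>"

    if __name__ == "__main__":
        print("probe URL:", build_probe_url("http://shop.example/c-57-under-cabinet-lighting.aspx", "pagenum"))
        for status, body in [(500, SAMPLE_GENERIC_500), (500, SAMPLE_SQL_500),
                             (500, SAMPLE_DETAIL_500), (200, SAMPLE_HANDLED_200)]:
            print(status, classify_response(status, body))
    ```

    A `generic_error` verdict is the situation in this thread: the scanner keys on the 500 status, and once a customErrors redirect for 500 is in place it sees a 302 to the error topic instead, which is why the later posts report the scan passing. A `sql_error` or `detail_leak` verdict means the page is disclosing something and should not be marked a false positive. Note that this check only looks at error disclosure; it says nothing about blind (boolean- or time-based) injection, which needs a differential test against a known-good value of the parameter.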

  9. #9
    dplsr, Member
    Join Date
    Dec 2009
    Posts
    50

    Default

    I see, I think I understand. I need to modify the server to return something friendlier. I am going to get in there and see if I can get IIS to go to pagenotfound.aspx on 500 errors.

    Thank you all again!

  10. #10
    ssgumby, Senior Member
    Join Date
    Feb 2009
    Posts
    683

    Default

    Quote Originally Posted by dplsr View Post
    I see, I think I understand. I need to modify the server to return something friendlier. I am going to get in there and see if I can get IIS to go to pagenotfound.aspx on 500 errors.

    Thank you all again!
    Or you could do as I suggested and simply add another line to web.config, and then there is no need to do anything with IIS.

  11. #11
    dplsr, Member
    Join Date
    Dec 2009
    Posts
    50

    Default

    I added your code. Works great! Thanks again!