Thread: PCI non-compliant problem

I have hackerproof for pci scanning. It says the site is not compliant.


Security Hole found on port/service "http (80/tcp)"
Solution Modify the relevant CGIs so that they properly escape arguments
Risk factor High
See also : http://www.securiteam.com/securityre...DP0N1P76E.html
"Comodo SQL injections"
"CGI abuses "
"Medium Priority
Plugin
Category
Priority
Description The following CGI script seem to be vulnerable to various SQL injection techniques : /c-57-under-cabinet-lighting.aspx
Unsafe arguments : pagenum
Unsafe URLs : /c-57-under-cabinet-lighting.aspx?pagenum=QUOTETEST%271%221%60 (Internal Server Error)
An attacker may exploit this flaws to bypass authentication or to take the control of the remote database.
Security Hole

That's a 'false positive', you can mark that off as not an issue.

Any querystrings on an entity page are handed off to the XML package being used to render that skin. XML packages reference querystring parameters by their exact name, so anything we're not looking for is going to be ignored anyway (not written to the DB or anything). Even if they stick something invalid in a valid querystring, those are all run through a DB sproc, which prevents SQL injection in and of itself.

Thankyou Scott! I am marking them all false.

I am still having problems with failed scans from sql injection. COMODO tells me my server is returning a 500 error instead of a 404 witch it is doing. Example url.

http://lightingsayu.com/c-459-energy...EST%271%221%60

my web.config setting:
<customErrors mode="On">
<!-- This will redirect 404 error on PageNotFound.aspx ,this will work only for file-types that IIS passes to ASP.NET -->
<error statusCode="404" redirect="PageNotFound.aspx" />
</customErrors>
How do I correct this?

I'm not sure I understand what you mean - we're not going to return a 404 for an invalid querystring, no. The custom error page (either the default or the one you set up) will be shown, that's all. There is no SQL injection vulnerability there, as no sensitive information is shown.

Hi Scott,
That's the problem the default error page PageNotFound.aspx is not showing up. a 500 application error is, and that makes the scans fail.

Server Error in '/' Application.
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed.

Details: To enable the details of this specific error message to be viewable on the local server machine, please create a <customErrors> tag within a "web.config" configuration file located in the root directory of the current web application. This <customErrors> tag should then have its "mode" attribute set to "RemoteOnly". To enable the details to be viewable on remote machines, please set "mode" to "Off".

Im not sure why that would fail PCI, you are not showing any details of the error. But to make it look cleaner ...

Add this under your 404 ...

Code:

<error statusCode="500" redirect="t-systemerror.aspx" />

Then add a topic named systemerror and put some nice clean text to explain an error occured.

PageNotFound is only going to display for exactly what it sounds like - a 404 (page not found). Any other error that is caught by the system will display the custom error page, or the default one that you're showing. There's nothing wrong with that, as long as no sensitive information is displayed on the page. You can create your own custom error page to use and specify that in the web.config if you don't like the default, but that's not a vulnerability.

I see I think I understand. I need to modify the server to return something friendlier. I am going to get in there and see if I can get IIS it to go to pagenotfound.aspx on 500 errors.

Thank you all again!

Originally Posted by dplsr

I see I think I understand. I need to modify the server to return something friendlier. I am going to get in there and see if I can get IIS it to go to pagenotfound.aspx on 500 errors.

Thank you all again!

Or you could do as I suggested and simply add another line to web config and then no need to do anything with IIS

I added you code Works great! Thanks again!