Sysadmin PCI scan vulnerabilities

Discussion in 'System Administration' started by Andy, Aug 13, 2020.

  1. Andy

    Andy Active Member

    Aug 6, 2014
    If you have a merchant account to process credit card payments, the merchant servicer will require your website to be scanned and pass the test every 3 months. If you fail, it will disable your merchant account, raise fees, etc.
    This is a big and growing problem for many of us.


    I got my scan passed in May and a new scan failed. I'm not sure if there are any updates from centminmod in the last few months causing any issue.
    If @eva2000 can jump in with some advice, that would be much appreciated.

    Here are some issues that did not pass
    HTTP Security Header Not Detected on port 80
    Code:
    Result
    
    GET / HTTP/1.1
    Host: 209.222.101.10
    Connection: Keep-Alive
    
    HTTP/1.1 200 OK
    Date: Wed, 12 Aug 2020 10:46:41 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 4074
    Last-Modified: Thu, 05 Apr 2018 17:10:07 GMT
    Connection: keep-alive
    Vary: Accept-Encoding
    ETag: "5ac6586f-fea"
    Server: nginx centminmod
    X-Powered-By: centminmod
    Accept-Ranges: bytes
    
    X-XSS-Protection HTTP Header missing on port 80.
    X-Content-Type-Options HTTP Header missing on port 80.
    X-Frame-Options or Content-Security-Policy: frame-ancestors HTTP Headers missing on port 80.
    Solution
    Code:
    Note: To better debug the results of this QID, it is requested that customers execute commands to simulate the following functionality: curl -lkL --verbose.
    CWE-693: Protection Mechanism Failure mentions the following - The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. A "missing" protection mechanism occurs when the application does not define any mechanism against a certain class of attack. An "insufficient" protection mechanism might provide some defenses - for example, against the most common attacks - but it does not protect against everything that is intended. Finally, an "ignored" mechanism occurs when a mechanism is available and in active use within the product, but the developer has not applied it in some code path.
    Customers are advised to set proper X-Frame-Options, X-XSS-Protection, X-Content-Type-Options and Strict-Transport-Security HTTP response headers.
    Depending on their server software, customers can set directives in their site configuration or Web.config files. Few examples are:
    X-Frame-Options:
    Apache: Header always append X-Frame-Options SAMEORIGIN
    nginx: add_header X-Frame-Options SAMEORIGIN;
    HAProxy: rspadd X-Frame-Options:\ SAMEORIGIN
    IIS: <HTTPPROTOCOL><CUSTOMHEADERS><ADD NAME="X-Frame-Options" VALUE="SAMEORIGIN"></ADD></CUSTOMHEADERS></HTTPPROTOCOL>
    X-XSS-Protection:
    Apache: Header always set X-XSS-Protection "1; mode=block" 
    PHP: header("X-XSS-Protection: 1; mode=block");
    X-Content-Type-Options:
    Apache: Header always set X-Content-Type-Options: nosniff
    HTTP Strict-Transport-Security:
    Apache: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Nginx: add_header Strict-Transport-Security max-age=31536000;
    Note: Network devices that include a HTTP/HTTPS console for administrative/management purposes often do not include all/some of the security headers. This is a known issue and it is recommend to contact the vendor for a solution.
    The same issue on port 443
     
  2. eva2000

    eva2000 Administrator Staff Member

    May 24, 2014
    Brisbane, Australia
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    double post Sysadmin - PCI check vulnerabilities ???

    Centmin Mod has the headers disabled by default during nginx vhost creation and leaves it up to you to enable them - especially for HSTS, as if you do not understand what it does you can DDOS attack your own site for up to 1yr duration! See Nginx Vhost & NSD DNS Setup - CentminMod.com LEMP Nginx web stack for CentOS

    HSTS is only in the HTTPS vhost and not the non-HTTPS one
    Code (Text):
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #add_header Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'";
    

    Note some of the X- headers may be served by your PHP/web app too, i.e. XenForo does for some.

    Are you testing against your domains or the Centmin Mod main hostname, i.e. the IP address default Centmin Mod Nginx page?
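The scan output in the first post and the reply above describe the same check from two sides: the scanner wants X-XSS-Protection, X-Content-Type-Options, and either X-Frame-Options or a CSP frame-ancestors directive on every port, plus HSTS, while Centmin Mod only puts HSTS in the HTTPS vhost and ships the other add_header lines commented out. The script below is an added example, not Centmin Mod's or the scanner's code: it re-implements those checks offline against captured responses. The port-80 sample is the response quoted in the scan result; the port-443 "hardened" sample is constructed and hypothetical (what the vhost would send after uncommenting the HSTS and X-Frame-Options lines). Checking HSTS only on 443 is an assumption about the scanner based on the "same issue on port 443" remark and RFC 6797, which has browsers ignore the header over plain HTTP.

```python
"""Re-implementation of the header checks in the scan output above, run offline
against captured responses. Added example: not Centmin Mod's or the scanner's code."""
import re

# Constructed sample: the port-80 response quoted in the scan result above.
SCAN_RESPONSE_PORT80 = """HTTP/1.1 200 OK
Date: Wed, 12 Aug 2020 10:46:41 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 4074
Last-Modified: Thu, 05 Apr 2018 17:10:07 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "5ac6586f-fea"
Server: nginx centminmod
X-Powered-By: centminmod
Accept-Ranges: bytes

"""

# Constructed, hypothetical sample: the HTTPS vhost after uncommenting the
# add_header lines Centmin Mod ships commented out (HSTS and X-Frame-Options).
HARDENED_RESPONSE_PORT443 = """HTTP/1.1 200 OK
Server: nginx centminmod
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubdomains;
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff

"""


def parse_headers(raw):
    """Map lower-cased header name -> list of values for a raw response (status line + headers)."""
    head = raw.replace("\r", "").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:  # [0] is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def _frame_ancestors_set(headers):
    """CSP frame-ancestors is the alternative the scanner accepts instead of X-Frame-Options."""
    return any(re.search(r"\bframe-ancestors\b", v, re.I)
               for v in headers.get("content-security-policy", []))


def scan_findings(raw, port):
    """Return the finding strings the scan above would raise for this response on this port.

    Header names are matched case-insensitively, so nginx's 'X-Xss-Protection' spelling passes.
    """
    h = parse_headers(raw)
    findings = []
    if "x-xss-protection" not in h:
        findings.append("X-XSS-Protection HTTP Header missing on port %d." % port)
    if "x-content-type-options" not in h:
        findings.append("X-Content-Type-Options HTTP Header missing on port %d." % port)
    if "x-frame-options" not in h and not _frame_ancestors_set(h):
        findings.append("X-Frame-Options or Content-Security-Policy: frame-ancestors "
                        "HTTP Headers missing on port %d." % port)
    # Browsers ignore Strict-Transport-Security received over plain HTTP (RFC 6797),
    # which is why the header belongs only in the HTTPS vhost; check it on 443 only
    # (assumption about what the scanner expects, based on the port-443 remark above).
    if port == 443 and "strict-transport-security" not in h:
        findings.append("Strict-Transport-Security HTTP Header missing on port %d." % port)
    return findings


def hsts_policy(raw):
    """Decode the HSTS commitment a browser would remember, or None if the header is absent.

    max_age_days is how long clients refuse plain HTTP for the host after one visit;
    include_subdomains extends that to every subdomain, including ones without TLS.
    That is the self-inflicted outage the reply above warns about before enabling HSTS.
    """
    vals = parse_headers(raw).get("strict-transport-security")
    if not vals:
        return None
    m = re.search(r"max-age\s*=\s*(\d+)", vals[0], re.I)
    return {
        "max_age_days": int(m.group(1)) / 86400 if m else 0.0,
        "include_subdomains": re.search(r"includesubdomains", vals[0], re.I) is not None,
    }


if __name__ == "__main__":
    for label, raw, port in (("scan capture", SCAN_RESPONSE_PORT80, 80),
                             ("hardened vhost", HARDENED_RESPONSE_PORT443, 443)):
        print("%s (port %d):" % (label, port))
        for f in scan_findings(raw, port) or ["no findings"]:
            print("  " + f)
        print("  HSTS:", hsts_policy(raw))
```

To feed it a live response, capture the headers of a GET the way the scanner does rather than a HEAD, e.g. `curl -s -o /dev/null -D - http://host/`. Note that the scan sent `Host: 209.222.101.10`, so nginx answered from the default server block (the Centmin Mod main hostname vhost), not from the domain's vhost; adding headers to the domain's vhost alone will not change that result. Test both the bare IP and the domain, the latter with `curl --resolve example.com:443:209.222.101.10 https://example.com/` or an explicit `-H 'Host: example.com'`.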
     
  3. Andy

    Andy Active Member

    I'm testing against the IP for the server that is hosting my main domain and my other domains.
    It seems to pick up settings on the other domains as well.
    I don't know why it passed 3 months ago and failed now.

    I'm testing again using the domain name and will see if it makes a difference.
     
  4. Andy

    Andy Active Member

    I've got some issue with this site as it keeps asking me to do the hCaptcha puzzle even if I'm already logged in. Not sure of the reason.
     
  5. Andy

    Andy Active Member

    The PCI report also said that it detected an old version of jQuery, but I couldn't grep to find where the file that contains that string is
    jquery/jquery-3.3.1.min.js?_v=51091b27

    Any tip?
     
  6. eva2000

    eva2000 Administrator Staff Member

    Ah Cloudflare WAF rule being tripped, should be fixed now :)

    Probably best to ask on Xenforo forums as I believe it's dynamically generated by Xenforo
     
  7. Andy

    Andy Active Member

    It only happens after I reset my Chrome browser. What do I need to do?
     
  8. eva2000

    eva2000 Administrator Staff Member

    What do you mean by reset browser?

    It should have been resolved via my changes on my end, unless you're still experiencing the issue? Are you behind a VPN, HTTP proxy or Tor client?

    Is this now only happening for forum searches ?
     
    Last edited: Aug 14, 2020