Sysadmin PCI scan vulnerabilities

Discussion in 'System Administration' started by Andy, Aug 13, 2020.

  1. Andy

    Andy Active Member

    If you have a merchant account to process credit card payments, the merchant servicer will require your website to be scanned and pass the test every 3 months. If you fail, it will disable your merchant account, raise fee, etc.
    This is a big and growing problem with many of us.

    I got my scan passed in May and a new scan failed. I'm not sure if there are any updates from centminmod in the last few months causing any issue.
    If @eva2000 can jump in with some advice, that would be much appreciated.

    Here are some issues that did not pass
    HTTP Security Header Not Detected on port 80
    Code:
    Result
    
    GET / HTTP/1.1
    Host: 209.222.101.10
    Connection: Keep-Alive
    
    
    
    HTTP/1.1 200 OK
    Date: Wed, 12 Aug 2020 10:46:41 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 4074
    Last-Modified: Thu, 05 Apr 2018 17:10:07 GMT
    Connection: keep-alive
    Vary: Accept-Encoding
    ETag: "5ac6586f-fea"
    Server: nginx centminmod
    X-Powered-By: centminmod
    Accept-Ranges: bytes
    
    X-XSS-Protection HTTP Header missing on port 80.
    
    X-Content-Type-Options HTTP Header missing on port 80.
    
    X-Frame-Options or Content-Security-Policy: frame-ancestors HTTP Headers missing on port 80.
    Solution
    Code:
    Note: To better debug the results of this QID, it is requested that customers execute commands to simulate the following functionality: curl -lkL --verbose.
    CWE-693: Protection Mechanism Failure mentions the following - The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. A "missing" protection mechanism occurs when the application does not define any mechanism against a certain class of attack. An "insufficient" protection mechanism might provide some defenses - for example, against the most common attacks - but it does not protect against everything that is intended. Finally, an "ignored" mechanism occurs when a mechanism is available and in active use within the product, but the developer has not applied it in some code path.
    Customers are advised to set proper X-Frame-Options, X-XSS-Protection, X-Content-Type-Options and Strict-Transport-Security HTTP response headers.
    Depending on their server software, customers can set directives in their site configuration or Web.config files. A few examples are:
    X-Frame-Options:
    Apache: Header always append X-Frame-Options SAMEORIGIN
    nginx: add_header X-Frame-Options SAMEORIGIN;
    HAProxy: rspadd X-Frame-Options:\ SAMEORIGIN
    IIS: <HTTPPROTOCOL><CUSTOMHEADERS><ADD NAME="X-Frame-Options" VALUE="SAMEORIGIN"></ADD></CUSTOMHEADERS></HTTPPROTOCOL>
    X-XSS-Protection:
    Apache: Header always set X-XSS-Protection "1; mode=block" 
    PHP: header("X-XSS-Protection: 1; mode=block");
    X-Content-Type-Options:
    Apache: Header always set X-Content-Type-Options: nosniff
    HTTP Strict-Transport-Security:
    Apache: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Nginx: add_header Strict-Transport-Security max-age=31536000;
    Note: Network devices that include an HTTP/HTTPS console for administrative/management purposes often do not include all/some of the security headers. This is a known issue and it is recommended to contact the vendor for a solution.
    The same issue on port 443

     
  2. eva2000

    eva2000 Administrator Staff Member

    double post Sysadmin - PCI check vulnerabilities ???

    Centmin Mod has the headers disabled by default during nginx vhost creation and leaves it up to you to enable them - especially for HSTS, as if you do not understand what it does you can DDOS attack your own site for up to 1yr duration! See Nginx Vhost & NSD DNS Setup - CentminMod.com LEMP Nginx web stack for CentOS

    HSTS is only in HTTPS vhost and not non-HTTPS
    Code (Text):
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #add_header Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'";
    

    note some of the X- headers may be served by your php/web app too, i.e. Xenforo does for some.

    are you testing against your domains or the Centmin Mod main hostname, i.e. the IP address default Centmin Mod Nginx page?
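    As an added example (not Centmin Mod's or the scanner's own code), the following Python reproduces the header check behind the findings in the first post: it parses the response captured there, and a constructed response with Centmin Mod's default uncommented add_header lines, and reports which headers the scanner would flag. It treats Strict-Transport-Security as expected only when the response came over HTTPS, matching the point that HSTS lives only in the HTTPS vhost.

```python
# Added example, not Centmin Mod or scanner code. Reproduces the scanner's
# security-header check against a raw HTTP/1.x response.

# Response captured in the scan report earlier in this thread (port 80).
SCAN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 12 Aug 2020 10:46:41 GMT\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Length: 4074\r\n"
    "Server: nginx centminmod\r\n"
    "X-Powered-By: centminmod\r\n"
    "\r\n"
)

# Constructed: what a vhost returns with only the add_header lines that are
# uncommented in the Centmin Mod vhost snippet above (X-Frame-Options stays off).
CENTMIN_DEFAULT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx centminmod\r\n"
    "X-Xss-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
)

def parse_response(raw):
    """Return (status_line, headers); headers maps lowercase names to value lists."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:  # header names compare case-insensitively
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status_line, headers

def check_security_headers(headers, https):
    """List the findings the scanner reports; HSTS is only expected over HTTPS."""
    findings = []
    csp = " ".join(headers.get("content-security-policy", []))
    if "x-frame-options" not in headers and "frame-ancestors" not in csp:
        findings.append("X-Frame-Options or Content-Security-Policy: frame-ancestors missing")
    if "x-xss-protection" not in headers:
        findings.append("X-XSS-Protection missing")
    if not any(v.lower() == "nosniff" for v in headers.get("x-content-type-options", [])):
        findings.append("X-Content-Type-Options missing")
    if https and "strict-transport-security" not in headers:
        findings.append("Strict-Transport-Security missing")
    return findings

def scan(raw, https=False):
    """Parse a raw response and return the scanner-style findings for it."""
    return check_security_headers(parse_response(raw)[1], https)

if __name__ == "__main__":
    for port, https in ((80, False), (443, True)):
        for finding in scan(SCAN_RESPONSE, https):
            print(f"{finding} on port {port}")
```

Feed it the output of the `curl -lkL --verbose` run the scanner's note suggests to see which findings remain for a given vhost before the next quarterly scan.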
     
  3. Andy

    Andy Active Member

    I'm testing against the IP for the server that hosts my main domain and my other domains.
    It seems to pick up settings on other domains as well.
    I don't know why it passed 3 months ago and failed now.

    I'm testing again using the domain name and will see if it makes a difference.
     
  4. Andy

    Andy Active Member

    I got some issue with this site as it keeps asking me to do the hCaptcha puzzle even if I'm already logged in. Not sure the reason.
     
  5. Andy

    Andy Active Member

    The PCI report also said that it detected an old version of jQuery, but I couldn't grep to find which file contains that string
    jquery/jquery-3.3.1.min.js?_v=51091b27

    Any tip?
     
  6. eva2000

    eva2000 Administrator Staff Member

    Ah Cloudflare WAF rule being tripped, should be fixed now :)

    Probably best to ask on Xenforo forums as I believe it's dynamically generated by Xenforo
     
  7. Andy

    Andy Active Member

    It only happens after I reset my Chrome browser. What do I need to do?
     
  8. eva2000

    eva2000 Administrator Staff Member

    what do you mean by reset browser?

    should have resolved via my changes on my end, unless you're still experiencing the issue? You behind a VPN, HTTP proxy or Tor client?

    Is this now only happening for forum searches?
     
    Last edited: Aug 14, 2020