PCI Fail Please help

Hi guys and gals. I have CS Cart installed and an SSL certificate. I did a PCI compliance scan (virtual hack) and came up with the following vulnerabilities. Are these false positives, or can this truly happen? I need to make sure the cart I am using is 10000000% secure.



Test - Mysql Unpassworded Account Check

Results - It is possible to connect to the remote MySQL database server using an unpassworded account. This may allow an attacker to launch further attacks against the database.



Second Test Result

Potential Sensitive Persistent Cookie Sent Over a Non-Encrypted (SSL) Channel

Explanation: The remote host appears to have set a potentially sensitive persistent cookie across the internet in plain text.



An HTTP cookie is a piece of text-based data created by a website and sent to a web browser client, and then sent back to the website without modification by the browser. The various uses for HTTP cookies include authentication, differentiation of users, maintaining data related to a user while they are viewing the website, maintaining a list of stored contents (as when used by a shopping cart application), etc. In short, this is a way to identify a user by the computer they used to access the site, as well as providing a way for the browser to keep the session in memory for subsequent visits and personalization based on the preferences of a particular user. Using cookies allows browser and server to “maintain state”.

The cookie that was set by the server was flagged as being potentially sensitive. Potentially sensitive information could be session tokens, user IDs, or passwords.

The potentially sensitive cookie was also sent over a non-encrypted channel. Using secure protocols to transmit cookies normally ensures a safe method of transmission. By sending cookies over non-secure channels, the cookie has the potential to be “sniffed” from network traffic. This has become a much larger issue when you take into account how many people today use wireless hot spots and public terminals.

The cookie was also persistent. Persistent cookies are saved to the client's machine in a text file format. By doing this, the cookie can be used at a later time, even after the browser has been closed. Once the expires tag (a directive sent along with the cookie) has been reached, the cookie is then deleted from the client. Attackers can view these saved cookies even after the user's browser has been closed. With the amount of public terminals that are being used today, and the information that is saved in these cookies, an attacker can gain a lot of information about the users of these systems.

I have SSL in the correct path; what can I do to fix this? I have not modified any CS Cart files at all; this is all the default setup.



---------------------------

Unencrypted Sensitive Form Detected

The remote host appears to allow sensitive form submission over unencrypted (HTTP) connections. This means that a user's personal information is sent over the internet in clear text. An attacker may be able to uncover sensitive information such as login names and passwords by sniffing network traffic.

OK, how do I fix this if I have already set the directories to SSL? This has to be a CS Cart thing, not passing a form over to encryption.





Any help on these things from anyone would be greatly appreciated as I do not want to put my customers at risk and I need to pass PCI compliance to avoid those hefty fines.
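The cookie finding above comes down to three properties of the Set-Cookie header: the response arrived over plain HTTP, the cookie has no Secure (or HttpOnly) attribute, and it carries an Expires/Max-Age so it persists on disk. The following added example (not from this thread or from CS-Cart) audits a captured response for exactly those conditions; the response text is constructed, and only the cookie name sess_id is taken from the thread.

```python
import re

# Cookie names that a scanner would treat as potentially sensitive
# (session identifiers, auth tokens, user identity). Heuristic, not authoritative.
SENSITIVE_NAME = re.compile(r"sess|sid|token|auth|user|pass|login", re.I)

# Constructed sample: a storefront reply fetched over plain http://.
# Values and the expiry date are made up for the example.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sess_id=3f9a0c7e; expires=Thu, 30-Jun-2011 00:19:00 GMT; path=/\r\n"
    "Set-Cookie: lang=en; path=/\r\n"
    "Set-Cookie: csrf_token=deadbeef; path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html><body>store</body></html>"
)


def parse_set_cookies(raw):
    """Return one dict per Set-Cookie header: name, value and lowercase attributes."""
    head = raw.split("\r\n\r\n", 1)[0]          # headers only, body is irrelevant here
    cookies = []
    for line in head.split("\r\n"):
        if not line.lower().startswith("set-cookie:"):
            continue
        parts = [p.strip() for p in line.split(":", 1)[1].split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {}
        for attr in parts[1:]:                  # "Secure" has no value, "expires=..." does
            key, _, val = attr.partition("=")
            attrs[key.strip().lower()] = val.strip()
        cookies.append({"name": name.strip(), "value": value, "attrs": attrs})
    return cookies


def audit_cookies(raw, scheme):
    """Map each potentially sensitive cookie to the weaknesses a PCI scan would report."""
    findings = {}
    for c in parse_set_cookies(raw):
        if not SENSITIVE_NAME.search(c["name"]):
            continue                            # e.g. a language preference: not sensitive
        issues = []
        if scheme == "http":
            issues.append("set over unencrypted channel")
        if "secure" not in c["attrs"]:
            issues.append("missing Secure flag")   # browser may later send it over http
        if "httponly" not in c["attrs"]:
            issues.append("missing HttpOnly flag")
        if "expires" in c["attrs"] or "max-age" in c["attrs"]:
            issues.append("persistent (Expires/Max-Age set)")
        if issues:
            findings[c["name"]] = issues
    return findings
```

The fix on the application side is the mirror image of the audit: issue the session cookie only over HTTPS, with Secure and HttpOnly set and no Expires, so it lives only for the browser session.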

Which service (company) did you use for the PCI scan? Martfox does scan his servers (and CS-Cart accounts) through Comodo and www.ncircle.com and got 2 different results: Comodo with 1 warning, ncircle absolutely positive. It all depends on their scan algorithm. No one will be the same.



Anyway, there were not any CS-Cart weaknesses. Comodo reported some warnings “server side”, but as said, by the other provider the scan was positive.



Comodo reported about an open relay while it wasn’t. PCI scanning is a huge pain and isn’t understood by a lot of providers or customers. The majority of it is a grey area and different scans will give different results.

I used McAfee Secure, and the vulnerability summary is:

Website Directory Listing: 2

Mysql Unpassworded Account Check: 1

Unencrypted Sensitive Form Detected: 1

SMTP Server Detected on Non-standard Port: 1

Potential Sensitive Persistent Cookie Sent Over a Non-Encrypted (SSL) Channel: 1

MySQL Server Listener & Version Detection: 1

Dns Server Cache Snooping Information Disclosure: 1



The numbers are the amount of vulnerabilities that the McAfee virtual hack scanner found. My host is HostGator and I do have an SSL certificate installed and working. I have not configured any code or anything. I just uploaded CS Cart and selected my theme, worked on the theme, uploaded items. I followed CS Cart's directions on file permissions, etc. Above is what McAfee found.



The most critical ones are the following two, which I have no clue what they are saying to me. lol

Device www.newtonapparel.com (174.120.247.18)
Vulnerability Website Directory Listing
Port 443/tcp

Device www.newtonapparel.com (174.120.247.18)
Vulnerability Website Directory Listing
Port 80/tcp
Scan Date 30-JUN-2010 00:19

Ok, these are all weaknesses of your server, not CS-Cart. You have to contact your hosting provider with this issue.

Well, I am finding problems with CS Cart as well, for example: if I use the contact us form, how can I make it so that it loads via HTTPS and not the regular protocol? I can't seem to figure out how to change custom forms, wishlists etc. I want every aspect of my customers' experience encrypted, even contacting me and other forms, not just checkout.



Also says I have a cookie that is not encrypted.
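The “Unencrypted Sensitive Form” finding is about where a form actually submits to: a relative action on an http:// page posts over plain HTTP even if an SSL certificate is installed elsewhere on the site. The added example below (not from this thread or from CS-Cart) walks a storefront page the way a scanner does, resolves each form's action against the page URL and reports forms that carry personal fields yet submit over http. The HTML and URLs are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Field names a scanner treats as personal/sensitive data. Heuristic, not authoritative.
SENSITIVE_FIELD = ("password", "email", "phone", "card", "address", "name")

# Constructed page: a contact form with a relative action on a plain-http page,
# a login form that posts explicitly to https://, and a harmless search box.
PAGE_URL = "http://shop.example/index.php"
SAMPLE_HTML = """
<form action="contact.php" method="post">
  <input name="from_name"><input name="email" type="text">
  <textarea name="message"></textarea>
</form>
<form action="https://shop.example/login.php" method="post">
  <input name="user_login"><input name="password" type="password">
</form>
<form action="search.php" method="get"><input name="q"></form>
"""


class FormCollector(HTMLParser):
    """Collect each <form>'s resolved action URL and the names/types of its fields."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._cur = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An empty or relative action inherits the scheme of the page it sits on.
            self._cur = {"action": urljoin(self.page_url, a.get("action") or ""), "fields": []}
            self.forms.append(self._cur)
        elif tag in ("input", "textarea", "select") and self._cur is not None:
            self._cur["fields"].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def unencrypted_sensitive_forms(html, page_url):
    """Return action URLs of forms that collect personal data but submit over http."""
    collector = FormCollector(page_url)
    collector.feed(html)
    hits = []
    for form in collector.forms:
        sensitive = any(k in field for field in form["fields"] for k in SENSITIVE_FIELD)
        if sensitive and urlparse(form["action"]).scheme == "http":
            hits.append(form["action"])
    return hits
```

Serving the whole page over https:// (or giving the form an absolute https:// action) clears the finding; the second assertion in a quick run shows the same HTML is clean once the page URL is https.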

OK, my host has fixed 2 of the 3 major problems. Of the two that remain, one is major, the other not as much.

The major one I do not know how to fix, but it is a problem with CS Cart:



Potential Sensitive Persistent Cookie Sent Over a Non-Encrypted (SSL) Channel



The other one is the contact us and other forms not secure, they are going across regular protocols.



So any insight on how I can fix these two issues would be greatly appreciated as they are the two last things preventing me from being PCI compliant.



Server side issues are fixed.

[quote name=‘russ1106’]OK, my host has fixed 2 of the 3 major problems. Of the two that remain, one is major, the other not as much.

The major one I do not know how to fix, but it is a problem with CS Cart:



Potential Sensitive Persistent Cookie Sent Over a Non-Encrypted (SSL) Channel



The other one is the contact us and other forms not secure, they are going across regular protocols.



So any insight on how I can fix these two issues would be greatly appreciated as they are the two last things preventing me from being PCI compliant.



Server side issues are fixed.[/quote]

I think this is a question for CS-Cart Support.

[quote name=‘russ1106’]The other one is the contact us and other forms not secure, they are going across regular protocols…[/QUOTE]



Secure it yourself in the edit forms section.

The cookie problem was posted in the Bug Tracker some time ago and it was confirmed, but no follow-up as to when it would be fixed.

Reference:

[URL=“http://forum.cs-cart.com/vbugs.php?do=view&vbug_id=954”]http://forum.cs-cart.com/vbugs.php?do=view&vbug_id=954[/URL]

Bob

[quote name=‘Tool Outfitters’]Secure it yourself in the edit forms section.[/QUOTE]



And where exactly is this? I go to addons / forms and the edit option is not available to click; it's grayed out. Is there another place to go? Because I can't find it for the life of me.

[quote name=‘russ1106’]And where exactly is this? I go to addons / forms and the edit option is not available to click; it's grayed out. Is there another place to go? Because I can't find it for the life of me.[/quote]

Search for… ‘secure form’



[url]http://forum.cs-cart.com/showthread.php?p=87962#post87962[/url]

Thanks guys and gals, after 15 minutes of searching through the panel, I found it. :) I feel like a dope, but sometimes we all overlook things even when they seem simple enough for others. Things can be overlooked.



Thanks though, that will take care of a major issue, now I just need CS cart to fix that cookie issue and I will be golden.

This is definitely an issue. My store fails the McAfee scan also because of the sess_id in the cookie over clear-text. Bad…

Do the cookies contain sensitive information or just session IDs? Are session IDs considered sensitive information, or can they be used by someone to obtain sensitive information? I would consider sensitive information to be personal data including credit card information, names, addresses, etc.

If all they contain is just tracking code, then maybe they don’t really impact PCI compliance.

Thanks,

Bob

Here are the scan specifics:



The remote host appears to have set a potentially sensitive persistent cookie across the internet in plain text.

An HTTP cookie is a piece of text-based data created by a website and sent to a web browser client, and then sent back to the website without modification by the browser. The various uses for HTTP cookies include authentication, differentiation of users, maintaining data related to a user while they are viewing the website, maintaining a list of stored contents (as when used by a shopping cart application), etc. In short, this is a way to identify a user by the computer they used to access the site, as well as providing a way for the browser to keep the session in memory for subsequent visits and personalization based on the preferences of a particular user. Using cookies allows browser and server to “maintain state”.

The cookie that was set by the server was flagged as being potentially sensitive. Potentially sensitive information could be session tokens, user IDs, or passwords.

The potentially sensitive cookie was also sent over a non-encrypted channel. Using secure protocols to transmit cookies normally ensures a safe method of transmission. By sending cookies over non-secure channels, the cookie has the potential to be “sniffed” from network traffic. This has become a much larger issue when you take into account how many people today use wireless hot spots and public terminals.

The cookie was also persistent. Persistent cookies are saved to the client's machine in a text file format. By doing this, the cookie can be used at a later time, even after the browser has been closed. Once the expires tag (a directive sent along with the cookie) has been reached, the cookie is then deleted from the client. Attackers can view these saved cookies even after the user's browser has been closed. With the amount of public terminals that are being used today, and the information that is saved in these cookies, an attacker can gain a lot of information about the users of these systems.



-----------



Regardless of whether it pertains only to ID tokens or to other information, it is still a failure for PCI compliance and needs to be addressed.