Server vulnerability scan - DCShop

Hello all,

Have a bit of a tickler here: we are getting ready to have a security audit run against our servers. This scan uses a product called Tenable, which a sister agency to ours will use to scan our servers. In preparation for this scan I’ve installed and scanned these servers with OpenVAS, which thankfully has identified only a few minor issues with our fully patched SLES11 SP3 servers. The biggest issue that is being reported back is the following:

Summary

We detected a vulnerable version of the DCShop CGI. This version does not properly protect user and credit card information. It is possible to access files that contain administrative passwords, current and pending transactions and credit card information (along with name, address, etc).

Vulnerability Detection Result

The following files are affected:

DCShop orders file: /?q=user/register/Orders/orders.txt
DCShop orders file: /?q=user/register/orders/orders.txt
DCShop authentication file: /?q=user/register/Auth_data/auth_user_file.txt
DCShop authentication file: /?q=user/register/auth_data/auth_user_file.txt

The problem is… we don’t have DCShop installed. In fact the cgi-bin directory on the server contains exactly three files:

info2html, info2html.conf and infocat

My google-fu led me to a few (very few) web sites which suggested making massive modifications to the DCShop installation, which cannot be done because, again, the server doesn’t have this installed. One tip suggested that the ‘everyone’ group had full access to the cgi-bin folder; default permissions on the cgi-bin folder are 755, and I’ve changed that to 754 and 750 with zero impact on the above error during OpenVAS scans.

Can anyone shed any light on this for me? I’m pretty sure that reporting to the scanning agency that ‘oh yea that’s a bug in the scan we don’t use DCShop’ is going to result in a big fat fail at this station.

Appreciate the thoughts / suggestions.

On 18/05/2016 21:24, amginenigma wrote:
[color=blue]

Have a bit of a tickler here: we are getting ready to have a security
audit run against our servers. This scan uses a product called Tenable,
which a sister agency to ours will use to scan our servers. In
preparation for this scan I’ve installed and scanned these servers with
OpenVAS, which thankfully has identified only a few minor issues with
our fully patched SLES11 SP3 servers.[/color]

Whilst you may have fully patched SLES11 SP3 servers if you are worried
about security you should upgrade those to SLES11 SP4 as SP3 is now out
of support (though you may still be receiving some patches).
[color=blue]

The biggest issue that is being
reported back is the following:

Summary

We detected a vulnerable version of the DCShop CGI. This version does
not properly protect user and credit card information. It is possible to
access files that contain administrative passwords, current and pending
transactions and credit card information (along with name, address,
etc).

Vulnerability Detection Result

The following files are affected:

DCShop orders file: /?q=user/register/Orders/orders.txt
DCShop orders file: /?q=user/register/orders/orders.txt
DCShop authentication file:
/?q=user/register/Auth_data/auth_user_file.txt
DCShop authentication file:
/?q=user/register/auth_data/auth_user_file.txt

The problem is… we don’t have DCShop installed. In fact the cgi-bin
directory on the server contains exactly three files:

info2html, info2html.conf and infocat

My google-fu led me to a few (very few) web sites which suggested making
massive modifications to the DCShop installation, which cannot be done
because, again, the server doesn’t have this installed. One tip suggested
that the ‘everyone’ group had full access to the cgi-bin folder; default
permissions on the cgi-bin folder are 755, and I’ve changed that to 754 and
750 with zero impact on the above error during OpenVAS scans.

Can anyone shed any light on this for me? I’m pretty sure that
reporting to the scanning agency that ‘oh yea that’s a bug in the scan
we don’t use DCShop’ is going to result in a big fat fail at this
station.

Appreciate the thoughts / suggestions.[/color]

Looking at the OpenVAS plug-in suggests that it has found DCShop
installed so could it be that you have virtual servers and/or
alternative cgi-bin directories called from additional .conf files?

HTH.

Simon
SUSE Knowledge Partner
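One way to turn "we don't use DCShop" into evidence the auditing agency can check for itself is to show what the server actually returns for the flagged URLs. The script below is an added example, not code from either post, from OpenVAS or from SUSE: it takes the four paths from the report above, a base URL you supply (run it once per virtual host, following Simon's point about additional .conf files and vhosts), and assumes curl and sha256sum are available where it runs. It fetches each flagged path together with a constructed path that certainly does not exist; if the nonexistent path comes back with the same status and body as the flagged ones, the site is answering every `?q=` URL the same way (a front-controller catch-all, which is my assumption about why the plugin fires), and the finding can be documented as a false positive with the responses attached.

```shell
#!/bin/sh
# Hypothetical checker for an OpenVAS "DCShop" hit on a host without DCShop.
# Compares each flagged URL against a path that cannot exist; identical
# status + body means the web app returns a catch-all page for any ?q= path.

# Paths taken from the scan report quoted in the thread.
FLAGGED_PATHS='
/?q=user/register/Orders/orders.txt
/?q=user/register/orders/orders.txt
/?q=user/register/Auth_data/auth_user_file.txt
/?q=user/register/auth_data/auth_user_file.txt
'

# fetch_sig URL -> "<http_status> <sha256 of body>"
fetch_sig() {
    body=$(mktemp)
    status=$(curl -s -o "$body" -w '%{http_code}' "$1")
    sum=$(sha256sum "$body" | cut -d' ' -f1)
    rm -f "$body"
    echo "$status $sum"
}

# classify FLAGGED_SIG BASELINE_SIG -> absent | catch-all | distinct
#   absent    : the flagged path is a plain 404, nothing is served there
#   catch-all : same status and body as the nonexistent baseline path, so the
#               scanner matched on a generic page, not on a DCShop file
#   distinct  : the flagged path returns something unique; inspect it by hand
classify() {
    flagged_status=${1%% *}; flagged_sum=${1#* }
    base_status=${2%% *};    base_sum=${2#* }
    if [ "$flagged_status" = "404" ]; then
        echo "absent"
    elif [ "$flagged_status" = "$base_status" ] && [ "$flagged_sum" = "$base_sum" ]; then
        echo "catch-all"
    else
        echo "distinct"
    fi
}

# audit BASE_URL -> one verdict line per flagged path; exit status 0 when no
# path is "distinct", i.e. the finding can be written up as a false positive.
audit() {
    base_url=${1%/}
    # Constructed baseline: a ?q= path nobody serves on purpose.
    probe="/?q=user/register/openvas_fp_check_$(date +%s)/nothing.txt"
    baseline=$(fetch_sig "$base_url$probe")
    printf 'baseline %-10s %s\n' "${baseline%% *}" "$probe"
    rc=0
    set -f   # the paths contain '?', keep the shell from globbing them
    for p in $FLAGGED_PATHS; do
        verdict=$(classify "$(fetch_sig "$base_url$p")" "$baseline")
        printf '%-12s %s\n' "$verdict" "$p"
        if [ "$verdict" = "distinct" ]; then rc=1; fi
    done
    set +f
    return $rc
}

# Usage: sh check_dcshop_fp.sh https://vhost.example   (repeat per vhost)
if [ $# -eq 1 ]; then
    audit "$1"
fi
```

Keep the printed verdicts and the raw curl output for the vhosts in the audit package; a catch-all result plus a listing of the real cgi-bin contents is the kind of evidence a scanning agency can accept in place of "that's a scanner bug". A "distinct" verdict means something really is served at that URL and needs to be looked at before the Tenable run.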