Re: [PHP] PCI compliance issue

2009-06-02 Thread Robin Vickery
2009/6/2 Skip Evans 

> Hey all,
>
> The original programmer created the following in the system's .htaccess
> file:
>
> RewriteCond %{REQUEST_FILENAME} !-f
> RewriteCond %{REQUEST_FILENAME} !-d
> RewriteRule .* index.php
>
> ...which sends any incorrect URL to the home page, correct?


It rewrites any request for a non-existent file or directory to index.php.

The first URL (http://www.ranghart.com/cgi-bin/?D=A) requests the cgi-bin
directory. Presumably this directory exists in some form which would prevent
your rewrite rule from firing, but access to the directory is denied - hence
the 403 FORBIDDEN.

The second URL (http://www.ranghart.com/cgi-bin/%3fD=A) requests a file
called /cgi-bin/?D=A. This file genuinely doesn't exist so the url gets
rewritten to index.php - hence your 200 OK response.

-robin


RE: [PHP] PCI compliance issue

2009-06-02 Thread Bob McConnell
From: Skip Evans

> --
> The reason why this issue is being flagged is simply that both 
> links should bring you to the same page but if you look at the 
> HTTP header response (http://www.ranghart.com/cgi-bin/?D=A) it 
> returns a 403 forbidden even though it still takes you to the 
> main site page, with the other URL 
> (http://www.ranghart.com/cgi-bin/%3fD=A) it is returning a 200 
> OK when it is the same page as the URL that is returning a 
> 403. You will need to make sure that the pages are responding 
> in the same way to correct this issue.
> -

My first reaction is that there is a problem with the way your server is
parsing the URLs. Because it responded differently to the encoded
question mark than it did with the actual question mark, there may be a
bug in that parser. Now whether that bug is exploitable is another
matter and is not even questioned here. But its very existence is of
concern when you are working with PCI.

One other note I would make here. We believe that the PCI requirements
were devised to protect the credit card companies from liability. They
do very little to protect you or your employer. We treat them as only
the minimum requirements for any site or product, whether it has to go
through their certification process or not.

Bob McConnell

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] PCI compliance issue

2009-06-02 Thread Paul M Foster
On Tue, Jun 02, 2009 at 10:01:02AM -0500, Skip Evans wrote:

> Hey all,
>
> Some may remember my question awhile back about ensuring all
> CC forms are behind https. I've always put them so, but I've
> taken over maintenance on a site that did not and have since
> corrected the problem.
>
> Now the client is going for PCI compliance as a requirement by
> their credit card processor and we have been dealing with
> issues determined to be risks by Security Metrics, most of which were
> legit (except one thinking IIS was running on a Linux
> server!), but this one has me scratching my head.
>
> The original programmer created the following in the system's
> .htaccess file:
>
> RewriteCond %{REQUEST_FILENAME} !-f
> RewriteCond %{REQUEST_FILENAME} !-d
> RewriteRule .* index.php
>
> ...which sends any incorrect URL to the home page, correct?
> But Security Metrics, as part of their test ran two URLs
> through the system that while both displaying the home page
> had different things in the header, which they flagged as an
> issue. Here is their explanation below, but my question is,
> why is this considered a security risk, and what suggestions
> might some of you have to correct it?
>
> Thanks much!
> Skip
>
> --
> The reason why this issue is being flagged is simply that both
> links should bring you to the same page but if you look at the
> HTTP header response (http://www.ranghart.com/cgi-bin/?D=A) it
> returns a 403 forbidden even though it still takes you to the
> main site page, with the other URL
> (http://www.ranghart.com/cgi-bin/%3fD=A) it is returning a 200
> OK when it is the same page as the URL that is returning a
> 403. You will need to make sure that the pages are responding
> in the same way to correct this issue.
> -

I can't answer your question, but let me just sympathize. I'm a MOTO
merchant, meaning I never see an actual credit card. But I don't do any
credit card transactions online. It's all done with a little dialup
gizmo in my office. But I keep credit card numbers on one of our
servers, behind a firewall, blah blah blah. I just had to take a stupid
PCI compliance test comprising upwards of 200 questions. Not only that,
but I have to *pay* for the test and be penalized if I don't take it.

If I didn't have to take credit cards to stay in business, I'd tell the
credit card companies to go pound sand.

Paul

-- 
Paul M. Foster




[PHP] PCI compliance issue

2009-06-02 Thread Skip Evans

Hey all,

Some may remember my question awhile back about ensuring all 
CC forms are behind https. I've always put them so, but I've 
taken over maintenance on a site that did not and have since 
corrected the problem.


Now the client is going for PCI compliance as a requirement by 
their credit card processor and we have been dealing with 
issues determined to be risks by Security Metrics, most of which were 
legit (except one thinking IIS was running on a Linux 
server!), but this one has me scratching my head.


The original programmer created the following in the system's 
.htaccess file:


RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule .* index.php

...which sends any incorrect URL to the home page, correct? 
But Security Metrics, as part of their test ran two URLs 
through the system that while both displaying the home page 
had different things in the header, which they flagged as an 
issue. Here is their explanation below, but my question is, 
why is this considered a security risk, and what suggestions 
might some of you have to correct it?


Thanks much!
Skip

--
The reason why this issue is being flagged is simply that both 
links should bring you to the same page but if you look at the 
HTTP header response (http://www.ranghart.com/cgi-bin/?D=A) it 
returns a 403 forbidden even though it still takes you to the 
main site page, with the other URL 
(http://www.ranghart.com/cgi-bin/%3fD=A) it is returning a 200 
OK when it is the same page as the URL that is returning a 
403. You will need to make sure that the pages are responding 
in the same way to correct this issue.

-


--

Skip Evans
Big Sky Penguin, LLC
503 S Baldwin St, #1
Madison WI 53703
608.250.2720
http://bigskypenguin.com

Those of you who believe in
telekinesis, raise my hand.
 -- Kurt Vonnegut
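The following is an added example, not code from the thread or from the site under discussion. It models the three .htaccess lines from Skip's post and the explanation in Robin's reply: the query string is split off at the first raw `?`, the remaining path is percent-decoded, and only then is it tested for existence as a file or directory. With a constructed document root in which `/cgi-bin` exists but denies access, the two scanner URLs diverge exactly as reported (403 for `/cgi-bin/?D=A`, 200 via index.php for `/cgi-bin/%3fD=A`). The document-root model, the `resolve` and `responses_consistent` names, and the treatment of a denied directory as a 403 are assumptions made for the example; the last `responses_consistent` function is the kind of check a scanner such as Security Metrics applies, so a site owner can reproduce the finding offline before changing the configuration.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed model of the document root (assumption, not the real site):
# which paths exist as files, which as directories, and which directories
# deny access the way /cgi-bin does in the thread.
DOCROOT_FILES = {"/index.php", "/about.php"}
DOCROOT_DIRS = {"/", "/cgi-bin", "/images"}
DENIED_DIRS = {"/cgi-bin"}


def resolve(url):
    """Model how the rewrite rules answer one request URL.

        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule .* index.php

    Returns (status, served_path, rewritten).
    """
    parts = urlsplit(url)
    # Step 1: the query string is separated at the first *raw* '?', before
    # any percent-decoding. An encoded %3f never reaches this step as '?'.
    raw_path = parts.path
    # Step 2: the path is percent-decoded to form REQUEST_FILENAME, so
    # '/cgi-bin/%3fD=A' becomes the literal file name '/cgi-bin/?D=A'.
    filename = posixpath.normpath(unquote(raw_path))
    # Step 3: the -f / -d tests. An existing directory or file stops the
    # rewrite from firing; the directory's own access rules then apply.
    if filename in DOCROOT_DIRS:
        if filename in DENIED_DIRS:
            return 403, filename, False
        return 200, filename, False
    if filename in DOCROOT_FILES:
        return 200, filename, False
    # Step 4: neither condition blocked the rule, so the request is
    # rewritten to index.php and the home page is served with 200.
    return 200, "/index.php", True


def responses_consistent(urls):
    """The scanner's check: do all variants of a URL return one status?"""
    statuses = {resolve(u)[0] for u in urls}
    return len(statuses) == 1


if __name__ == "__main__":
    scanner_urls = [
        "http://www.ranghart.com/cgi-bin/?D=A",
        "http://www.ranghart.com/cgi-bin/%3fD=A",
    ]
    for u in scanner_urls:
        status, path, rewritten = resolve(u)
        print(f"{u}\n  -> {status} {path}{' (rewritten)' if rewritten else ''}")
    print("consistent:", responses_consistent(scanner_urls))
```

Running the block prints the 403/200 split from the scanner report, and `responses_consistent` returns False for that pair. Once a fix is in place (for example, making requests into the denied directory and requests for non-existent files under it answer the same way), rerunning the same pair should return True; the model makes it easy to try other encodings of the same path (`%2F`, trailing dots, double encoding) and confirm they all land on one status before the next scan.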
