Re: [PHP] PCI compliance issue
2009/6/2 Skip Evans:
> Hey all,
>
> The original programmer created the following in the system's .htaccess
> file:
>
> RewriteCond %{REQUEST_FILENAME} !-f
> RewriteCond %{REQUEST_FILENAME} !-d
> RewriteRule .* index.php
>
> ...which sends any incorrect URL to the home page, correct?

It rewrites any request for a non-existent file or directory to index.php.

The first URL (http://www.ranghart.com/cgi-bin/?D=A) requests the cgi-bin directory. Presumably this directory exists in some form, which would prevent your rewrite rule from firing, but access to the directory is denied - hence the 403 FORBIDDEN.

The second URL (http://www.ranghart.com/cgi-bin/%3fD=A) requests a file called /cgi-bin/?D=A. This file genuinely doesn't exist, so the URL gets rewritten to index.php - hence your 200 OK response.

-robin
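The two URLs Robin walks through, traced the same way in code: this is an added example, not code from the thread or from the site in question. The temporary document root, the empty cgi-bin directory that exists but is refused, and the deny_subtree option (one hypothetical way to make both spellings answer alike) are assumptions standing in for the real server.

```python
# Added example, not code from the original thread: a small simulation of
# how the quoted .htaccess rules treat the two URLs Security Metrics sent.
# The document root, the cgi-bin directory and the 403 for direct directory
# access are assumptions standing in for the real server.
import os
import tempfile
from urllib.parse import urlsplit, unquote


def split_request(url):
    """Split a URL the way a web server reads the request line.

    A literal '?' terminates the path and starts the query string, while an
    encoded '%3f' is percent-decoded *after* that split and so stays part of
    the path. That single difference is what produced 403 vs 200.
    """
    parts = urlsplit(url)
    return unquote(parts.path), parts.query


def resolve(docroot, url, forbidden_dirs=("cgi-bin",), deny_subtree=False):
    """Emulate the quoted rewrite rules against a filesystem.

    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule .* index.php

    Only a request for something that is neither a file nor a directory is
    rewritten. A request for an existing-but-protected directory never reaches
    the rule and is refused (the 403 in the scan). deny_subtree=True is a
    hypothetical fix: refuse everything under a protected directory before
    the existence checks, so both spellings answer the same way.
    """
    path, query = split_request(url)
    rel = path.lstrip("/")
    top = rel.split("/", 1)[0]

    if deny_subtree and top in forbidden_dirs:
        return 403, path, query

    fs_path = os.path.join(docroot, rel)
    if os.path.isfile(fs_path):
        return 200, path, query             # -f matched: served as-is
    if os.path.isdir(fs_path):
        if top in forbidden_dirs:
            return 403, path, query         # -d matched, but access denied
        return 200, path, query
    return 200, "/index.php", query         # neither matched: rewritten


def build_docroot():
    """Constructed document root: an index.php and an empty cgi-bin/."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.mkdir(os.path.join(root, "cgi-bin"))
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'home'; ?>\n")
    return root


def scan(deny_subtree=False):
    """Return {url: status} for the two URLs from the scan report."""
    root = build_docroot()
    urls = (
        "http://www.ranghart.com/cgi-bin/?D=A",     # path /cgi-bin/, query D=A
        "http://www.ranghart.com/cgi-bin/%3fD=A",   # path /cgi-bin/?D=A, no query
    )
    return {u: resolve(root, u, deny_subtree=deny_subtree)[0] for u in urls}


if __name__ == "__main__":
    for url, status in scan().items():
        print(status, url)
    print("with deny_subtree:", scan(deny_subtree=True))
```

Running it reproduces the scanner's finding (403 for the literal `?`, 200 for `%3f`) and shows that the discrepancy comes from where the request parser splits path from query, not from the rewrite rule itself; the rule only ever sees the second spelling. The deny_subtree branch is just an illustration of the check the scanner wants satisfied: whatever policy applies to cgi-bin should apply before the file-existence tests, so an encoding trick cannot route around it.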
RE: [PHP] PCI compliance issue
From: Skip Evans
> --
> The reason why this issue is being flagged is simply that both
> links should bring you to the same page but if you look at the
> HTTP header response (http://www.ranghart.com/cgi-bin/?D=A) it
> returns a 403 forbidden even though it still takes you to the
> main site page, with the other URL
> (http://www.ranghart.com/cgi-bin/%3fD=A) it is returning a 200
> OK when it is the same page as the URL that is returning a
> 403. You will need to make sure that the pages are responding
> in the same way to correct this issue.
> -

My first reaction is that there is a problem with the way your server is parsing the URLs. Because it responded differently to the encoded question mark than it did with the actual question mark, there may be a bug in that parser. Now whether that bug is exploitable is another matter and is not even questioned here. But its very existence is of concern when you are working with PCI.

One other note I would make here. We believe that the PCI requirements were devised to protect the credit card companies from liability. They do very little to protect you or your employer. We treat them as only the minimum requirements for any site or product, whether it has to go through their certification process or not.

Bob McConnell

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PCI compliance issue
On Tue, Jun 02, 2009 at 10:01:02AM -0500, Skip Evans wrote:
> Hey all,
>
> Some may remember my question awhile back about ensuring all
> CC forms are behind https. I've always put them so, but I've
> taken over maintenance on a site that did not and have since
> corrected the problem.
>
> Now the client is going for PCI compliance as a requirement by
> their credit card processor and we have been dealing with
> issues determined to be risks by Security Metrics, most of which were
> legit (except one thinking IIS was running on a Linux
> server!), but this one has me scratching my head.
>
> The original programmer created the following in the system's
> .htaccess file:
>
> RewriteCond %{REQUEST_FILENAME} !-f
> RewriteCond %{REQUEST_FILENAME} !-d
> RewriteRule .* index.php
>
> ...which sends any incorrect URL to the home page, correct?
> But Security Metrics, as part of their test, ran two URLs
> through the system that, while both displaying the home page,
> had different things in the header, which they flagged as an
> issue. Here is their explanation below, but my question is,
> why is this considered a security risk, and what suggestions
> might some of you have to correct it?
>
> Thanks much!
> Skip
>
> --
> The reason why this issue is being flagged is simply that both
> links should bring you to the same page but if you look at the
> HTTP header response (http://www.ranghart.com/cgi-bin/?D=A) it
> returns a 403 forbidden even though it still takes you to the
> main site page, with the other URL
> (http://www.ranghart.com/cgi-bin/%3fD=A) it is returning a 200
> OK when it is the same page as the URL that is returning a
> 403. You will need to make sure that the pages are responding
> in the same way to correct this issue.
> -

I can't answer your question, but let me just sympathize. I'm a MOTO merchant, meaning I never see an actual credit card. But I don't do any credit card transactions online. It's all done with a little dialup gizmo in my office.

But I keep credit card numbers on one of our servers, behind a firewall, blah blah blah. I just had to take a stupid PCI compliance test comprising upwards of 200 questions. Not only that, but I have to *pay* for the test and be penalized if I don't take it. If I didn't have to take credit cards to stay in business, I'd tell the credit card companies to go pound sand.

Paul

--
Paul M. Foster
[PHP] PCI compliance issue
Hey all,

Some may remember my question awhile back about ensuring all CC forms are behind https. I've always put them so, but I've taken over maintenance on a site that did not and have since corrected the problem.

Now the client is going for PCI compliance as a requirement by their credit card processor and we have been dealing with issues determined to be risks by Security Metrics, most of which were legit (except one thinking IIS was running on a Linux server!), but this one has me scratching my head.

The original programmer created the following in the system's .htaccess file:

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule .* index.php

...which sends any incorrect URL to the home page, correct? But Security Metrics, as part of their test, ran two URLs through the system that, while both displaying the home page, had different things in the header, which they flagged as an issue. Here is their explanation below, but my question is, why is this considered a security risk, and what suggestions might some of you have to correct it?

Thanks much!
Skip

--
The reason why this issue is being flagged is simply that both links should bring you to the same page but if you look at the HTTP header response (http://www.ranghart.com/cgi-bin/?D=A) it returns a 403 forbidden even though it still takes you to the main site page, with the other URL (http://www.ranghart.com/cgi-bin/%3fD=A) it is returning a 200 OK when it is the same page as the URL that is returning a 403. You will need to make sure that the pages are responding in the same way to correct this issue.
-

--
Skip Evans
Big Sky Penguin, LLC
503 S Baldwin St, #1
Madison WI 53703
608.250.2720
http://bigskypenguin.com
Those of you who believe in telekinesis, raise my hand.
-- Kurt Vonnegut