One of our clients has recently run into a problem with their scanning company, whereby a pre-existing vulnerability has been upgraded to a serious threat, which is causing Able to fail the PCI-DSS scan. Specifically, the vulnerability is with the ValidateRequest feature of ASP (see here, from 2008)
The scanning company has agreed with our diagnosis; there is no fix for this on a site running .NET 2/3/3.5 on Server 2003. They've therefore explained that they'll listen to the argument: Our site is not vulnerable because... And this is where I was hoping for some advice from an Able expert!
Any pointers from anyone? Anyone come across this since the acquiring bank who requested this flaw be upgraded to serious did so in March? The scanning company admits they're talking to a lot of angry customers because of this, so hopefully someone in the Able community has seen this.
PCI-DSS Security Vulnerability in .NET <all versions>
- Logan Rhodehamel
- Developer
- Posts: 4116
- Joined: Wed Dec 10, 2003 5:26 pm
Re: PCI-DSS Security Vulnerability in .NET <all versions>
AbleCommerce by default does not even use the validateRequest parameter. It interferes with the needs of our application so if you look in the web.config file, we have disabled it site wide. Instead we have server side validation and sanitize all user inputs - we never trust users to give us something that can be used directly. In reading the post from the company, it appears that the failure is triggered simply by seeing the HTTP runtime version in the response header. It would not be possible to have a website on < .NET 4 pass a scan no matter how it was coded. Something about that doesn't seem very helpful to me.
To fix the scan from the forum you linked, it appears you can make a change to the web.config to hide the http runtime version from the output. That would make the scan not trigger the vulnerability.
You could also upgrade to .NET 4 if it's a more recent version of AbleCommerce where support for that framework was enabled.
To fix the scan from the forum you linked, it appears you can make a change to the web.config to hide the http runtime version from the output. That would make the scan not trigger the vulnerability.
You could also upgrade to .NET 4 if it's a more recent version of AbleCommerce where support for that framework was enabled.
Cheers,
Logan
.com
If I do not respond to an unsolicited private message, it's not because I'm ignoring you. It's because the answer to your question is valuable to others. Try the new topic button.
Logan
.com
If I do not respond to an unsolicited private message, it's not because I'm ignoring you. It's because the answer to your question is valuable to others. Try the new topic button.
- Logan Rhodehamel
- Developer
- Posts: 4116
- Joined: Wed Dec 10, 2003 5:26 pm
Re: PCI-DSS Security Vulnerability in .NET <all versions>
AbleCommerce by default does not even use the validateRequest parameter. It interferes with the needs of our application so if you look in the web.config file, we have disabled it site wide. Instead we have server side validation and sanitize all user inputs - we never trust users to give us something that can be used directly. In reading the post from the company, it appears that the failure is triggered simply by seeing the HTTP runtime version in the response header. It would not be possible to have a website on < .NET 4 pass a scan no matter how it was coded. Something about that doesn't seem very helpful to me.
To fix the scan from the forum you linked, it appears you can make a change to the web.config to hide the http runtime version from the output. That would make the scan not trigger the vulnerability.
You could also upgrade to .NET 4 if it's a more recent version of AbleCommerce where support for that framework was enabled.
To fix the scan from the forum you linked, it appears you can make a change to the web.config to hide the http runtime version from the output. That would make the scan not trigger the vulnerability.
You could also upgrade to .NET 4 if it's a more recent version of AbleCommerce where support for that framework was enabled.
Cheers,
Logan
.com
If I do not respond to an unsolicited private message, it's not because I'm ignoring you. It's because the answer to your question is valuable to others. Try the new topic button.
Logan
.com
If I do not respond to an unsolicited private message, it's not because I'm ignoring you. It's because the answer to your question is valuable to others. Try the new topic button.
- jmestep
- AbleCommerce Angel
- Posts: 8164
- Joined: Sun Feb 29, 2004 8:04 pm
- Location: Dayton, OH
- Contact:
Re: PCI-DSS Security Vulnerability in .NET <all versions>
You can take out the runtime information in the header by changing the HTTP Reponse Header for you website in the IIS Manager.
Judy Estep
Web Developer
jestep@web2market.com
http://www.web2market.com
708-653-3100 x209
New search report plugin for business intelligence:
http://www.web2market.com/Search-Report ... -P154.aspx
Web Developer
jestep@web2market.com
http://www.web2market.com
708-653-3100 x209
New search report plugin for business intelligence:
http://www.web2market.com/Search-Report ... -P154.aspx
Re: PCI-DSS Security Vulnerability in .NET <all versions>
From our experience with different PCI scanning vendors we found that each vendor has its own definition of which vulnerability is
critical and which can be treated as a non-critical warning. Almost all scanning vendors use the same Nessus scanning templates for
scanning and then based on the output generate pci-dss scanning reports.
http://www.tenable.com/products/nessus/ ... t-overview
There are more than 150 pci scanning vendors - McAfee and Comodo Hackerguardian are the most popular. Some merchant providers and merchant banks have
re-seller agreements and require the pci scan to performed from a specific scanning vendor, so they can get additional commissions.
https://www.pcisecuritystandards.org/ap ... endors.php
If your client is not required to use specific scanning vendor they can just use a different scanning vendor and get the same configuration certified with no server side changes.
critical and which can be treated as a non-critical warning. Almost all scanning vendors use the same Nessus scanning templates for
scanning and then based on the output generate pci-dss scanning reports.
http://www.tenable.com/products/nessus/ ... t-overview
There are more than 150 pci scanning vendors - McAfee and Comodo Hackerguardian are the most popular. Some merchant providers and merchant banks have
re-seller agreements and require the pci scan to performed from a specific scanning vendor, so they can get additional commissions.
https://www.pcisecuritystandards.org/ap ... endors.php
If your client is not required to use specific scanning vendor they can just use a different scanning vendor and get the same configuration certified with no server side changes.
Dimi Goranov
Drundo Software Inc.
AbleCommerce Hosting and Management
Email: dgoranov@drundo.com
Ph: 888.464.2140
Drundo Software Inc.
AbleCommerce Hosting and Management
Email: dgoranov@drundo.com
Ph: 888.464.2140