PCI compliance issues

(7 posts) (2 voices)


  1. labber, Member

    Hello, we're currently failing a PCI scan because of the issues below. I've added "Header always append X-Frame-Options SAMEORIGIN" to my Apache config but it does not appear in the response headers when visiting the site. I have no idea regarding the CSRF but if you feel it's a false positive could you please explain why so I may challenge it.

    Click Jacking

    Reference ID: http-generic-click-jacking
    Reference Type: nexpose
    Brief Description: Clickjacking, also known as a UI redress attack, is a method in which an
    attacker uses multiple transparent or opaque layers to trick a user into
    clicking a button or link on a page other than the one they believe they are
    clicking. Thus, the attacker is "hijacking" clicks meant for one page
    and routing the user to an illegitimate page.

    References:

    https://www.owasp.org/index.php/Clickjacking

    Evidence:

    Running HTTPS service

    HTTP response code was an expected 200

    HTTP request to

    https://reports.primetimesolutions.net/index.php?a=login

    HTTP header 'X-Frame-Options' not present

    HTTP header 'X-Frame-Options' not present

    Status: vulnerable-exploited

    Unauthenticated Form Is Vulnerable To CSRF

    Reference ID: spider-unauthenticated-form-csrf-vuln
    Reference Type: nexpose
    Brief Description: Cross-site request forgery vulnerabilities in unauthenticated forms can enable
    attacks such as login CSRF and distributed DoS attacks.

    This is a flaw under the category A5 in the OWASP Top Ten.

    References:

    https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
    https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet

    Evidence:

    Vulnerable form myform found at:

    https://reports.primetimesolutions.net/login.php

    Status: potential

  2. myDBR Team, Key Master

    Hi,
    you should check your Apache configuration. The "Header always append X-Frame-Options SAMEORIGIN" should give you the header option. In your site it seems to be present when accessing the login.php page, but not the actual login page. You can also set the header in .htaccess if you like (or in defaults.php in newer myDBR builds).

    The CSRF warning seems to be caused by the extra JavaScript (related to newrelic.com) that your server is adding to myDBR page. This is not myDBR code, but external code included by your own web server.

    --
    myDBR Team

  3. labber, Member

    The CSRF issue shows the form "myform" as evidence of the issue. When I go to that page it is a MyDBR form.

    <form id="myform" action="index.php?a=login" method="post">
      <p>
        mydbr
        <input type="hidden" name="app" value="login" id="appid">
        <input type="submit" value="Continue with login →">
      </p>
    </form>

    Can I just remove the login.php file or is it used somewhere?

  4. labber, Member

    Also can you let me know what I'd have to add to the defaults.php file to have it pass that in the head. Also, is there any way to set httponly and secure for the cookie to true?

  5. myDBR Team, Key Master

    Hi,
    the file is actually just a static HTML and actually used just with old myDBR versions. If you want to be sure, you can change the file to contain following code:

    <!DOCTYPE html>
    <html>
      <head>
        <meta charset="UTF-8">
        <title>myDBR login</title>
      </head>
      <body>
        <p><a href="index.php">Not done yet?</a></p>
      </body>
    </html>

    We'll include the change in the next build.

  6. labber, Member

    Can you also help me with the other question.

    Also can you let me know what I'd have to add to the defaults.php file to have it pass that in the head. Also, is there any way to set httponly and secure for the cookie to true?

  7. myDBR Team, Key Master

    Also can you let me know what I'd have to add to the defaults.php file to have it pass that in the head.

    mydbr/user/defaults.php is a file that is used to override the default distribution definitions in mydbr/defaults.php which is overridden in updates.

    If you update to a recent build, you will find an array "header_cache" defined. You can override this in mydbr/user/defaults.php and add 'X-Frame-Options: SAMEORIGIN' into the array (redefine the array with the added header).

    The best place to put this definition is in the web server configuration file. You can also create a .htaccess file (if not present) in the top level of myDBR and add the following lines to it:

    <ifModule mod_headers.c>
    Header always append X-Frame-Options SAMEORIGIN
    </ifModule>

    Also, is there any way to set httponly and secure for the cookie to true?

    Run the updater to get the latest build. It has httponly on by default. If you want to have secure-only cookies, add the following line to mydbr/user/defaults.php.

    $mydbr_defaults['cookie']['secure_only'] = true;

    (Note that it is usually just simpler to allow only HTTPS connections)

    --
    myDBR Team
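A defender-side check for the two scan findings in this thread, written as an added example (not myDBR's or the poster's code): it parses a raw HTTP response and reports a missing or merged X-Frame-Options header and cookies without HttpOnly/Secure. It assumes the captured response text is available as a string; the sample responses inside it are constructed.

```python
# Added example (not myDBR's code): audit a raw HTTP response; samples are constructed.
def parse_headers(raw):
    """Split a raw HTTP/1.x response into (status line, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def check_clickjacking(headers):
    """Findings for X-Frame-Options: missing, unknown value, or merged values."""
    values = [v for n, v in headers if n == "x-frame-options"]
    if not values:
        return ["X-Frame-Options missing: the clickjacking finding stays open"]
    findings = []
    for v in values:
        parts = [p.strip().upper() for p in v.split(",")]
        if len(parts) > 1:  # 'Header append' merged onto a header the app sent
            findings.append(f"X-Frame-Options has merged values {v!r}; use 'set'")
        for p in parts:
            if p not in ("DENY", "SAMEORIGIN"):
                findings.append(f"X-Frame-Options value {p!r} is not DENY/SAMEORIGIN")
    return findings

def check_cookies(headers):
    """Findings for Set-Cookie headers lacking HttpOnly or Secure."""
    findings = []
    for n, v in headers:
        if n != "set-cookie":
            continue
        cookie = v.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in v.split(";")[1:]}
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append(f"cookie {cookie} lacks {flag}")
    return findings

def audit(raw):
    """All findings for one raw response; an empty list means it passes."""
    _, headers = parse_headers(raw)
    return check_clickjacking(headers) + check_cookies(headers)

# Constructed responses: one as the failing scan would see it, one fixed.
SAMPLE_BAD = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
              "Set-Cookie: PHPSESSID=abc123; path=/\r\n\r\n<html>")
SAMPLE_GOOD = ("HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n"
               "Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly; Secure\r\n\r\n")
```

The merged-value case matters here: if PHP already emits X-Frame-Options, "Header always append" produces "SAMEORIGIN, SAMEORIGIN", while "Header always set" replaces it cleanly.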

