
01-28-2010, 11:59 PM | tegralens | Junior Guru Wannabe | Join Date: Sep 2009 | Posts: 46
Need help to pass PCI scan
This is the scan that I failed that I need to pass. I am running CentOS 5.2 but I don't know much Linux, so please be patient.
It looks like some of these I need to update but don't know how, if someone can explain. The first one I think I don't need because I don't use ezPublish. Thanks everyone.
1. The remote web server is running an application that is vulnerable to a cross site scripting attack. Risk: High. TCP Port: 80
The remote host is using ezPublish, a content management system. There is a flaw in the remote ezPublish which lets an attacker perform a cross site scripting attack. An attacker may use this flaw to steal the cookies of your legitimate users.
Solution: Upgrade to ezPublish 3

2. The remote web server is running an application that is vulnerable to a cross site scripting attack. Risk: High. TCP Port: 443
The remote host is using ezPublish, a content management system. There is a flaw in the remote ezPublish which lets an attacker perform a cross site scripting attack. An attacker may use this flaw to steal the cookies of your legitimate users.
Solution: Upgrade to ezPublish 3

3. The remote name server is affected by a signature validation weakness. Risk: High. UDP Port: 53
According to its version number, the remote installation of BIND does not properly check the return value from the OpenSSL library functions 'EVP_VerifyFinal()' and 'DSA_do_verify()'. A remote attacker may be able to exploit this weakness to spoof answers returned from zones for signature checks on DSA and ECDSA keys used with SSL / TLS.
BIND 9.3.4-P1 appears to be installed on the remote host.
Solution: Upgrade to BIND 9.3.6-P1 / 9.4.3-P1 / 9.5.1-P1 / 9.6.0-P1 or later.

4. The remote database server is affected by multiple vulnerabilities. Risk: High. TCP Port: 3306
The version of MySQL 5.0 installed on the remote host is earlier than 5.0.88 and thus potentially affected by the following vulnerabilities:
- MySQL clients linked against OpenSSL are vulnerable to man-in-the-middle attacks. (Bug #47320)
- The GeomFromWKB() function can be manipulated to cause a denial of service. (Bug #47780)
- Specially crafted SELECT statements containing subqueries in the WHERE clause can cause the server to crash. (Bug #48291)
Installed version: 5.0.81-community
Fixed version: 5.0.88
Solution: Upgrade to MySQL 5.0.88 or later.

01-29-2010, 01:11 AM | neil | Web Hosting Evangelist | Join Date: Jul 2001 | Location: Indianapolis, IN | Posts: 537
It sounds like for the most part your software is just out of date. Assuming you used yum to install bind, apache and mysql, you could probably just run yum update and update the entire system, including the software that's out of date and vulnerable.
I will say this as nicely as I can: if you are trying to pass a PCI scan because you want to process credit cards in some manner, you shouldn't. You've said yourself that you have minimal Linux knowledge; you have no business attempting to administer a machine that needs to pass PCI. I urge you, kindly, to consider hiring a sysadmin or a management company.
__________________
neil MCITP, VCP

01-29-2010, 09:19 AM | tegralens | Junior Guru Wannabe | Join Date: Sep 2009 | Posts: 46
Quote:
Originally Posted by neil
It sounds like for the most part your software is just out of date. Assuming you used yum to install bind, apache and mysql, you could probably just run yum update and update the entire system, including the software that's out of date and vulnerable.
I will say this as nicely as I can: if you are trying to pass a PCI scan because you want to process credit cards in some manner, you shouldn't. You've said yourself that you have minimal Linux knowledge; you have no business attempting to administer a machine that needs to pass PCI. I urge you, kindly, to consider hiring a sysadmin or a management company.
Can I use yum update but only for those specific programs that need updating? I want to learn and not have someone do it for me. I did make a backup of my VPS in case I did something wrong.

01-29-2010, 09:38 AM | zendzipr | Web Hosting Evangelist | Join Date: Jun 2007 | Posts: 500
Quote:
Originally Posted by tegralens
Can I use yum update but only for those specific programs that need updating?
Short answer is yes and no. For software managed by the package repository you can, but not for ezPublish. You will need to download and install the latest version of ezPublish, which is currently v4.
Just an FYI: PCI requires known vulnerabilities to be corrected within 30 days of a patch release. It may be a good idea, while you are learning some admin skills, to take a look at what applications, scripts, programs, etc. you have on your server and see if they have any known vulnerabilities. A good place to get vulnerability details is http://secunia.com/advisories/
__________________
ZZ Servers - Business Hosting, HIPAA and PCI Compliant Hosting Solutions - http://www.zzservers.com
Xen Virtual Private Servers | Dedicated Servers | Shared Hosting
Custom configurations, firewall, VPN, load balancers, private networks and more.
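As an added example, not code from the thread or from any of the posters: the reply above says yum can update the repository-managed packages but not ezPublish, so the script below checks the scanner's findings against installed versions and then updates only the packages the scan named. The findings table is constructed from the versions quoted in the first post; the RPM names bind and mysql-server are assumptions about how the software was installed, and the rpm listing is there to confirm them, since "5.0.81-community" is the naming of MySQL's own community build rather than the CentOS package and may not be updated by the CentOS repositories at all.

```shell
#!/bin/sh
# Added example, not code from the thread. Compares the scanner's findings
# with installed versions and updates only the named packages.
# Assumptions: the RPM names below (bind, mysql-server) are what yum manages
# on this host; adjust them from the `rpm -qa` listing printed further down.

# needs_update INSTALLED FIXED
#   Exit 0 when INSTALLED is older than FIXED, 1 when equal or newer.
#   Versions are split on '.' and '-' and compared field by field,
#   numerically where both fields are numbers (so 81 < 88, and 9.3.4-P1
#   sorts before 9.3.6-P1 even though the 'P1' suffix matches).
needs_update() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "[.-]"); nb = split(b, y, "[.-]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] : ""; q = (i <= nb) ? y[i] : ""
            if (p ~ /^[0-9]+$/ && q ~ /^[0-9]+$/) {
                if (p + 0 != q + 0) exit ((p + 0 < q + 0) ? 0 : 1)
            } else if (p != q) {
                exit ((p < q) ? 0 : 1)
            }
        }
        exit 1
    }'
}

# Findings constructed from the scan output in the first post:
#   <rpm package>  <installed version>  <fixed version>
FINDINGS='
bind          9.3.4-P1          9.3.6-P1
mysql-server  5.0.81-community  5.0.88
'

# packages_to_update
#   Prints the package names whose installed version is below the fix.
packages_to_update() {
    printf '%s\n' "$FINDINGS" | while read -r pkg installed fixed; do
        [ -n "$pkg" ] || continue
        if needs_update "$installed" "$fixed"; then
            printf '%s\n' "$pkg"
        fi
    done
}

# Dry run: show what the scan says must move.
printf '%s\n' "$FINDINGS" | while read -r pkg installed fixed; do
    [ -n "$pkg" ] || continue
    if needs_update "$installed" "$fixed"; then
        echo "$pkg: $installed -> $fixed (update needed)"
    else
        echo "$pkg: $installed already at or past $fixed"
    fi
done

# On the CentOS box itself, as root: confirm who built each package (the
# CentOS packages say CentOS; anything else came from a vendor RPM or a
# third-party repository and yum may not track it), then update just the
# packages from the scan rather than the whole system.
if [ "$(id -u)" -eq 0 ] && command -v rpm >/dev/null 2>&1 \
   && command -v yum >/dev/null 2>&1; then
    rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE} %{VENDOR}\n' | grep -iE 'bind|mysql'
    pkgs=$(packages_to_update | tr '\n' ' ')
    [ -n "$pkgs" ] && yum update $pkgs
fi
```

Two caveats worth knowing before the rescan. ezPublish is not an RPM at all: if it is unused, delete it from the web root rather than leaving an old copy for the scanner to find. And CentOS, like Red Hat, frequently backports security fixes without raising the upstream version number, so a banner-based finding such as "BIND 9.3.4-P1 appears to be installed" can persist after yum update; `rpm -q --changelog bind` shows which CVEs the installed build actually fixes, and that changelog is the evidence to send the scan vendor when disputing the finding.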

01-29-2010, 09:43 AM | neil | Web Hosting Evangelist | Join Date: Jul 2001 | Location: Indianapolis, IN | Posts: 537
__________________
neil MCITP, VCP

01-29-2010, 09:53 AM | tegralens | Junior Guru Wannabe | Join Date: Sep 2009 | Posts: 46
zendzipr:
I don't even use ezPublish, so I think that can be removed.
neil:
Will that update all the programs I mentioned?

01-29-2010, 09:57 AM | zendzipr | Web Hosting Evangelist | Join Date: Jun 2007 | Posts: 500
Quote:
Originally Posted by tegralens
Will that update all the programs I mentioned?
It should. Also, I would recommend closing all unneeded ports such as 3306 and 53. That will fix the problem while you are figuring out the update situation. You should never have 3306 open to the internet, and if you are not acting as a DNS server, 53 is not needed.
On a side note, if you are dealing with credit card payments, you need to move your SQL server to a different server and network. Welcome to PCI.
__________________
ZZ Servers - Business Hosting, HIPAA and PCI Compliant Hosting Solutions - http://www.zzservers.com
Xen Virtual Private Servers | Dedicated Servers | Shared Hosting
Custom configurations, firewall, VPN, load balancers, private networks and more.

01-29-2010, 10:02 AM | tegralens | Junior Guru Wannabe | Join Date: Sep 2009 | Posts: 46
Quote:
Originally Posted by zendzipr
It should. Also, I would recommend closing all unneeded ports such as 3306 and 53. That will fix the problem while you are figuring out the update situation. You should never have 3306 open to the internet, and if you are not acting as a DNS server, 53 is not needed.
On a side note, if you are dealing with credit card payments, you need to move your SQL server to a different server and network. Welcome to PCI.
But I use 3306 to connect from home, which I thought was set to only allow my IP address to remote in, but I guess it's not set up like that. And I do believe it is acting as a DNS server. Now, I use PayPal Pro to do the credit card payments, so maybe I don't need to move SQL to a different server and network.

01-29-2010, 10:06 AM | zendzipr | Web Hosting Evangelist | Join Date: Jun 2007 | Posts: 500
Quote:
Originally Posted by tegralens
But I use 3306 to connect from home.
I still stick by my recommendation. Close 3306. Bypassing security for convenience is not recommended.
Quote:
Originally Posted by tegralens
And I do believe it is acting as a DNS server.
I recommend you move your DNS to another server that does not deal with your payment process.
Quote:
Originally Posted by tegralens
Now, I use PayPal Pro to do the credit card payments, so maybe I don't need to move SQL to a different server and network.
Which SAQ are you filling out?
__________________
ZZ Servers - Business Hosting, HIPAA and PCI Compliant Hosting Solutions - http://www.zzservers.com
Xen Virtual Private Servers | Dedicated Servers | Shared Hosting
Custom configurations, firewall, VPN, load balancers, private networks and more.

01-29-2010, 10:09 AM | tegralens | Junior Guru Wannabe | Join Date: Sep 2009 | Posts: 46
If I close 3306, how can I remote into MySQL?
From Control Scan, is there a specific one?

01-29-2010, 10:12 AM | zendzipr | Web Hosting Evangelist | Join Date: Jun 2007 | Posts: 500
Quote:
Originally Posted by tegralens
If I close 3306, how can I remote into MySQL?
From Control Scan, is there a specific one?
You won't be able to administer it remotely. You will need to do it via the command line.
__________________
ZZ Servers - Business Hosting, HIPAA and PCI Compliant Hosting Solutions - http://www.zzservers.com
Xen Virtual Private Servers | Dedicated Servers | Shared Hosting
Custom configurations, firewall, VPN, load balancers, private networks and more.

01-29-2010, 10:18 AM | tegralens | Junior Guru Wannabe | Join Date: Sep 2009 | Posts: 46
Can't that be blocked to a specific IP address?

01-29-2010, 10:19 AM | zendzipr | Web Hosting Evangelist | Join Date: Jun 2007 | Posts: 500
Quote:
Originally Posted by tegralens
Can't that be blocked to a specific IP address?
I would not recommend it. IPs can be spoofed.
Which SAQ are you filling out?
__________________
ZZ Servers - Business Hosting, HIPAA and PCI Compliant Hosting Solutions - http://www.zzservers.com
Xen Virtual Private Servers | Dedicated Servers | Shared Hosting
Custom configurations, firewall, VPN, load balancers, private networks and more.

01-29-2010, 10:37 AM | tegralens | Junior Guru Wannabe | Join Date: Sep 2009 | Posts: 46
I think it's C, but I am still verifying.

01-29-2010, 10:39 AM | zendzipr | Web Hosting Evangelist | Join Date: Jun 2007 | Posts: 500
Quote:
Originally Posted by tegralens
Can't that be blocked to a specific IP address?
An alternate method that is secure and will allow you to administer remotely is to log in with SSH and use port forwarding.
__________________
ZZ Servers - Business Hosting, HIPAA and PCI Compliant Hosting Solutions - http://www.zzservers.com
Xen Virtual Private Servers | Dedicated Servers | Shared Hosting
Custom configurations, firewall, VPN, load balancers, private networks and more.
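As an added example, not code from the thread or from ZZ Servers, covering both of zendzipr's points in this thread (take 3306 off the internet, then administer MySQL through SSH port forwarding instead of an open port): the script below reports which listeners are reachable from outside, makes the server-side change (mysqld bound to loopback, plus a firewall rule as a second layer) and shows the client-side tunnel. The netstat sample is constructed to resemble the box in the thread; SERVER and ADMIN_USER are placeholders; the service name mysqld is the CentOS package's (MySQL.com RPMs install the init script as mysql).

```shell
#!/bin/sh
# Added example, not from the thread. Three parts:
#   1. exposed_listeners / port_exposed: read `netstat -tuln` output and
#      report sockets bound to every address (reachable from the internet
#      unless a firewall in front of them says otherwise).
#   2. harden_server: bind mysqld to 127.0.0.1 and drop 3306 at the firewall.
#   3. open_tunnel: from home, reach MySQL through SSH port forwarding.
# Placeholders (assumptions): SERVER, ADMIN_USER, the mysqld service name.
SERVER=${SERVER:-vps.example.com}
ADMIN_USER=${ADMIN_USER:-admin}

# exposed_listeners NETSTAT_TEXT
#   Prints "proto port" for every listener whose local address is 0.0.0.0
#   or :: (all interfaces). Loopback-only sockets (127.0.0.1, ::1) are skipped.
exposed_listeners() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(tcp|udp)/ && ($4 ~ /^0\.0\.0\.0:/ || $4 ~ /^:::/) {
            n = split($4, f, ":"); print $1, f[n]
        }'
}

# port_exposed NETSTAT_TEXT PORT
#   Exit 0 when PORT is in the exposed list, 1 otherwise.
port_exposed() {
    exposed_listeners "$1" | awk -v p="$2" '$2 == p { found = 1 } END { exit !found }'
}

# Constructed `netstat -tuln` output for the box in the thread, before and
# after mysqld is moved to loopback (80, 443, 22 and 53 stay as they were).
BEFORE='Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
udp        0      0 0.0.0.0:53                  0.0.0.0:*'
AFTER='Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 127.0.0.1:3306              0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
udp        0      0 0.0.0.0:53                  0.0.0.0:*'

# harden_server (run as root on the CentOS box)
harden_server() {
    # mysqld listens on loopback only; assumes /etc/my.cnf has a [mysqld] section.
    grep -q '^bind-address' /etc/my.cnf || \
        sed -i 's/^\[mysqld\]$/[mysqld]\nbind-address = 127.0.0.1/' /etc/my.cnf
    service mysqld restart
    # Firewall as a second layer: drop 3306 unless it arrived on loopback.
    # Both rules are inserted at the top, so the lo ACCEPT ends up first.
    iptables -I INPUT -p tcp --dport 3306 -j DROP
    iptables -I INPUT -i lo -j ACCEPT
    service iptables save
    # Re-check: 3306 must no longer appear in this list.
    exposed_listeners "$(netstat -tuln)"
}

# open_tunnel (run on the home machine)
#   Local port 3307 is forwarded over SSH to 127.0.0.1:3306 on the server,
#   so only port 22 needs to be reachable and the session is encrypted and
#   authenticated by SSH. Use -h 127.0.0.1, not localhost: the MySQL client
#   treats "localhost" as a request for the local Unix socket, not TCP.
open_tunnel() {
    ssh -f -N -L 3307:127.0.0.1:3306 "$ADMIN_USER@$SERVER"
    mysql -h 127.0.0.1 -P 3307 -u root -p
}

case "${1:-}" in
    harden) harden_server ;;
    tunnel) open_tunnel ;;
    *)  echo "Exposed before:"; exposed_listeners "$BEFORE"
        echo "Exposed after:";  exposed_listeners "$AFTER" ;;
esac
```

Run it with no arguments anywhere to see the before/after report on the constructed sample, `harden` as root on the server, and `tunnel` from home. After hardening, 53 is still in the exposed list, which is correct for a box that really is an authoritative DNS server; the thread's advice is to move that role elsewhere rather than firewall it here. An iptables rule that only admits the home IP is a reasonable extra layer in front of port 22, but it is the SSH tunnel that authenticates the client; a source-address rule by itself only hides the port.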