Ubuntu 18.04, ISPConfig 3.1.13 multiserver. We have a client who is trying to get PCI compliance. He takes card payments using PayPal; the checkout process redirects the user to PayPal's own site to take payments, so no card details are stored on our server. Due to this, I believe he is already PCI compliant. He has been told, however, that he will be blocked from taking card payments unless his website is tested as fully PCI compliant. To this end, a security firm has been running compliance tests against one of our servers, and has come back with a few issues on which it fails (phpMyAdmin version less than 4.8.3 etc., their IP getting blocked during port scanning etc.; mostly easy fixes), apart from one. Our server fails PCI compliance due to the jQuery version. The full failure details are:

JQuery 1.x < 1.12.0 / 2.x < 2.2.0 XSS
PCI COMPLIANCE STATUS
PCI Severity Level: MED FAIL
VULNERABILITY DETAILS
CVSS Base Score: 4.3
ID 12707722
Category: CGI abuses: XSS
CVE ID: CVE-2015-9251
THREAT: The remote web server is affected by a cross site scripting vulnerability.
IMPACT: According to the self-reported version in the script, the version of JQuery hosted on the remote web server is 1.x prior to 1.12.0 or 2.x prior to 2.2.0. It is, therefore, affected by a cross site scripting vulnerability when using location.host to select elements.
SOLUTION: Upgrade to JQuery version 1.12.0 or later.
RESULT:
URL: https://********:8080/js/jquery.min.js
Installed version : 2.1.3
Fixed version : 2.2.0

So my questions are: how easy is it to change the jQuery that ISPConfig uses? What problems will it cause? And, assuming it won't cause massive problems, exactly how would I change it? It would be nice to get the server verified as PCI compliant anyway, and if I can get it done, I can create an article on what changes had to be made after following the Perfect Server tutorials to achieve compliance, as I'm sure I'm not the only one who'd want that.
I guess you should be able to drop in a new version by replacing that file. ISPConfig does not use location.host to select elements, so it is not affected by that problem, but I will look into that to update the lib in the stable branch as well.

That would be great!
When you say replace that file, do you mean literally download the latest version (http://code.jquery.com/jquery-2.2.4.min.js), rename it to jquery.min.js and overwrite the existing file in /usr/local/ispconfig/interface/web/js/? Just want to make absolutely 100% sure; I've not messed about with jQuery at all before and don't want to fubar my server.
Yes, that's what I would try. Just rename the old one and drop in the new one; if it does not work, then just copy the old one back. We don't use any fancy things from jQuery, so I guess it should be OK to just drop in the newer version.
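The "rename the old one, drop in the new one, copy the old one back if it breaks" procedure from the two posts above, as an added example that is not code from the thread or from ISPConfig. It is a POSIX shell script that reads the version banner at the top of jquery.min.js (the "self-reported version in the script" that the scan finding keys on), compares dotted versions numerically, applies the 1.12.0 / 2.2.0 thresholds quoted in the finding, and swaps the file in with a timestamped backup while refusing an accidental downgrade. The file paths in the usage comment are assumptions; the banner strings in the demo are constructed test input in the format real jQuery releases use. Before swapping in a downloaded copy, compare it against the checksum the jQuery project publishes for that release.

```shell
#!/bin/sh
# Added example, not from the thread or from ISPConfig: replace a bundled
# jquery.min.js with a newer copy, keeping a backup for rollback, and check the
# self-reported version the scan finding keys on. Paths in the usage line are
# assumptions:
#   swap_jquery /usr/local/ispconfig/interface/web/js/jquery.min.js /tmp/jquery-2.2.4.min.js

# Print the version from jQuery's banner comment ("/*! jQuery v2.1.3 | ..."),
# which is the "self-reported version" the scanner reads; prints nothing if absent.
jquery_version() {
    head -c 512 "$1" 2>/dev/null | grep -oE 'jQuery v[0-9]+(\.[0-9]+)+' | head -n 1 | sed 's/^jQuery v//'
}

# Return 0 if dotted version $1 >= $2, comparing component by component
# (so 1.12.0 >= 1.9.1, which a plain string comparison would get wrong).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Apply the thresholds quoted in the scan finding: 1.x must be >= 1.12.0 and
# 2.x must be >= 2.2.0. Other major versions are outside that finding's range.
jquery_fixed() {
    v=$(jquery_version "$1")
    [ -n "$v" ] || return 1
    case $v in
        1.*) version_ge "$v" 1.12.0 ;;
        2.*) version_ge "$v" 2.2.0 ;;
        *)   return 0 ;;
    esac
}

# Replace installed file $1 with $2 after copying $1 to $1.bak-<timestamp>.
# Refuses if $2 carries no jQuery banner or is older than what is installed,
# so a stray file cannot silently downgrade the library.
swap_jquery() {
    old=$1; new=$2
    oldv=$(jquery_version "$old"); newv=$(jquery_version "$new")
    [ -n "$newv" ] || { echo "no jQuery banner found in $new" >&2; return 1; }
    if [ -n "$oldv" ] && ! version_ge "$newv" "$oldv"; then
        echo "refusing: $newv is older than installed $oldv" >&2
        return 1
    fi
    cp -p "$old" "$old.bak-$(date +%Y%m%d%H%M%S)" && cp "$new" "$old"
}

# Stand-alone demonstration on constructed files carrying real-looking banners.
demo() {
    d=$(mktemp -d)
    printf '/*! jQuery v2.1.3 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/license */\n' > "$d/jquery.min.js"
    printf '/*! jQuery v2.2.4 | (c) jQuery Foundation | jquery.org/license */\n' > "$d/jquery-2.2.4.min.js"
    echo "installed: $(jquery_version "$d/jquery.min.js")"
    jquery_fixed "$d/jquery.min.js" && echo "passes finding" || echo "fails finding"
    swap_jquery "$d/jquery.min.js" "$d/jquery-2.2.4.min.js"
    echo "now: $(jquery_version "$d/jquery.min.js")"
    jquery_fixed "$d/jquery.min.js" && echo "passes finding" || echo "fails finding"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it with "sh script.sh demo" to see the check fail on the 2.1.3 banner and pass after the swap. Rolling back is a matter of copying the .bak-<timestamp> file over jquery.min.js again, which is exactly the fallback the reply above suggests.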
OK. I've done that, and everything looks OK so far; not noticed anything strange yet, no errors showing up. Hopefully the only remaining issue blocking PCI compliance is a weak SHA-1 algorithm used to sign the Digicert_Global_Root_CA certificate, but I can't seem to find a newer version of it. The latest one I can find on their website is the same one installed on our server.
Just to update on this: I believe the certificate issue is fixed now, but there was an issue with a phpMyAdmin XSS vulnerability in CGI scripts, even with the latest version 4.8.5. It only shows up on ports 80 and 443 though, not 8080, which is unexpected. Since finding that, I've made some changes that hopefully fix it, but I've been unable to get new scan reports; I've requested several times but no reply. I'll keep trying. Their best suggestion so far is to remove phpMyAdmin, which is not really a viable option, and other companies seem to have solved the issue; I know Krystal Hosting provide phpMyAdmin and claim 100% PCI compliance. I've also installed net2ftp on the server since the last scan, so I'm hoping that doesn't create any new issues. I still plan to create an article on it if I can actually get a response and confirm the server's PCI compliance.
OK, I've finally got a report back for a new PCI scan. phpMyAdmin got the all clear, although I'd changed the path to /dbadmin; I've changed it back again now and am waiting to find out whether /phpmyadmin isn't something they generally just reject. One thing still getting flagged up as a fail is the / folder being browsable on port 8081, which has the vhost conf below. Now, I've removed mod_php from Apache anyway, so those sections shouldn't matter, but to make sure, am I OK to change the lines:

Options FollowSymLinks

to

Options +FollowSymLinks -Indexes

and

Options +Indexes +FollowSymLinks +MultiViews +ExecCGI
AllowOverride AuthConfig Indexes Limit Options FileInfo

to

Options -Indexes +FollowSymLinks +MultiViews +ExecCGI
AllowOverride AuthConfig Limit Options FileInfo

Obviously I'd need to change it by copying /usr/local/ispconfig/server/conf/apache_apps.vhost.master to ../conf-custom and editing that. Just want to make sure that nothing anywhere else expects to be able to browse/list the folder and breaks if I make this change.

Code:
<IfModule mod_php5.c>
  DocumentRoot /var/www/apps
  AddType application/x-httpd-php .php
  <Directory /var/www/apps>
    Options FollowSymLinks
    AllowOverride None
    Require all granted
  </Directory>
</IfModule>
<IfModule mod_php7.c>
  DocumentRoot /var/www/apps
  AddType application/x-httpd-php .php
  <Directory /var/www/apps>
    Options FollowSymLinks
    AllowOverride None
    Require all granted
  </Directory>
</IfModule>
<IfModule mod_fcgid.c>
  DocumentRoot /var/www/apps
  SuexecUserGroup ispapps ispapps
  <Directory /var/www/apps>
    Options +Indexes +FollowSymLinks +MultiViews +ExecCGI
    AllowOverride AuthConfig Indexes Limit Options FileInfo
    <FilesMatch "\.php$">
      SetHandler fcgid-script
    </FilesMatch>
    FCGIWrapper /var/www/php-fcgi-scripts/apps/.php-fcgi-starter .php
    Require all granted
  </Directory>
</IfModule>
Just to update on this: our configuration is based on the Ubuntu 18.04 Perfect Server tutorial. There are a number of changes applied beyond the tutorial, a lot of which are irrelevant to PCI compliance, but some of which do affect it. There are also still some issues, e.g. net2ftp will not pass PCI compliance, so it is disabled for now, and it seems that even the latest phpMyAdmin 4.8.5 will fail when on /phpmyadmin but passes when on e.g. /dbadmin. But the server has now successfully passed PCI compliance testing. I'll try to collate all the changes I made beyond the tutorials and then the changes to get it compliant, and get it all together as an article over the next couple of days.
Hi, with PayPal you are using a hosted payment page, and in this case your infrastructure doesn't need PCI compliance. But you need your infrastructure and software to be up to date. Best regards