Another PBAS PCI compliance fail

Discussion in 'Troubleshooting' started by jacko@, Oct 13, 2009.

  1. jacko@

    jacko@ Mega Poster

    Messages:
    136
    Hello,

    It looks like PBAS also fails various XSS PCI tests... it's complaining about:

    /store/sign_in.php
    /store/plans.php
    /store/sign_in.php/images/sign_in.php

    It's also complaining about Full Path Disclosure; however, that may be a false positive.

    jacko
     
  2. jacko@

    jacko@ Mega Poster

    Messages:
    136
    I thought that the latest update had some PCI fixes? It seems that after the update we've had the PCI problems, which otherwise were fine.

    jacko
     
  3. jacko@

    jacko@ Mega Poster

    Messages:
    136
    Wonder if these in the release notes were meant to address this:

    3225 (267935) PBAS PCI Compliance. Web Application Cross Site Scripting issue has been corrected in the default online store.
    3634 Configure PBAS for the PCI Compliance.
     
  4. jacko@

    jacko@ Mega Poster

    Messages:
    136
    This issue is still ongoing even after talking to Parallels support team.
     
  5. jacko@

    jacko@ Mega Poster

    Messages:
    136
    Support team found 2 additional bugs on Wed 04/11/2009, but, no update since. PBAS is still not PCI compliant.
     
  6. dkolvakh

    dkolvakh Odin Team

    Messages:
    360
    jacko@, default PBAS Online Store is now PCI compliant. KB article http://kb.odin.com/en/6228 will be updated soon with latest fixes.
    Also, all changes which affect PCI compliance will be in PBAS 3.3.3-hf8. ETA of hf8 is the beginning of 2010.
     
  7. jacko@

    jacko@ Mega Poster

    Messages:
    136
    Sorry to say, but, there is now a new PCI fail. ResponseSplitting

    The failure occurs in the store/index.php file.

    You can replicate with something like this (port 443):

    Path /store/index.php
    Query action=view_all_products
    type_id=%20%0d%0AContent-Type%3A%20text/html%0d%0aMcafee%3A%20ResponseSplitting%0d%0AContent-Type%3A%20text/html

    I'll check my old emails to see if I have your email address and send the report to you.

    Thanks,
    jacko
     
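    A defender-side check for the response-splitting finding in the post above, added here as an example and not code from PBAS or from the thread: it percent-decodes query parameters the way the store would, flags any value carrying CR or LF (the scanner's probe from the post is embedded as constructed test input), lists the header lines such a value would inject, and applies the reject-rather-than-clean rule for anything about to be placed in a response header. The sample access log line and all function names are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed copy of the scanner's probe quoted in the post above,
# used here only as test input for the check.
SCAN_QUERY = (
    "action=view_all_products&type_id=%20%0d%0AContent-Type%3A%20text/html"
    "%0d%0aMcafee%3A%20ResponseSplitting%0d%0AContent-Type%3A%20text/html"
)

# Constructed access-log line (assumed combined-log format) for the log check.
SAMPLE_LOG = ('192.0.2.10 - - [13/Oct/2009:10:00:00 +0100] "GET /store/index.php'
              '?action=view_all_products&type_id=%20%0d%0AMcafee%3A%20x HTTP/1.1" 200 512')

def has_crlf(value: str) -> bool:
    """True if a decoded value contains CR or LF, the bytes that let a
    parameter break out of one HTTP header line into the next."""
    return "\r" in value or "\n" in value

def find_header_injection(query: str) -> dict:
    """Map each parameter whose decoded value contains CR/LF to that value.
    parse_qs percent-decodes, so %0d%0A arrives here as '\\r\\n'."""
    params = parse_qs(query, keep_blank_values=True)
    return {k: v for k, vals in params.items() for v in vals if has_crlf(v)}

def injected_headers(value: str) -> list:
    """Header lines a CR/LF-bearing value would add to the response;
    useful when triaging what a scan actually tried to inject."""
    return [ln.strip() for ln in re.split(r"\r\n|\r|\n", value) if ln.strip()]

def safe_header_value(value: str) -> str:
    """Reject, rather than strip, a value destined for a response header
    (for example a Location built from type_id)."""
    if has_crlf(value):
        raise ValueError("CR/LF in header value")
    return value

def is_crlf_probe(log_line: str) -> bool:
    """Flag raw request lines that carry an encoded CR or LF in the query."""
    return re.search(r"%0[aAdD]", log_line) is not None
```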
  8. dkolvakh

    dkolvakh Odin Team

    Messages:
    360
    jacko@, I've sent you my email, please send me back your PCI scan results. Thank you in advance, this will help us a lot.
     
  9. jacko@

    jacko@ Mega Poster

    Messages:
    136
    Hello,

    I didn't receive your email for some reason. We last spoke in ticket #791530 ... perhaps you can re-open and I will send report there. Alternatively I can send to your hotmail address if you use it.

    jacko
     
  10. jacko@

    jacko@ Mega Poster

    Messages:
    136
    Not heard anything back... what do you suggest we do? Who can we send this to?
     
  11. jacko@

    jacko@ Mega Poster

    Messages:
    136
    PBAS is not PCI compliant and therefore useless for processing online payments. This is unfortunate as I am sure many prospective customers would want that functionality.
     
  12. dkolvakh

    dkolvakh Odin Team

    Messages:
    360
    Sorry for the delay in answering.
    jacko@, I sent my email via personal message system on this forum, you can see it there: http://forum.parallels.com/private.php?s=&pp=&folderid=0

    By the way, you can create a new ticket in Parallels Support.
     