
Open Admin Tool

RE: OAT Fails PCI Audit [414] [415]

Posted By: John Chauvin
Date: Wednesday, 21 July 2010, at 8:15 a.m.

There are several points that failed.
Here are some of them that I gleaned from the report; it's quite long.
I would be willing to send the full report to someone on the OAT
development team.

Web Server Uses Plain-Text Form Based Authentication port 8080/tcp
QID: 86728 CVSS Base: - PCI FAILED
Category: Web server CVSS Temporal: -
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Service Modified: 05/21/2009
User Modified: -
Edited: No
THREAT:
The Web server uses plain-text form based authentication. A web page exists on the target host which uses an HTML login form. This data is sent from the client to the server in plain-text.
IMPACT:
An attacker with access to the network traffic to and from the target host may be able to obtain login credentials for other users by sniffing the network traffic.
SOLUTION:
Please contact the vendor of the hardware/software for a possible fix for the issue. For custom applications, ensure that data sent via HTML login forms is encrypted before being sent from the client to the host.
COMPLIANCE:
Not Applicable
RESULTS:
GET /openadmin/ HTTP/1.1
Host: 10.42.145.85:8080
Connection: Keep-Alive
<form name="login" action="index.php?act=login&do=dologin" method="post">
<table width="100%" border="0">
<tr>
<td>
<input type='radio' class='radiobutton' name='login_admin' value='Login' checked >Login
<input type='radio' class='radiobutton' name='login_admin' value='Admin' onClick='redirectToAdmin()'>Admin
</td>
<td>
<script type="text/javascript">
function popAboutOAT()
{
w = window.open( 'index.php?act=help&do=aboutOAT','About OAT','width=450,height=300,resizable=yes,scrollbars=yes');
w.focus();
}
</script>
<div align="right">
*
<a href="javascript:popAboutOAT()">About OAT</a>
*
<a href="javascript:showDocuments('README.html','readme'); " title="Readme">Readme</a>
*
<a href="javascript:showDocuments('HOWTO.html','HowDoI'); " title="How Do I?">How Do I?</a>
*
</div>
</td>
</tr>
</table>
<table width="100%" border="0">
<tr>
<td width="35%" valign="top" colspan="2">
<script type ="text/javascript">
function resetLoginForm()
{
document.login.informixserver.value = '';
document.login.host.value = '';
document.login.port.value = '';
document.login.username.value = '';
document.login.userpass.value = '';
document.login.idsprotocol.value = 'onsoctcp';
}
function connectgroup()
{
var group_num = document.login.groups.options[document.login.groups.selectedIndex].value;
var group_pass = document.login.grouppass.value;
if (window.XMLHttpRequest) {
request = new XMLHttpRequest();
if (request.overrideMimeType) {
request.overrideMimeType('text/html');
}
} else if (window.ActiveXObject) { // IE
try {
request = new ActiveXObject("Msxml2.XMLHTTP");
} catch (e) {
try {
request = new ActiveXObject("Microsoft.XMLHTTP");
} catch (e) {}
}
}
request.open("POST", "index.php?act=login&do=connectgroup&group_num=" + group_num + "&group_pass=" + escape(group_pass));
requ

Apache HTTP Server 413 Error HTTP Request Method Cross-Site Scripting Weakness port 8080/tcp
QID: 86771 CVSS Base: 4.3 PCI FAILED
Category: Web server CVSS Temporal: 3.5
CVE ID: CVE-2007-6203
Vendor Reference: -
Bugtraq ID: 26663
Service Modified: 11/21/2008
User Modified: -
Edited: No
THREAT:
Apache HTTP servers are prone to a cross-site scripting weakness.
The issue occurs when the application fails to sanitize a specially crafted HTTP request method that results in a 413 HTTP error. 413 errors occur when a request entity's data-stream is too large for the server to handle. When a 413 error is encountered, the server returns a page describing what happened.
When the error page is displayed, attacker script code will be rendered on the Web page in the context of the application.
IMPACT:
An attacker may exploit this issue to steal cookie-based authentication credentials and launch other attacks. The link below has more information on the attack:
http://www.securityfocus.com/archive/1/archive/1/484410/100/0/threaded

Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability port 8080/tcp
QID: 86473 CVSS Base: 5.8 PCI FAILED
Category: Web server CVSS Temporal: 4.3
CVE ID: CVE-2004-2320, CVE-2007-3008
Vendor Reference: -
Bugtraq ID: -
Service Modified: 11/19/2008
User Modified: -
Edited: No
THREAT:
A Web server was detected that supports the HTTP TRACE method. This method allows debugging and connection trace analysis for connections from the client to the Web server. Per the HTTP specification, when this method is used, the Web server echoes back the information sent to it by the client unmodified and unfiltered. Microsoft IIS web server uses an alias TRACK for this method, and is functionally the same.
A vulnerability related to this method was discovered. A malicious, active component in a Web page can send Trace requests to a Web server that supports this Trace method. Usually, browser security disallows access to Web sites outside of the present site's domain. Although unlikely and difficult to achieve, it's possible, in the presence of other browser vulnerabilities, for the active HTML content to make external requests to arbitrary Web servers beyond the hosting Web server. Since the chosen Web server then echoes back the client request unfiltered, the response also includes cookie-based or Web-based (if logged on) authentication credentials that the browser automatically sent to the specified Web application on the specified Web server.
The significance of the Trace capability in this vulnerability is that the active component in the page visited by the victim user has no direct access to this authentication information, but gets it after the target Web server echoes it back as its Trace response.
Since this vulnerability exists as a support for a method required by the HTTP protocol specification, most common Web servers are vulnerable. The exact method(s) supported, Trace and/or Track, and their responses are in the Results section below.
IMPACT:
If this vulnerability is successfully exploited, users of the Web server may lose their authentication credentials for the server and/or for the Web applications hosted by the server to an attacker. This may be the case even if the Web applications are not vulnerable to cross site scripting attacks due to input validation errors.

John A. Chauvin

> -----Original Message-----
> From: oat-bounces@iiug.org [mailto:oat-bounces@iiug.org] On Behalf Of
> Fernando Nunes
> Sent: Tuesday, July 20, 2010 16:41
> To: oat@iiug.org
> Subject: Re: [Oat] OAT Fails PCI Audit [414] [415]
>
> What exactly did it fail to pass? PCI is too generic to specify versions of
> whatever software is used. It merely specifies more or less generic
> guidelines (some regarding processes, others related to encryption etc.).
> My point is: Will a mere update get it through _that_ PCI audit? Which of the
> PCI points did it fail? What concerns were raised?
>
> OAT can use a separate Apache and PHP installation (although it's harder to
> set up like that). But I have some doubts that the issues were merely with
> the versions used...
>
> Regards.
>
> On Tue, Jul 20, 2010 at 8:24 PM, JOHN A. CHAUVIN
> <john.chauvin@mediware.com> wrote:
>
> > We recently installed IDS 11.50 with OAT 2.27 at a client site. During this
> > they do a PCI Audit on all servers and found that the Apache and PHP used
> > by OAT fails the audit.
> > Has anyone else seen this?
> > Is there a way to update this so it will pass?
> > Are there any plans to make OAT use a more current version of Apache and/or
> > PHP so that it will pass security audits?
> > Or secure it out of the box?
>
> --
> Fernando Nunes
> Portugal
>
> http://informix-technology.blogspot.com
> My email works... but I don't check it frequently...
>
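The three findings quoted above are all things you can re-test yourself before and after hardening the OAT web server, without waiting for the next paid scan. The Python below is an added example, not code from the original post, from OAT or from the scanner vendor; the helper names (`plaintext_login_forms`, `trace_reflected`, `method_reflected_in_413`, `probe_live`) are hypothetical, and the sample login page, TRACE echo and 413 body are constructed to match the shapes described in the report rather than captured from the host in it. Each check mirrors the reasoning in the corresponding QID: a password form whose action resolves to a non-https URL is sent in clear; a 200 response to TRACE that contains a header we sent proves the server reflects request headers (and so would reflect a browser's Cookie); and a 413 page that contains the attacker-chosen request method verbatim is the CVE-2007-6203 reflection.

```python
"""Offline re-check of the three PCI scanner findings (added example)."""
import http.client
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormFinder(HTMLParser):
    """Collect [action, has_password_field] for every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def plaintext_login_forms(page_url, html):
    """QID 86728: actions of forms that post a password field over http://.

    The OAT login form posts relative to the page it was served from, so a
    page fetched from http://host:8080 sends the credentials in clear.
    """
    finder = _FormFinder()
    finder.feed(html)
    return [
        urljoin(page_url, action)
        for action, has_pw in finder.forms
        if has_pw and urlparse(urljoin(page_url, action)).scheme != "https"
    ]


def trace_reflected(status, body, marker):
    """QID 86473: TRACE is usable for XST if the server echoes the request.

    `marker` is a value we placed in a request header; a 200 whose body
    contains it means request headers (Cookie included) come straight back.
    """
    return status == 200 and marker in body


def method_reflected_in_413(status, body, method):
    """CVE-2007-6203: an unpatched 413 page echoes the request method raw.

    A fixed server either rejects the bogus method (501/400) or escapes it,
    so the literal method string no longer appears in the body.
    """
    return status == 413 and method in body


def probe_live(host, port, path="/openadmin/"):
    """GET and TRACE probes against a real host (not exercised offline)."""
    marker = "xst-probe-7f3a"  # arbitrary, hypothetical header value
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    page = resp.read().decode("utf-8", "replace")
    conn.request("TRACE", "/", headers={"X-Xst-Probe": marker})
    resp = conn.getresponse()
    echo = resp.read().decode("utf-8", "replace")
    conn.close()
    return {
        "plaintext_forms": plaintext_login_forms(f"http://{host}:{port}{path}", page),
        "trace": trace_reflected(resp.status, echo, marker),
    }


# ---- Constructed samples (not captured from the host in the report) ----
OAT_LOGIN_PAGE = """
<form name="login" action="index.php?act=login&do=dologin" method="post">
  <input type='text' name='username'>
  <input type='password' name='userpass'>
</form>
"""
MARKER = "xst-probe-7f3a"
TRACE_ECHO = ("TRACE / HTTP/1.1\r\nHost: 10.42.145.85:8080\r\n"
              f"X-Xst-Probe: {MARKER}\r\nCookie: PHPSESSID=deadbeef\r\n\r\n")
BOGUS_METHOD = "<script>alert(1)</script>"
# Shape of Apache's stock 413 text with the method spliced in unescaped.
PAGE_413 = ("<p>The requested resource<br />/<br />does not allow request "
            f"data with {BOGUS_METHOD} requests, or the amount of data "
            "provided in the request exceeds the capacity limit.</p>")


def run_samples():
    """Evaluate the three checks on the constructed samples."""
    return {
        "plaintext_forms": plaintext_login_forms(
            "http://10.42.145.85:8080/openadmin/", OAT_LOGIN_PAGE),
        "forms_over_tls": plaintext_login_forms(
            "https://10.42.145.85:8443/openadmin/", OAT_LOGIN_PAGE),
        "trace_open": trace_reflected(200, TRACE_ECHO, MARKER),
        "trace_disabled": trace_reflected(405, "Method Not Allowed", MARKER),
        "xss_413": method_reflected_in_413(413, PAGE_413, BOGUS_METHOD),
        "xss_413_fixed": method_reflected_in_413(501, "Not Implemented", BOGUS_METHOD),
    }


if __name__ == "__main__":
    for name, value in run_samples().items():
        print(f"{name}: {value}")
```

On the remediation side, the first two findings are configuration, not version: serve OAT only over TLS (an Apache `<VirtualHost>` with `SSLEngine on`, and a plain-HTTP listener that only issues a `Redirect` to the https URL) so the form action resolves to https, and put `TraceEnable off` in httpd.conf so the TRACE probe returns 405 instead of an echo. The 413 reflection is a code fix in Apache itself, so the bundled httpd has to be upgraded to a release that addresses CVE-2007-6203 (or replaced with a separately maintained Apache/PHP, as Fernando notes OAT allows); an `ErrorDocument 413` pointing at a static page is only a stopgap. Re-running the checks above after each change tells you which finding you have actually closed.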


Open Admin Tool is maintained by Administrator with WebBBS 5.12.