
Open Admin Tool

RE: OAT Fails PCI Audit [414] [415] [416] [417]

Posted By: John Chauvin
Date: Wednesday, 21 July 2010, at 9:31 a.m.

Thanks, I will see if that will work. There are probably 20 or so failures
for Apache and PHP in the full document, and maybe these will help to
resolve them as well.

John A. Chauvin
Sr. Technical Consultant

> -----Original Message-----
> From: oat-bounces@iiug.org [mailto:oat-bounces@iiug.org] On Behalf Of
> Fernando Nunes
> Sent: Wednesday, July 21, 2010 07:55
> To: oat@iiug.org
> Subject: Re: [Oat] OAT Fails PCI Audit [414] [415] [416] [417]
>
> If I followed your email correctly, the tests made reflect 3 problems:
>
> 1- lack of encryption in the authentication
> 2- PR07-37: XSS on Apache HTTP Server 413 error pages via malformed HTTP method
> 3- Mbedthis AppWeb HTTP TRACE Information Disclosure Vulnerability
> This one looks for another web server, but it probably applies to Apache also.
>
> So, what you need:
>
> 1- Set up encrypted communications between the browser and the HTTP server (Apache). I'm not sure, but I think this was already discussed in these or other mailing lists. I believe it's possible but I never did it with OAT. Maybe OAT specialists want to comment on this.
>
> 2- From the URL you provided, check the solution:
> http://www.securityfocus.com/archive/1/archive/1/484410/100/0/threaded
> Workaround:
>
> Disable Apache's default 413 error pages by adding an 'ErrorDocument 413' statement to the Apache config file.
>
> 3- Check http://httpd.apache.org/docs/2.2/mod/core.html
> Look for the TraceEnable directive and set it to off. This should solve the issue.
>
> So, I think you can easily work around all 3 objections. Maybe 1) is the one which needs more attention.
> There are some links like:
>
> https://www.ibm.com/developerworks/blogs/resources/idsteam/OAT_HTTPS.pdf
>
> that talk about this. It specifically says that the HTTP server included with OAT does not include mod_ssl, needed for HTTPS... so you would probably have to use a separate HTTP server with all the PHP installed...
>
> Nevertheless... I'm wondering if you use encrypted database connections to Informix, or if the tests run simply don't test it?...
>
> Regards.
>
> On Wed, Jul 21, 2010 at 1:15 PM, John Chauvin <John.Chauvin@mediware.com> wrote:
>
> > There are several points that failed.
> > Here are some of them that I gleaned from the report; it's quite long.
> > I would be willing to send the full report to someone on the OAT
> > development team.
> >
> > Web Server Uses Plain-Text Form Based Authentication port 8080/tcp
> > QID: 86728 CVSS Base: - PCI FAILED
> > Category: Web server CVSS Temporal: -
> > CVE ID: -
> > Vendor Reference: -
> > Bugtraq ID: -
> > Service Modified: 05/21/2009
> > User Modified: -
> > Edited: No
> > THREAT:
> > The Web server uses plain-text form based authentication. A web page exists on the target host which uses an HTML login form. This data is sent from the client to the server in plain-text.
> > IMPACT:
> > An attacker with access to the network traffic to and from the target host may be able to obtain login credentials for other users by sniffing the network traffic.
> > SOLUTION:
> > Please contact the vendor of the hardware/software for a possible fix for the issue. For custom applications, ensure that data sent via HTML login forms is encrypted before being sent from the client to the host.
> > COMPLIANCE:
> > Not Applicable
> > RESULTS:
> > GET /openadmin/ HTTP/1.1
> > Host: 10.42.145.85:8080
> > Connection: Keep-Alive
> > <form name="login" action="index.php?act=login&do=dologin"
> > method="post">
> > <table width="100%" border="0">
> > <tr>
> > <td>
> > <input type='radio' class='radiobutton' name='login_admin' value='Login' checked >Login
> > <input type='radio' class='radiobutton' name='login_admin' value='Admin' onClick='redirectToAdmin()'>Admin
> > </td>
> > <td>
> > <script type="text/javascript">
> > function popAboutOAT()
> > {
> > w = window.open( 'index.php?act=help&do=aboutOAT','About OAT','width=450,height=300,resizable=yes,scrollbars=yes');
> > w.focus();
> > }
> > </script>
> > <div align="right">
> > *
> > <a href="javascript:popAboutOAT()">About OAT</a>
> > *
> > <a href="javascript:showDocuments('README.html','readme'); " title="Readme">Readme</a>
> > *
> > <a href="javascript:showDocuments('HOWTO.html','HowDoI'); " title="How Do I?">How Do I?</a>
> > *
> > </div>
> > </td>
> > </tr>
> > </table>
> > <table width="100%" border="0">
> > <tr>
> > <td width="35%" valign="top" colspan="2">
> > <script type ="text/javascript">
> > function resetLoginForm()
> > {
> > document.login.informixserver.value = '';
> > document.login.host.value = '';
> > document.login.port.value = '';
> > document.login.username.value = '';
> > document.login.userpass.value = '';
> > document.login.idsprotocol.value = 'onsoctcp';
> > }
> > function connectgroup()
> > {
> > var group_num = document.login.groups.options[document.login.groups.selectedIndex].value;
> > var group_pass = document.login.grouppass.value;
> > if (window.XMLHttpRequest) {
> > request = new XMLHttpRequest();
> > if (request.overrideMimeType) {
> > request.overrideMimeType('text/html');
> > }
> > } else if (window.ActiveXObject) { // IE
> > try {
> > request = new ActiveXObject("Msxml2.XMLHTTP");
> > } catch (e) {
> > try {
> > request = new ActiveXObject("Microsoft.XMLHTTP");
> > } catch (e) {}
> > }
> > }
> > request.open("POST", "index.php?act=login&do=connectgroup&group_num=" + group_num + "&group_pass=" + escape(group_pass));
> > requ
> >
> > Apache HTTP Server 413 Error HTTP Request Method Cross-Site Scripting Weakness port 8080/tcp
> > QID: 86771 CVSS Base: 4.3 PCI FAILED
> > Category: Web server CVSS Temporal: 3.5
> > CVE ID: CVE-2007-6203
> > Vendor Reference: -
> > Bugtraq ID: 26663
> > Service Modified: 11/21/2008
> > User Modified: -
> > Edited: No
> > THREAT:
> > Apache HTTP servers are prone to a cross-site scripting weakness.
> > The issue occurs when the application fails to sanitize a specially crafted HTTP request method that results in a 413 HTTP error. 413 errors occur when a request entity's data-stream is too large for the server to handle. When a 413 error is encountered, the server returns a page describing what happened.
> > When the error page is displayed, attacker script code will be rendered on the Web page in the context of the application.
> > IMPACT:
> > An attacker may exploit this issue to steal cookie-based authentication credentials and launch other attacks. The link below has more information on the attack:
> > http://www.securityfocus.com/archive/1/archive/1/484410/100/0/threaded
> >
> > Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability port 8080/tcp
> > QID: 86473 CVSS Base: 5.8 PCI FAILED
> > Category: Web server CVSS Temporal: 4.3
> > CVE ID: CVE-2004-2320, CVE-2007-3008
> > Vendor Reference: -
> > Bugtraq ID: -
> > Service Modified: 11/19/2008
> > User Modified: -
> > Edited: No
> > THREAT:
> > A Web server was detected that supports the HTTP TRACE method. This method allows debugging and connection trace analysis for connections from the client to the Web server. Per the HTTP specification, when this method is used, the Web server echoes back the information sent to it by the client unmodified and unfiltered. Microsoft IIS web server uses an alias TRACK for this method, and is functionally the same.
> > A vulnerability related to this method was discovered. A malicious, active component in a Web page can send Trace requests to a Web server that supports this Trace method. Usually, browser security disallows access to Web sites outside of the present site's domain. Although unlikely and difficult to achieve, it's possible, in the presence of other browser vulnerabilities, for the active HTML content to make external requests to arbitrary Web servers beyond the hosting Web server. Since the chosen Web server then echoes back the client request unfiltered, the response also includes cookie-based or Web-based (if logged on) authentication credentials that the browser automatically sent to the specified Web application on the specified Web server.
> > The significance of the Trace capability in this vulnerability is that the active component in the page visited by the victim user has no direct access to this authentication information, but gets it after the target Web server echoes it back as its Trace response.
> > Since this vulnerability exists as a support for a method required by the HTTP protocol specification, most common Web servers are vulnerable. The exact method(s) supported, Trace and/or Track, and their responses are in the Results section below.
> > IMPACT:
> > If this vulnerability is successfully exploited, users of the Web server may lose their authentication credentials for the server and/or for the Web applications hosted by the server to an attacker. This may be the case even if the Web applications are not vulnerable to cross site scripting attacks due to input validation errors.
> >
> > John A. Chauvin
> >
> > > -----Original Message-----
> > > From: oat-bounces@iiug.org [mailto:oat-bounces@iiug.org] On Behalf Of Fernando Nunes
> > > Sent: Tuesday, July 20, 2010 16:41
> > > To: oat@iiug.org
> > > Subject: Re: [Oat] OAT Fails PCI Audit [414] [415]
> > >
> > > What exactly did it fail to pass? PCI is too generic to specify versions of whatever software is used. It merely specifies more or less generic guidelines (some regarding processes, others related to encryption etc.).
> > > My point is: Will a mere update get it through _that_ PCI audit? What of the PCI points did it fail? What concerns were raised?
> > >
> > > OAT can use a separate Apache and PHP installation (although it's harder to set up like that). But I have some doubts that the issues were merely with the versions used...
> > >
> > > Regards.
> > >
> > > On Tue, Jul 20, 2010 at 8:24 PM, JOHN A. CHAUVIN <john.chauvin@mediware.com> wrote:
> > >
> > > > We recently installed IDS 11.50 with OAT 2.27 at a client site. During this they do a PCI audit on all servers and found that the Apache and PHP used by OAT fail the audit.
> > > > Has anyone else seen this?
> > > > Is there a way to update this so it will pass?
> > > > Are there any plans to make OAT use a more current version of Apache and/or PHP so that it will pass security audits?
> > > > Or secure it out of the box?
> > >
> > > --
> > > Fernando Nunes
> > > Portugal
> > >
> > > http://informix-technology.blogspot.com
> > > My email works... but I don't check it frequently...
> > >
>
> --
> Fernando Nunes
> Portugal
>
> http://informix-technology.blogspot.com
> My email works... but I don't check it frequently...
>
>
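The TRACE finding above (QID 86473) and the fix Fernando points at, `TraceEnable off` in the Apache config, can be verified from the outside rather than by reading httpd.conf, which is also how the PCI scanner saw it. The script below is an added example, not code from this thread or from OpenAdmin Tool: it starts two small stand-in servers on the loopback interface, one that honours TRACE by reflecting the request (the behaviour the scanner flagged) and one that answers 405 Method Not Allowed (what Apache returns once TraceEnable is off), then runs a probe that sends TRACE with a canary header and reports whether the canary comes back in the body. The header name `X-XST-Probe`, the canary value, the handler classes and the use of an ephemeral port are all assumptions made for the example.

```python
"""Cross-site tracing (XST) probe: does a web server echo TRACE requests back?

Added example, not part of the IIUG thread or of OpenAdmin Tool. The two
handler classes are constructed stand-ins for a server before and after
'TraceEnable off'; trace_enabled() is the part you would point at a real host.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CANARY_HEADER = "X-XST-Probe"   # assumed name; any header the server would not add itself
CANARY_VALUE = "canary-7f3a"    # constructed value we expect to see reflected


class TraceEchoHandler(BaseHTTPRequestHandler):
    """Stand-in for a server with TRACE enabled (the PCI finding).

    Per the HTTP spec the server reflects the request line and headers in the
    response body, which is what lets script in a browser read a Cookie header
    it otherwise could not see.
    """

    def do_TRACE(self):
        echoed = (self.requestline + "\r\n" + str(self.headers)).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echoed)))
        self.end_headers()
        self.wfile.write(echoed)

    def log_message(self, *args):   # keep the demo quiet
        pass


class TraceDisabledHandler(TraceEchoHandler):
    """Stand-in for the same server after 'TraceEnable off': Apache answers 405."""

    def do_TRACE(self):
        self.send_error(405, "Method Not Allowed")


def trace_enabled(host, port, method="TRACE", timeout=5):
    """Return True if the server reflects our canary header back to us.

    Looking for the canary, not just for a 200 status, avoids false positives
    from servers that answer every method with a generic 200 page. For IIS,
    call again with method="TRACK", the alias the scanner finding mentions.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, "/", headers={CANARY_HEADER: CANARY_VALUE})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1")
        return resp.status == 200 and f"{CANARY_HEADER}: {CANARY_VALUE}" in body
    finally:
        conn.close()


def _serve(handler):
    """Start a handler on an ephemeral loopback port; return the server object."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_demo():
    """Probe both stand-ins; returns {'trace-on': True, 'trace-off': False}."""
    results = {}
    for name, handler in (("trace-on", TraceEchoHandler),
                          ("trace-off", TraceDisabledHandler)):
        srv = _serve(handler)
        try:
            results[name] = trace_enabled(*srv.server_address)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, enabled in run_demo().items():
        verdict = "TRACE echoed back (XST exposure)" if enabled else "TRACE rejected"
        print(f"{name}: {verdict}")
```

Against the OAT host in the scan results this would be `trace_enabled("10.42.145.85", 8080)`; a True result is the same condition the scanner reported, and a 405 after setting `TraceEnable off` in the Apache config Fernando linked is what clears it. The canary check matters because the scanner keys on the reflected request, not on the status code alone, so a server that answers 200 with a static page is not a false positive here, and a server that reflects under TRACK but not TRACE is still caught by a second call with `method="TRACK"`.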

Open Admin Tool is maintained by Administrator with WebBBS 5.12.