Sercurity Metrics Issuses

[wellgolly]

I am having issues on a clients site to where he cannot pass the sercurity metric scan test, which are as followed:They are having problem with the sites log in which when you go to https://oldworldnames.com/index.php and take the "s" out of the https the page shows up without the "s", Can someone point me in the right direction for a fix. The clients site is on a Joomla! 1.0.15 platform. Thanks

Code: Select all

Des cription: gues s ed pas s word to web form: /index.php (admin:admin) S everity:
Critical Problem Impact: An attacker who is able to gues s the pas s word to a us er
account could gain s hell acces s to the s ys tem with the privileges of the us er. From
there it is often trivial to gain complete control of the s ys tem. Res olution Protect all
accounts with a pas s word that cannot be gues s ed. Require us ers to choos e
pas s words which are eight characters long, including numeric and non-alphanumeric
characters , and which are not bas ed on the login name or any other pers onal
information about the us er. Enforce this policy us ing a utility s uch as
[http://www.utexas .edu/cc/unix/s oftware/ npas s wd] npas s wd in place of the default
UNIX pas s wd program. Check the s trength of all account pas s words periodicallyTCP 443 9
using a password cracking utility s uch as [ftp://coas t.cs .purdue.edu/pub/tools /unix
/pwdutils /crack] Crack for Unix. For Cis co 2700 S eries Wireles s Location Appliance,
change the pas s word or mitigate as des cribed in
[http://www.cis co.com/warp/public/707/ci s co-air-20061013-wla.s html] cis co-air-
20061013-wla. Vulnerability Details : S ervice: 443:TCP S ent: POS T /index.php
HTTP/1.0 Hos t: oldworldnames .com Us er-Agent: Mozilla/5.0 Content-length: 194
Content-Type: application/x-www-form-urlencoded Connection: Keep-Alive Cookie:
virtuemart=1a94902355924120e2f2aeb75503d7 60;
3123b2e981cc3a414daab138debda284=-
us ername=admin& pas s wd=admin& remember=yes &
S ubmit=Login& option=login& op2=login& lang=e
nglis h& return=https ://oldworldnames .com/i
ndex.php& mes s age=0& force_s es s ion=1& jc8afe6
6b84049a86fc9f67e325e6c3e8=1 Received: HTTP/1.1 200 OK Did Not Receive:
<meta http-equiv="Content-Type" content="text/html; chars et=is o-8859-1"
/><s cript>alert('Incorrect us ername or pas s word. Pleas e try again.');
window.his tory.go(-1);</s cript> (s aint-3600)
TCP 443 9
Des cription: gues s ed pas s word to web form: /index.php (admin:pas s word) S everity:
Critical Problem Impact: An attacker who is able to gues s the pas s word to a us er
account could gain s hell acces s to the s ys tem with the privileges of the us er. From
there it is often trivial to gain complete control of the s ys tem. Res olution Protect all
accounts with a pas s word that cannot be gues s ed. Require us ers to choos e
pas s words which are eight characters long, including numeric and non-alphanumeric
characters , and which are not bas ed on the login name or any other pers onal
information about the us er. Enforce this policy us ing a utility s uch as
[http://www.utexas .edu/cc/unix/s oftware/ npas s wd] npas s wd in place of the default
UNIX pas s wd program. Check the s trength of all account pas s words periodically
us ing a pas s word cracking utility s uch as [ftp://coas t.cs .purdue.edu/pub/tools /unix
/pwdutils /crack] Crack for Unix. For Cis co 2700 S eries Wireles s Location Appliance,
change the pas s word or mitigate as des cribed in
[http://www.cis co.com/warp/public/707/ci s co-air-20061013-wla.s html] cis co-air-
20061013-wla. Vulnerability Details : S ervice: 443:TCP S ent: POS T /index.php
HTTP/1.0 Hos t: oldworldnames .com Us er-Agent: Mozilla/5.0 Content-length: 197
Content-Type: application/x-www-form-urlencoded Connection: Keep-Alive Cookie:
virtuemart=1a94902355924120e2f2aeb75503d7 60;
3123b2e981cc3a414daab138debda284=-
us ername=admin& pas s wd=pas s word& remember=y
es & S ubmit=Login& option=login& op2=login& lan
g=englis h& return=https ://oldworldnames .co
m/index.php& mes s age=0& force_s es s ion=1& jc8a
fe66b84049a86fc9f67e325e6c3e8=1 Received: HTTP/1.1 200 OK Did Not Receive:
<meta http-equiv="Content-Type" content="text/html; chars et=is o-8859-1"
/><s cript>alert('Incorrect us ername or pas s word. Pleas e try again.');
window.his tory.go(-1);</s cript> (s aint-3600)
TCP 80 http 5
S ynops is : The remote web s erver might transmit credentials in cleartext.
Des cription : The remote web s erver contains s everal HTML form fields containing an
input of type 'pas s word' which transmit their information to a remote web s erver in
cleartext. An attacker eaves dropping the traffic between web brows er and s erver
may obtain logins and pas s words of valid us ers . Solution: Make s ure that every
s ens itive form transmits content over HTTPS . Risk Factor: Medium / CVS S Bas e
S core : 5.0 (CVS S 2#AV:N/AC:L/Au:N/C:P/I:N/A:N) Other references : CWE:522,
CWE:523, CWE:718, CWE:724 (26194)

[mandville]

1. why are you using ssl (and please be specific as to reasons)
2. have you searched the forum for ssl or pci scanning ?
3. there may be special settings with your ecommerce option
4. this is not a security issue it is an administration issue. if you do not understand why, you shouldnt be using ssl

[wellgolly]

It is to used for credit card payments in Virtuemart. This is what he got from securitymetrics.

Hi xxxxxx,

As discussed over the phone I sent a separate email to you containing a copy of the scan results to forward to your web designer. The scan failed for clear text which means that one or more pages is not transmitting sensitive information over https which it does need to do. The second is for guessed passwords/default passwords for account log in, for this you want to ensure that there are no default log in credentials such as admin/admin or password/admin. Once these changes have been down you will want to initiate a new scan.

-- Sincerely,

xxxxxxxx.
SecurityMetrics

[wellgolly]

Also SecurityMetrics is asking why the scan is able to see both of these addresses

http://oldworldnames.com/index.php
https://oldworldnames.com/index.php

When their scan only wants to see https://oldworldnames.com/index.php

---------------------------------------------

I have search and found nothing. Also I have installed and set virtuemart many times and never came up with a problem with a SecurityMetric problem.

[mandville]

in which case you may need to speak to virtuemart to ask them why it is failing the scan.

[wellgolly]

It has nothing to do with virtuemart.....what they are asking is why when the site is secured why is http:// still showing pages instead of just https://

[mandville]

OK. let me try this approach, as you say you have set up numerous virtuemarts (which is your ecommerce suite)
pre amble to this post (the main results you would have got if your search returned results)
* pci compliance scanners are renowned for their inconsitancy accross makes
* most people use a payment gateway or even paypal as storing credit card numbers requires specialist knowledge as different countries have different rules/legal registration requirements

Now from the docs.

Force SSL. This parameter has three options: “None”, “Administrator Only”, and “Entire Site”. Using the appropriate setting, this parameter forces any web browser connections to the administrative “backend”, or to the complete Joomla site, to use the secure HTTP protocol (HTTPS). The “Entire Site” setting is appropriate where security of any web transaction (e.g. e-commerce) is important. Ideally there should also be an appropriate certificate in place to verify the identity of your web site. The “Administrator Only” setting is ideal for enhancing the security of other types of web site as it encrypts “backend” content and passwords that could be put to malicious use if intercepted.
Note: before moving away from the default setting of “None”, it is essential that you check the server delivering your web site is capable of operating in HTTPS mode.

Use an SSL server

This has more to do with secure payments and administration, and is not Joomla! core or server security, but has been included here for advisory purposes.

SSL servers are currently the only way to securely process confidential transactions and secure user authentication. SSL works by encrypting all HTTP communications between the Web server and Web clients. Thus, even if a transmission is intercepted, it cannot be read.

Joomla! 1.0.x does not allow you to assign an SSL server to individual sub-directories. Search the forums for "Tommy Hack" for one way to deal with this. Joomla! 1.5 has greatly improved SSL options.

tommy hack link - http://forum.joomla.org/viewtopic.php?f=35&t=71404

[wellgolly]

Thats all I needed to know. Thank you very much!