The Joomla! Forum ™



Forum rules


Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.



Post new topic Reply to topic  [ 8 posts ] 
Author Message
PostPosted: Tue Mar 20, 2012 3:38 pm 
Joomla! Intern
Joomla! Intern

Joined: Sat Feb 13, 2010 1:16 pm
Posts: 70
I am having issues on a clients site to where he cannot pass the sercurity metric scan test, which are as followed:They are having problem with the sites log in which when you go to https://oldworldnames.com/index.php and take the "s" out of the https the page shows up without the "s", Can someone point me in the right direction for a fix. The clients site is on a Joomla! 1.0.15 platform. Thanks


Code:
Des cription: gues s ed pas s word to web form: /index.php (admin:admin) S everity:
Critical Problem Impact: An attacker who is able to gues s the pas s word to a us er
account could gain s hell acces s to the s ys tem with the privileges of the us er. From
there it is often trivial to gain complete control of the s ys tem. Res olution Protect all
accounts with a pas s word that cannot be gues s ed. Require us ers to choos e
pas s words which are eight characters long, including numeric and non-alphanumeric
characters , and which are not bas ed on the login name or any other pers onal
information about the us er. Enforce this policy us ing a utility s uch as
[http://www.utexas .edu/cc/unix/s oftware/ npas s wd] npas s wd in place of the default
UNIX pas s wd program. Check the s trength of all account pas s words periodicallyTCP 443 9
using a password cracking utility s uch as [ftp://coas t.cs .purdue.edu/pub/tools /unix
/pwdutils /crack] Crack for Unix. For Cis co 2700 S eries Wireles s Location Appliance,
change the pas s word or mitigate as des cribed in
[http://www.cis co.com/warp/public/707/ci s co-air-20061013-wla.s html] cis co-air-
20061013-wla. Vulnerability Details : S ervice: 443:TCP S ent: POS T /index.php
HTTP/1.0 Hos t: oldworldnames .com Us er-Agent: Mozilla/5.0 Content-length: 194
Content-Type: application/x-www-form-urlencoded Connection: Keep-Alive Cookie:
virtuemart=1a94902355924120e2f2aeb75503d7 60;
3123b2e981cc3a414daab138debda284=-
us ername=admin& pas s wd=admin& remember=yes &
S ubmit=Login& option=login& op2=login& lang=e
nglis h& return=https ://oldworldnames .com/i
ndex.php& mes s age=0& force_s es s ion=1& jc8afe6
6b84049a86fc9f67e325e6c3e8=1 Received: HTTP/1.1 200 OK Did Not Receive:
<meta http-equiv="Content-Type" content="text/html; chars et=is o-8859-1"
/><s cript>alert('Incorrect us ername or pas s word. Pleas e try again.');
window.his tory.go(-1);</s cript> (s aint-3600)
TCP 443 9
Des cription: gues s ed pas s word to web form: /index.php (admin:pas s word) S everity:
Critical Problem Impact: An attacker who is able to gues s the pas s word to a us er
account could gain s hell acces s to the s ys tem with the privileges of the us er. From
there it is often trivial to gain complete control of the s ys tem. Res olution Protect all
accounts with a pas s word that cannot be gues s ed. Require us ers to choos e
pas s words which are eight characters long, including numeric and non-alphanumeric
characters , and which are not bas ed on the login name or any other pers onal
information about the us er. Enforce this policy us ing a utility s uch as
[http://www.utexas .edu/cc/unix/s oftware/ npas s wd] npas s wd in place of the default
UNIX pas s wd program. Check the s trength of all account pas s words periodically
us ing a pas s word cracking utility s uch as [ftp://coas t.cs .purdue.edu/pub/tools /unix
/pwdutils /crack] Crack for Unix. For Cis co 2700 S eries Wireles s Location Appliance,
change the pas s word or mitigate as des cribed in
[http://www.cis co.com/warp/public/707/ci s co-air-20061013-wla.s html] cis co-air-
20061013-wla. Vulnerability Details : S ervice: 443:TCP S ent: POS T /index.php
HTTP/1.0 Hos t: oldworldnames .com Us er-Agent: Mozilla/5.0 Content-length: 197
Content-Type: application/x-www-form-urlencoded Connection: Keep-Alive Cookie:
virtuemart=1a94902355924120e2f2aeb75503d7 60;
3123b2e981cc3a414daab138debda284=-
us ername=admin& pas s wd=pas s word& remember=y
es & S ubmit=Login& option=login& op2=login& lan
g=englis h& return=https ://oldworldnames .co
m/index.php& mes s age=0& force_s es s ion=1& jc8a
fe66b84049a86fc9f67e325e6c3e8=1 Received: HTTP/1.1 200 OK Did Not Receive:
<meta http-equiv="Content-Type" content="text/html; chars et=is o-8859-1"
/><s cript>alert('Incorrect us ername or pas s word. Pleas e try again.');
window.his tory.go(-1);</s cript> (s aint-3600)
TCP 80 http 5
S ynops is : The remote web s erver might transmit credentials in cleartext.
Des cription : The remote web s erver contains s everal HTML form fields containing an
input of type 'pas s word' which transmit their information to a remote web s erver in
cleartext. An attacker eaves dropping the traffic between web brows er and s erver
may obtain logins and pas s words of valid us ers . Solution: Make s ure that every
s ens itive form transmits content over HTTPS . Risk Factor: Medium / CVS S Bas e
S core : 5.0 (CVS S 2#AV:N/AC:L/Au:N/C:P/I:N/A:N) Other references : CWE:522,
CWE:523, CWE:718, CWE:724 (26194)


Top
 Profile  
 
PostPosted: Tue Mar 20, 2012 4:12 pm 
User avatar
Joomla! Master
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12393
Location: The Girly Side of Joomla in Sussex
1. why are you using ssl (and please be specific as to reasons)
2. have you searched the forum for ssl or pci scanning ?
3. there may be special settings with your ecommerce option
4. this is not a security issue it is an administration issue. if you do not understand why, you shouldnt be using ssl

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


Top
 Profile  
 
PostPosted: Tue Mar 20, 2012 4:18 pm 
Joomla! Intern
Joomla! Intern

Joined: Sat Feb 13, 2010 1:16 pm
Posts: 70
It is to used for credit card payments in Virtuemart. This is what he got from securitymetrics.

Hi xxxxxx,

As discussed over the phone I sent a separate email to you containing a copy of the scan results to forward to your web designer. The scan failed for clear text which means that one or more pages is not transmitting sensitive information over https which it does need to do. The second is for guessed passwords/default passwords for account log in, for this you want to ensure that there are no default log in credentials such as admin/admin or password/admin. Once these changes have been down you will want to initiate a new scan.

-- Sincerely,

xxxxxxxx.
SecurityMetrics


Top
 Profile  
 
PostPosted: Tue Mar 20, 2012 4:27 pm 
Joomla! Intern
Joomla! Intern

Joined: Sat Feb 13, 2010 1:16 pm
Posts: 70
Also SecurityMetrics is asking why the scan is able to see both of these addresses

http://oldworldnames.com/index.php
https://oldworldnames.com/index.php

When their scan only wants to see https://oldworldnames.com/index.php

---------------------------------------------

I have search and found nothing. Also I have installed and set virtuemart many times and never came up with a problem with a SecurityMetric problem.


Top
 Profile  
 
PostPosted: Tue Mar 20, 2012 5:09 pm 
User avatar
Joomla! Master
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12393
Location: The Girly Side of Joomla in Sussex
in which case you may need to speak to virtuemart to ask them why it is failing the scan.

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


Top
 Profile  
 
PostPosted: Tue Mar 20, 2012 7:06 pm 
Joomla! Intern
Joomla! Intern

Joined: Sat Feb 13, 2010 1:16 pm
Posts: 70
It has nothing to do with virtuemart.....what they are asking is why when the site is secured why is http:// still showing pages instead of just https://


Top
 Profile  
 
PostPosted: Tue Mar 20, 2012 7:19 pm 
User avatar
Joomla! Master
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12393
Location: The Girly Side of Joomla in Sussex
OK. let me try this approach, as you say you have set up numerous virtuemarts (which is your ecommerce suite)
pre amble to this post (the main results you would have got if your search returned results)
* pci compliance scanners are renowned for their inconsitancy accross makes
* most people use a payment gateway or even paypal as storing credit card numbers requires specialist knowledge as different countries have different rules/legal registration requirements

Now from the docs.
Quote:
Force SSL. This parameter has three options: “None”, “Administrator Only”, and “Entire Site”. Using the appropriate setting, this parameter forces any web browser connections to the administrative “backend”, or to the complete Joomla site, to use the secure HTTP protocol (HTTPS). The “Entire Site” setting is appropriate where security of any web transaction (e.g. e-commerce) is important. Ideally there should also be an appropriate certificate in place to verify the identity of your web site. The “Administrator Only” setting is ideal for enhancing the security of other types of web site as it encrypts “backend” content and passwords that could be put to malicious use if intercepted.
Note: before moving away from the default setting of “None”, it is essential that you check the server delivering your web site is capable of operating in HTTPS mode.

Quote:
Use an SSL server

This has more to do with secure payments and administration, and is not Joomla! core or server security, but has been included here for advisory purposes.

SSL servers are currently the only way to securely process confidential transactions and secure user authentication. SSL works by encrypting all HTTP communications between the Web server and Web clients. Thus, even if a transmission is intercepted, it cannot be read.

Joomla! 1.0.x does not allow you to assign an SSL server to individual sub-directories. Search the forums for "Tommy Hack" for one way to deal with this. Joomla! 1.5 has greatly improved SSL options.


tommy hack link - viewtopic.php?f=35&t=71404

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


Top
 Profile  
 
PostPosted: Tue Mar 20, 2012 7:24 pm 
Joomla! Intern
Joomla! Intern

Joined: Sat Feb 13, 2010 1:16 pm
Posts: 70
Thats all I needed to know. Thank you very much!


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 8 posts ] 



Who is online

Users browsing this forum: No registered users and 9 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  
Powered by phpBB® Forum Software © phpBB Group