SLES 11 SP3 Server vulnerability scan - DCShop



amginenigma
18-May-2016, 21:20
Hello all,

Have a bit of a tickler here. We are getting ready to have a security audit run against our servers; this scan uses a product called Tenable, which a sister agency to ours will use to scan our servers. In preparation for this scan I've installed and scanned these servers with OpenVAS, which thankfully has identified only a few minor issues with our fully patched SLES 11 SP3 servers. The biggest issue that is being reported back is the following:

Summary

We detected a vulnerable version of the DCShop CGI. This version does not properly protect user and credit card information. It is possible to access files that contain administrative passwords, current and pending transactions and credit card information (along with name, address, etc.).
Vulnerability Detection Result

The following files are affected:

DCShop orders file: /?q=user/register/Orders/orders.txt
DCShop orders file: /?q=user/register/orders/orders.txt
DCShop authentication file: /?q=user/register/Auth_data/auth_user_file.txt
DCShop authentication file: /?q=user/register/auth_data/auth_user_file.txt


The problem is... we don't have DCShop installed. In fact the cgi-bin directory on the server contains exactly three files:

info2html, info2html.conf and infocat

My google-fu led me to a few (very few) web sites which suggested making massive modifications to the DCShop installation, which cannot be done because, again, the server doesn't have this installed. One tip suggested that the 'everyone' group had full access to the cgi-bin folder; the default permissions on the cgi-bin folder are 755, and I've changed that to 754 and 750 with zero impact on the above error during OpenVAS scans.

Can anyone shed any light on this for me? I'm pretty sure that reporting to the scanning agency that 'oh yea that's a bug in the scan we don't use DCShop' is going to result in a big fat fail at this station.

Appreciate the thoughts / suggestions.

smflood
18-May-2016, 22:21
On 18/05/2016 21:24, amginenigma wrote:

> Have a bit of a tickler here, we are getting ready to have a security
> audit run against our servers, this scan uses a product called Tenable
> which a sister agency to ours will use to scan our servers. In
> preparation for this scan I've installed and scanned these servers with
> OpenVAS, which thankfully has identified only a few minor issues with
> our fully patched SLES11SP3 servers.

Whilst you may have fully patched SLES11 SP3 servers, if you are worried
about security you should upgrade those to SLES11 SP4, as SP3 is now out
of support (though you may still be receiving some patches).

> The biggest issue that is being
> reported back is the following:
>
> Summary
>
> We detected a vulnerable version of the DCShop CGI. This version does
> not properly protect user and credit card information. It is possible to
> access files that contain administrative passwords, current and pending
> transactions and credit card information (along with name, address,
> etc).
> Vulnerability Detection Result
>
> The following files are affected:
>
> DCShop orders file: /?q=user/register/Orders/orders.txt
> DCShop orders file: /?q=user/register/orders/orders.txt
> DCShop authentication file:
> /?q=user/register/Auth_data/auth_user_file.txt
> DCShop authentication file:
> /?q=user/register/auth_data/auth_user_file.txt
>
>
> The problem is... we don't have DCShop installed. In fact the cgi-bin
> directory on the server contains exactly three files:
>
> info2html, info2html.conf and infocat
>
> My google-fu led me to a few (very few) web sites which suggested making
> massive modifications to the DCShop installation, which cannot be done
> because again the server doesn't have this installed. One tip suggested
> that the 'everyone' group had full access to the cgi-bin folder, default
> permissions on the cgi-bin folder are 755, I've changed that to 754 and
> 750 with zero impact on the above error during OpenVAS scans.
>
> Can anyone shed any light on this for me? I'm pretty sure that
> reporting to the scanning agency that 'oh yea that's a bug in the scan
> we don't use DCShop' is going to result in a big fat fail at this
> station.
>
> Appreciate the thoughts / suggestions.

Looking at the OpenVAS plug-in suggests that it has found DCShop
installed, so could it be that you have virtual servers and/or
alternative cgi-bin directories called from additional .conf files?

HTH.
--
Simon
SUSE Knowledge Partner
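A scanner finding like this on a host without the product usually means the web server answers every URL, including ones that cannot exist, with the same 200 page, so the check's requests all look successful; the script below (an added example, not from the thread or from OpenVAS) probes the four reported paths together with a random control path and classifies the result. It assumes only the paths quoted in the scan output; the local demo server it starts is a constructed stand-in for the audited host, and a 'real-content' verdict is the case where Simon's question about additional virtual hosts or cgi-bin directories applies.

```python
import http.server
import secrets
import threading
import urllib.error
import urllib.request

# The paths the OpenVAS DCShop check reported (taken from the scan result in the post).
REPORTED_PATHS = [
    "/?q=user/register/Orders/orders.txt",
    "/?q=user/register/orders/orders.txt",
    "/?q=user/register/Auth_data/auth_user_file.txt",
    "/?q=user/register/auth_data/auth_user_file.txt",
]

def fetch(base_url, path, timeout=5):
    """GET base_url + path and return (status, body); 4xx/5xx are returned, not raised."""
    try:
        with urllib.request.urlopen(base_url + path, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def diagnose(base_url):
    """Return 'catch-all' (a random impossible path gets the same 200 page as the reported
    files), 'real-content' (reported paths return 200 but the control does not) or 'not-found'."""
    control = f"/{secrets.token_hex(8)}/does-not-exist.txt"  # constructed control path
    ctrl = fetch(base_url, control)
    hits = [fetch(base_url, p) for p in REPORTED_PATHS]
    if ctrl[0] == 200 and all(h == ctrl for h in hits):
        return "catch-all"
    return "real-content" if any(s == 200 for s, _ in hits) else "not-found"

class _DemoHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the audited host; catch_all=True answers 200 to every URL."""
    catch_all = True
    def do_GET(self):
        found = self.catch_all or self.path == "/"
        body = b"<html>Welcome</html>" if found else b"Not Found"
        self.send_response(200 if found else 404)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args): pass  # silence per-request logging in the demo

def start_demo_server(catch_all=True):
    """Serve _DemoHandler on a free loopback port and return its base URL."""
    handler = type("Handler", (_DemoHandler,), {"catch_all": catch_all})
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"
```

Against your own server, call diagnose() with its base URL instead of the demo one; a site that echoes the requested URL into its catch-all page will need the body comparison relaxed to status and length.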