PCI Compliance
November 6th, 2008 at 3:42 pm

As some of you may already be aware, Websiteforge has been audited lately for PCI compliance. The following is a list of issues and the results of our findings. Please review this when you receive test results about your site. As always, feel free to submit your test results to support@websiteforge.com so we can review them for you and advise.


REVIEW:

OpenSSH Duplicate Block Denial of Service Vulnerability

A version of OpenSSH prior to 4.4 is running on this host. This version is affected by a Denial of Service vulnerability. However, an attack can only be performed if version 1 of the SSH protocol is enabled.
Note: Vulnerabilities which result only in denial of service do not affect PCI compliance; however, they may still be critical to your systems.
Service: SSH-2.0-OpenSSH_3.9p1
CVE: CVE-2006-4924
NVD: CVE-2006-4924
Bugtraq: 20216
CERT: 787448
CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:C (Base Score:7.80)


FALSE ALERT. We do not have and never had SSHv1 enabled.

ProFTPD Command Truncation Cross-Site Request Forgery Vulnerability

The version of ProFTPD running on the remote host splits an overly long FTP command into a series of shorter ones and executes each in turn. If an attacker can trick a ProFTPD administrator into accessing a specially-formatted HTML link, he may be able to cause arbitrary FTP commands to be executed in the context of the affected application with the administrator's privileges.
Service: 220 WebsiteForge FTP Server (www.websiteforge.com) ready
CVE: CVE-2008-4242
NVD: CVE-2008-4242
Bugtraq: 31289
Reference: http://bugs.proftpd.org/show_bug.cgi?id=3115
CVSSv2: AV:N/AC:H/Au:N/C:P/I:P/A:P (Base Score:5.10)

Valid alert. Software upgraded and patched, issue resolved.


OpenSSH X11 Session Hijacking Vulnerability

OpenSSH is prone to a vulnerability that allows local attackers to hijack forwarded X connections. The system must have both IPv4 and IPv6 enabled at the same time for this to be exploited. Successfully exploiting this issue may allow an attacker to run arbitrary shell commands with the privileges of the user running the affected application. This issue is known to affect OpenSSH 4.3p2, though other versions may also be affected. This vulnerability will trigger on any SSH banner version prior to 'openssh-5'. OpenSSH packages shipped with Red Hat Enterprise Linux 4 and 5 are not vulnerable to this issue. However, Red Hat Enterprise Linux 2.1 and 3 are affected.
Service: SSH-2.0-OpenSSH_3.9p1
CVE: CVE-2008-1483
NVD: CVE-2008-1483
Bugtraq: 28444
CVSSv2: AV:L/AC:H/Au:S/C:C/I:C/A:C (Base Score:6.00)

FALSE ALERT. Our systems have IPv6 disabled and therefore are not affected.


Multiple Vulnerabilities in lighttpd Prior to 1.4.20

The version of lighttpd running on this host is prone to multiple vulnerabilities. These include a failure to properly sanitize user input which could lead to information disclosure, a memory leak when processing multiple headers that could lead to denial of service conditions, and the ability to circumvent URL rewrite and redirect patterns using encoding. Refer to the included references for more information.
Service: lighttpd/1.4.18
CVE: CVE-2008-1531, CVE-2008-4298, CVE-2008-4359, CVE-2008-4360
NVD: CVE-2008-1531, CVE-2008-4298, CVE-2008-4359, CVE-2008-4360
Bugtraq: 28489, 31434, 31599, 31600
Reference: http://trac.lighttpd.net/trac/ticket/285
Reference: http://trac.lighttpd.net/trac/ticket/1720
Reference: http://trac.lighttpd.net/trac/ticket/1589
Reference: http://trac.lighttpd.net/trac/ticket/1774
CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P (Base Score:5.00)

Valid alert. Removed the software because it was installed for a customer who has left and never used it.
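Both OpenSSH findings above were raised purely from the banner string, so whether they apply depends on host configuration rather than the version number. The following is an added example (not code from the original post or from Websiteforge) that re-checks them from an sshd_config, sysctl output and a banner; all three inputs are constructed samples, and gating CVE-2008-1483 on X11Forwarding being enabled is an assumption beyond what the scanner text states.

```python
import re

# Constructed sample inputs (not Websiteforge's real configuration).
SAMPLE_SSHD_CONFIG = """\
# Only protocol 2 is offered on this host
Protocol 2
X11Forwarding no
"""
SAMPLE_SYSCTL = "net.ipv6.conf.all.disable_ipv6 = 1\n"
SAMPLE_BANNER = "SSH-2.0-OpenSSH_3.9p1"

def sshd_directive(config_text, name):
    """First uncommented value of an sshd_config directive, or None."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == name.lower():
            return parts[1].strip()
    return None

def banner_version(banner):
    """(major, minor) from an OpenSSH banner, e.g. (3, 9) for OpenSSH_3.9p1."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None

def sshv1_enabled(config_text):
    """CVE-2006-4924 needs protocol 1 offered. A missing Protocol line is
    treated as enabled: releases of this era defaulted to offering both."""
    value = sshd_directive(config_text, "Protocol")
    if value is None:
        return True
    return "1" in [v.strip() for v in value.split(",")]

def ipv6_enabled(sysctl_text):
    """CVE-2008-1483 needs IPv6 up; read net.ipv6.conf.all.disable_ipv6
    from 'sysctl -a' style output. An absent key is treated as enabled."""
    m = re.search(r"net\.ipv6\.conf\.all\.disable_ipv6\s*=\s*(\d)", sysctl_text)
    return m is None or m.group(1) == "0"

def applicable_findings(banner, config_text, sysctl_text):
    """Scanner findings from the post that are actually reachable here."""
    ver = banner_version(banner)
    hits = []
    if ver and ver < (4, 4) and sshv1_enabled(config_text):
        hits.append("CVE-2006-4924")
    x11 = (sshd_directive(config_text, "X11Forwarding") or "no").lower() == "yes"
    if ver and ver < (5, 0) and x11 and ipv6_enabled(sysctl_text):
        hits.append("CVE-2008-1483")  # X11Forwarding gate is an assumption
    return hits
```

Run against the sample inputs, `applicable_findings` returns an empty list, matching the "FALSE ALERT" responses above; feed it the real `sshd_config` and `sysctl -a` output to document the same answer for an auditor.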

Brian says:
November 6th, 2008 at 3:55 pm

Does this mean that WF now is fully PCI compliant and all issues are resolved, or are you still working on them?

Dave says:
November 6th, 2008 at 4:03 pm
Does this mean that WF is 100% PCI compliant?

Rick McCarthy says:
November 6th, 2008 at 4:16 pm

Recently "First Data" completed an audit of my site www.BoatersMarineSupply.com and affiliated "linkpoint" gateway merchant related to credit card business practices and PCI compliance.  "First Data" indicated that Linkpoint was a PCI compliant gateway and that our credit card practices, controls, and policies were PCI compliant.  No actions were required.


Is WSF fully PCI compliant or are further actions required?

Terry Liedel says:
November 6th, 2008 at 4:45 pm

Yes we are fully compliant.


Rick, as per your message, you are correct. No further action is required.

Bill says:
November 7th, 2008 at 8:09 am

Congratulations to WF crew!  Thanks for being there for those of us who are NOT overwhelmingly technically inclined.  As usual, your service makes the rest of us look pretty good!

Dale Spenrath says:
November 7th, 2008 at 9:01 am

Please note that if your processor says you need to contact a PCI specialist such as Securitymatrix then you need to do so. Just because WF is compliant doesn't mean that you are. Yes, a portion of that falls on WF, but it also has to do with how credit card numbers and associated info are stored. And that's a merchant by merchant thing. It is very important that you follow the directions in any of the letters that you got from First Data.


Dale Spenrath

POS Processing LLC

First Data IS

Rosie Batiste says:
November 7th, 2008 at 4:47 pm

Thank you so much for your email. For those of us who are technically challenged it was such a relief to have you explain it in English. I have complied with the letters I received from First Data.

Thanks again, you're the best.

Shane Merem says:
November 9th, 2008 at 7:55 pm

Great questions everyone.


Basically, the tests Terry posted are the only ones that were considered "failed" by the PCI Compliance auditors. Hundreds of tests run against the Website Forge system passed without issue. (A HUGE LIST)


We are showing you the response you should give to the auditors so they can consider you compliant.  Basically these are "false alarms" or resolved issues.


They could choose to ask more questions or for more proof.  If so, just contact support@websiteforge.com and we will help you communicate the compliance information.


Thanks, Shane Merem

Website Forge

www.websiteforge.com

Ginger Rushing says:
November 13th, 2008 at 11:06 am

I submitted to Security Metrics and passed with no problem.

Thanks WF.

Ginger Rushing

www.yourlightsite.com 
