
Website set up on an in-house machine, using FileMaker Pro Server and FileMaker Pro: vulnerabilities

Posted on 2013-06-18
Last Modified: 2013-06-21
I am trying to help a group with their website. It has a deep and complicated database set up using FileMaker Pro Server to show FileMaker Pro files for an adult and community ed website. They are hosting it internally on a Mac machine, which I can't make heads nor tails of.
They recently got a report from their bank listing dozens of vulnerabilities. Here are a few of the PHP vulnerabilities:
PHP Overflow Vulnerability in php stream scandir
PHP crypt Function Buffer Overflow Vulnerability
PHP SOAP Extension open basedir Write Restriction Bypass
PHP phar Extension Heap Overflow and Denial of Service Vulnerability

This site is on PHP5, but I can't check to see what subversion it is. Could this possibly just need a PHP upgrade, or are there other things going on?
Question by:nanharbison
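Since the question asks whether a PHP upgrade alone would cover the listed items, here is a small check script I would add (it is not code from the thread, from FileMaker, or from PHP itself): it compares the running PHP version against the first fixed releases recorded in the NVD entries for those four CVEs. It assumes it can be run on the Mac server with the site's own PHP binary (for example `php check.php`), and it is written without 5.4-only syntax so it also runs on a 5.3 install.

```php
<?php
// Added example, not code from the thread or from FileMaker/PHP. Run it with the
// web server's PHP binary to see whether that build predates the fixes for the
// four CVEs the bank's report named. Fixed-in versions are quoted from the NVD
// entries for each CVE; re-check them there before acting on the result.
// Each rule: '' = first fixed version on the oldest affected branch ("before X");
// '5.4.' = first fixed version on the 5.4 branch ("5.4.x before Y").
$cves = array(
    'CVE-2012-2688' => array('stream scandir overflow',  array('' => '5.3.15', '5.4.' => '5.4.5')),
    'CVE-2011-3268' => array('crypt() buffer overflow',  array('' => '5.3.7')),
    'CVE-2013-1635' => array('SOAP open_basedir bypass', array('' => '5.3.22', '5.4.' => '5.4.13')),
    'CVE-2012-2386' => array('phar heap overflow / DoS', array('' => '5.3.14', '5.4.' => '5.4.4')),
);

// True when $version is older than the first fixed release on its branch.
function is_unpatched($version, $fixed)
{
    $threshold = $fixed[''];
    foreach ($fixed as $branch => $first_fixed) {
        // A branch-specific rule ("5.4.") wins over the generic "before X" rule.
        if ($branch !== '' && strpos($version, $branch) === 0) {
            $threshold = $first_fixed;
        }
    }
    return version_compare($version, $threshold, '<');
}

$version = PHP_VERSION;
echo "Installed PHP: $version\n";
$unpatched = array();
foreach ($cves as $id => $entry) {
    list($name, $fixed) = $entry;
    if (is_unpatched($version, $fixed)) {
        $unpatched[] = $id;
        echo "  UNPATCHED  $id  $name (fixed in " . implode(' / ', $fixed) . ")\n";
    } else {
        echo "  ok         $id  $name\n";
    }
}
// Caveat: some OS vendors backport fixes without raising PHP_VERSION, so an
// "UNPATCHED" line means "check the package changelog", not "confirmed exploitable".
echo $unpatched ? "Upgrade PHP (or confirm vendor backports).\n"
                : "Version is at or past all four fixes.\n";
```

Note that this only answers the PHP part of the report; the Apache and OpenSSL findings mentioned later in the thread need their own version checks.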
Assisted Solution
by: Ray Paseur
ID: 39258152
Is this web site a public-facing site with a URL?  Is the site handling money via eCommerce programming that is not PCI-compliant?

This sounds like the bank has a "consultant" who has issued a boilerplate report.  If the site is PHP 5.3+ it's probably current or nearly so (IIRC 5.4 is 100% current).  Ask the bank to identify the instructions that are vulnerable, by file name and line number.  If we have some more specific information, we might be able to offer more specific help.  Consider changing banks, too.

However if the site is handling money and it is not PCI-compliant, that's a big no-no and the organization should consider scrapping the site and starting over, at least with respect to the eCommerce aspects.
Author Comment
by: nanharbison
ID: 39258910
This site is ace.colonial.net. The bank has been asked to provide descriptions of the vulnerabilities in English, so the head guy can understand what is wrong. The school district IT people are going to be asked to look at the set up to see if all software is current.

They are handling money via eCommerce.  I just noticed that there is a column for each of the 46 vulnerabilities that says the PCI status is "Fail".

The guy would be hard pressed to switch vendors. The adult and community ed (ACE) classes are published months in advance and people sign up for classes, but there is always a minimum number of people who must sign up, and this bank has the service that people are not charged until the class begins, and classes do get canceled regularly. It would be a pain to back out canceled transactions every semester and summer. The whole ACE operation is a one-man show, plus it is run on a shoestring.

I do have the file names and line numbers. I was typing this in by hand and thought I would probably have typos; I have asked if there is an electronic version of this report, but here goes for now:

PHP Overflow Vulnerability in php stream scandir CVE-2012-2688
PHP crypt Function Buffer Overflow Vulnerability CVE-2011-3268
PHP SOAP Extension open basedir Write Restriction Bypass CVE-2013-1635
PHP phar Extension Heap Overflow and Denial of Service Vulnerability CVE-2012-2386

Some of the problems are Apache and OpenSSL issues, but I thought I would address these things one at a time in different questions.
Assisted Solution
by: Ray Paseur
ID: 39259393
46 PCI failures??  Holy cow!  This may not be fixable at all without a substantial budget of both money and time.

I'm not sure how the scandir() overflow vulnerability arises or how it could be fixed, and the web site says that the server is at GoDaddy, which would lead me to believe that it's not an in-house hosting project.  Here is the NIST link that describes the issue.  
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2688

As you can see, the report appears to be OS-dependent.  To my eye, this looks like something that cannot be fixed by changing the PHP programming -- GoDaddy would have to fix it.  If you've never dealt with GoDaddy support, you're in for a "treat."

Sadly, it looks like you have come upon an object lesson in why developers choose PayPal so their scripts do not have to handle money.  I don't think I can help with this, so I'll sign off now.  Feel free to delete the question and save your EE points, and best of luck helping them out. ~Ray
Author Comment
by: nanharbison
ID: 39259638
Ray,

Okay, I spoke to the manager again; they don't actually handle the money. The steps are: the users sign up for a course and give a credit card. Within 24 hours, all the student info is moved off of the public site into FileMaker Pro, which is not accessible by anyone else.
Then, when the course is about to begin, the manager goes into the database and the credit cards are processed through a dedicated terminal that goes directly to the bank.
The sign-ups are encrypted and go through a secure connection.

The SSL certificate is from GoDaddy, but it isn't hosted there; it's done in house.

Does this information change your opinions? I am going to give you the points, this has been very helpful, as this is not my area of expertise.
Assisted Solution
by: Ray Paseur
ID: 39259714
When the students give the credit card information, that's tantamount to "handling money" and the PCI compliance rules apply.

Good news: You don't have to rely on GoDaddy (maybe you want to remove the statement from the bottom of the web page).   Bad news: There is still the issue of PCI compliance, and it's not a simple thing to achieve, in spite of web sites that purport to offer "easy PCI compliance."  Some possibly useful links:
https://www.pcisecuritystandards.org/security_standards/index.php
http://web.emc.com/RSA-PCI?cmp=knc-RSA_SMC-SMC_PCI-PCIcompliance-Americas&activity_id=180929&division=rsa
http://www.pcicomplianceguide.org/pcifaqs.php

One option might be to re-design the registration process.  Instead of taking a credit card at the time of registration, take the registration only and send a billing statement when the class is confirmed (known to be proceeding and not cancelled for lack of interest).  Issue a receipt when payment is received.  Require the receipt in hand for admission to the class.  This would let the ACE end the practice of handling credit card data because the billing statement could be sent via email with a PayPal link.  The downside of this design might be found when people register, but change their minds and do not pay.  Some sturdy language about "this is a contract" might be in order.

The only other thing I can think of is to go to the bank and ask their advice.  They will probably try to sell a merchant-account solution which could be expensive, but it might be less costly than trying to achieve PCI compliance in the existing application and server.
Assisted Solution
by: Dave Baldwin
ID: 39260203
You don't get a break from PCI-DSS for being a low budget operation.  Credit card info in the electronic age can be used almost instantly around the world.  In addition, passing PCI scan is a quarterly thing at least.  And it's not just the internet part.  If he is storing credit card info on his system then he is supposed to be physically audited to make sure his physical security is adequate.
Expert Comment
by: Ray Paseur
ID: 39262870
+1 for DaveBaldwin's comment!
Accepted Solution
by: Dave Baldwin
ID: 39263348
As a note, one of my clients couldn't pass PCI on GoDaddy because the penetration scans couldn't get through the protection software that GoDaddy is now running.  In other words, we failed because they couldn't break in enough to run the tests.  They asked us to disable the protection software so they could run their tests.
Author Comment
by: nanharbison
ID: 39263578
This is all VERY helpful, thank you so much. The vendor is sending in their tech people to look at the set up and the manager will speak to Godaddy. Interesting that the protection software caused that problem.
Expert Comment
by: Dave Baldwin
ID: 39263747
We never did pass on Godaddy for that very reason.  It was shared hosting and the telephone people at Godaddy had no idea that the protection software even existed and the engineers didn't want to talk about it.  And they weren't going to turn it off for just one site on shared hosting.  Had to move the site to a PCI specialized hosting and had no problems there.
Author Comment
by: nanharbison
ID: 39265442
Wow, thanks for letting me know that too Dave.
Expert Comment
by: Dave Baldwin
ID: 39266582
Trustwave was the scanning company.