  1. #1

    Not passing PCI compliance because 404 does not occur with a ~

    Zen 1.3.9 with mods CEON URI/ numinix, shipping. I ran PCI Scan with company and they are telling me I'm not passing PCI compliance because 404 does not occur with a ~ after any URL. Here is what the PCI error says and the email from the PCI company. I've gone through and deleted all the .bak files and .old

    PCI Error
    Synopsis : It is possible to retrieve file backups from the remote web server. Description : By appending various suffixes (i.e. .old, .bak, ~, etc.) to the names of various files on the remote host, it seems possible to retrieve their contents, which may result in disclosure of sensitive information. See also : http://projects.webappsec.org/Predictable-Resource-Location Solution: Ensure the files do not contain any sensitive information, such as credentials to connect to a database, and delete or protect those files that should not be accessible.

    Email from PCI Company

    http://example.com/new-products/~

    vs.

    http://example.com/new-products

    It should not be pulling up the same page. It should be resulting in a 404 not found. This means you have a backup file here.
    Last edited by jpietrowiak; 3 Mar 2012 at 10:18 PM.

  2. #2
    Join Date: Jan 2004 | Posts: 66,373 | Blog Entries: 7 | Plugin Contributions: 274

    Re: Not passing PCI compliance because 404 does not occur with a ~

    Turn off your URL-rewriter addon until you fix whatever it's doing incorrectly.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #3
    Join Date: Aug 2004 | Location: Belfast, Northern Ireland | Posts: 2,480 | Plugin Contributions: 14

    Re: Not passing PCI compliance because 404 does not occur with a ~

    Hi Jamey,

    Quote Originally Posted by jpietrowiak:
        PCI Error
        Synopsis : It is possible to retrieve file backups from the remote web server. Description : By appending various suffixes (i.e. .old, .bak, ~, etc.) to the names of various files on the remote host, it seems possible to retrieve their contents, which may result in disclosure of sensitive information. See also : http://projects.webappsec.org/Predictable-Resource-Location Solution: Ensure the files do not contain any sensitive information, such as credentials to connect to a database, and delete or protect those files that should not be accessible.
    Another awful false positive by yet another waste of space programmer at a PCI company.

    A lot of these companies are money-grabbing timewasters.

    Ceon URI Mapping strips any invalid characters from the URI, ignoring these characters and therefore essentially protecting you from any effects of these types of "hacks".

    PHP Code:
    // Make sure that request URI has no invalid characters in it
    // (anything outside letters, digits, _ - . / and % is stripped, which is
    // why a trailing '~' collapses onto the unsuffixed URI)
    $uri_to_match = preg_replace('/[^a-zA-Z0-9_\-\.\/%]/', '', $this->_request_uri);

    Using a different, "better" PCI company would obviously be the best option.

    If you can't do that then chances are you'll have to add a condition to the rewrite rule or remove the above line from

    includes/classes/class.CeonURIMappingHandler.php

    I'll post back here if I come up with any other solution.

    All the best..

    Conor
    ceon

  4. #4
    Join Date: Aug 2004 | Location: Belfast, Northern Ireland | Posts: 2,480 | Plugin Contributions: 14

    Re: Not passing PCI compliance because 404 does not occur with a ~

    Hi,

    Forgot to post an example condition which stops this false positive:

    Code:
    # Prevent stupid false positives by bad PCI company's scan
    RewriteCond %{REQUEST_URI} ![~]$ [NC]

    However, the best option is to use a PCI company with better tests ("yes, but what if an alien read your mind and entered your password.. pay us for a scan so we can tell if they can do that").. it's such a money-driven industry, it's in their interests to have you fail so you keep coming back. :|

    Ceon URI Mapping doesn't affect PCI compliance tests in general, its example rewrite rule works just fine with all PCI tests we've ever seen or heard of, until now - this is the first report of a problem with any compliance company.

    This is just this specific test by this specific company that this condition needs to be applied for (securitymetrics.com apparently).

    AVOID using securitymetrics.com! :)

    All the best..

    Conor
    ceon
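
    Putting the two mechanisms from posts #3 and #4 side by side, as an added example that is not from the thread, from Ceon or from Zen Cart: the PHP character filter and the Apache RewriteCond are re-expressed in Python so the behaviour can be checked offline. The set of mapped pages and the probe URIs are constructed; the "404" outcome assumes the docroot holds no file literally named like the probe.

    ```python
    import re

    # Constructed set of URIs that the URI mapper knows how to serve.
    PAGES = {'/new-products', '/specials'}

    # Ceon's character filter from post #3 (the PHP preg_replace pattern
    # rewritten as a Python regex): every character outside the set is dropped.
    INVALID_CHARS = re.compile(r'[^a-zA-Z0-9_\-./%]')

    # The RewriteCond from post #4 ('![~]$'): the rewrite must not fire
    # when the request URI ends in '~'.
    TRAILING_TILDE = re.compile(r'~$')


    def ceon_sanitize(request_uri):
        """Strip invalid characters exactly as the quoted PHP line does."""
        return INVALID_CHARS.sub('', request_uri)


    def rewrite_allowed(request_uri, with_condition):
        """Apply the optional trailing-tilde guard in front of the RewriteRule."""
        if with_condition and TRAILING_TILDE.search(request_uri):
            return False
        return True


    def predict(request_uri, pages, with_condition):
        """Predict the response: '200 <mapped uri>' or '404'.

        A request that escapes the rewrite falls through to the filesystem,
        where no such file exists (assumption), so it yields a real 404.
        """
        if not rewrite_allowed(request_uri, with_condition):
            return '404'
        cleaned = ceon_sanitize(request_uri)
        canonical = cleaned.rstrip('/') or '/'
        if canonical in pages:
            return '200 ' + canonical
        return '404'


    if __name__ == '__main__':
        # Constructed probes of the kind a backup-file check sends. Note that
        # '.bak'/'.old' survive the filter (dot and letters are allowed) and
        # already 404; only '~' is stripped and so collapses onto the real page.
        for probe in ('/new-products', '/new-products/~', '/new-products~',
                      '/new-products.bak', '/new-products.old'):
            print(f'{probe:20} without condition: {predict(probe, PAGES, False):20}'
                  f' with condition: {predict(probe, PAGES, True)}')
    ```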

  5. #5

    Re: Not passing PCI compliance because 404 does not occur with a ~

    Gotta love it! Called tonight and talked to a guy that I talked to my first time with issues with Simple SEO before I switched to CEON URI (much better). This guy sounded sharp at this stuff and OK'd everything as it is without the added rewrite rule you made for this. That rewrite rule also corrected the issue with them as well, so that worked like a charm for anyone else that has issues with your PCI company.

    To give the securitymetrics rep credit for knowing what he is doing - thank you, Clayton.

    Also cheers and big thanks to Conor for his support in getting this resolved!
