Page 1 of 2 12 LastLast
Results 1 to 10 of 14
  1. #1
    Join Date
    Apr 2013
    Posts
    10
    Plugin Contributions
    0

    PCI Compliance/code injection

    Hey, I've been struggling to get my site PCI compliant and they have a couple of issues with what seems to be Zen Cart related. Can someone help me understand these and what I can do about them?

    This was the information given to me:

    1) Code Injection
    Injected into the "products_id" form parameter (Using method GET) on
    http://www.XXXXXX.com/products2/inde...7i28ujt5dm862:
    14: <meta name="generator"content="shopping cart program

    Solution
    Ensure that the script properly validates user input before passing it to an interpreter for execution.

    2) Missing Secure Flag From SSL Cookie
    /products2/index.php
    Cookie is not marked as secure: 'zenid=8njmvs57jf62j8h5ftnhcve4m7;path=/products2; httponly;domain=.www.sigproed.com'URL:
    https://www.xxxxxx.com/products2/ind...ain_page=login

    Solution:
    Add the Secure flag to cookies sent over SSL
    For each cookie sent over SSL in your web-site, add the "Secure" flag to the cookie. For example:
    Set-Cookie: <name>=<value>[; <Max-Age>=<age>]
    [; expires=<date>][; domain=<domain_name>]
    [; path=<some_path>][; secure][; HttpOnly]

  2. #2
    Join Date
    Jan 2007
    Location
    Los Angeles, California, United States
    Posts
    10,023
    Plugin Contributions
    32

    Re: PCI Compliance/code injection

    See the posting tips (they appear above the reply box when posting or replying to a post). Provide the information asked. It will help folks help you.
    My Site - Zen Cart & WordPress integration specialist
    I don't answer support questions via PM. Post add-on support questions in the support thread. The question & the answer will benefit others with similar issues.

  3. #3
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: PCI Compliance/code injection

    You've severely abbreviated the "proof" details required in order to recreate the scenario they allege.

    We don't need you to post their suggested "solution", but we do need all the details of the allegation "proof of concept", for each case you think needs attention.
    It helps also if you include their "severity rating".

    And of course knowing your PHP version and MySQL version and server operating system and hosting company and a detailed list of all your addons/plugins/mods and coding changes you've made to your site. Without that information we can't reverse engineer the issue far enough to provide a fix.
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  4. #4
    Join Date
    Apr 2013
    Posts
    10
    Plugin Contributions
    0

    Re: PCI Compliance/code injection

    Sorry, let me try again.

    Version v1.5.0 Not upgraded. Installed via ftp zc_install.

    The only plugin/addon is a payment module from 'plug N pay'.

    PHP Version: 5.3.23 (Zend: 2.3.0)
    Database: MySQL 5.5.30-log
    Hosting Company: Bluehost


    Code Injection (spider code injection)
    Severity Medium
    CVSS Score 5.0 (AV:N/AC:L/Au:N/C/I:N/A:N)
    Description Code injection is the general name for many types of attacks that involve introducing malicious code into applications. For example, attackers may send code as values of form fields or add argument values in uniform resource identifiers (URIs). These attacks exploit lack of accurate input/output data validation. Code injection vulnerabilities belong to the A1 category in the OWASP 2010 Top Ten Security Risks.
    References OWASP2010:A1, URL: http://cwe.mitre.org/data/definitions/77.html, URL: https://www.owasp.org/index.php/Code_Injection

    Instance -
    /products2/index.php

    Evidence -
    Injected into the "products_id" form parameter (Using method GET) on
    http://www.xxxx.com/products2/index....7i28ujt5dm862:
    14: <meta name="generator" content="shopping cart program by Zen Cart&r...
    15: <meta name="robots" content="noindex, nofollow" />
    16:
    17: <base href="http://www.xxxx.com/products2/" />
    14:
    ...products_id=ec858356548858356548" />

    Instance -
    /products2/index.php

    Evidence-
    Injected into the "cPath" URL parameter (Using method GET) in
    http://www.xxxx.com/products2/index....&products_id=2 by changing the URL
    to
    http://www.xxxx.com/products2/index....20&#39;8583565
    48';&products_id=2
    118:
    119: <div class="centerColumn"id="productGeneral">
    120:
    121: <!bofForm start>
    118:
    ...nfo&amp;cPath=858356548858356548&amp;products_id=2&amp;number_of_up...

    Instance -
    /products2/index.php

    Evidence-
    Injected into the "products_id" URL parameter (Using method GET) in
    http://www.xxxx.com/products2/index....&products_id=2 by changing the URL
    to
    http://www.xxxx.com/products2/index....58356548&#39;%
    20.%20'858356548';
    14: <meta name="generator"
    content="shopping cart program by Zen Cart&r...
    15: <meta name="robots"
    content="noindex, nofollow" />
    16:
    17: <base
    href="http://www.xxxxx.com
    /products2/" />
    14:
    ...products_id=ec8583565488583
    56548" />

    3.2.7. Missing Secure Flag From SSL Cookie (http cookie secure flag)
    Severity Medium
    CVSS Score 5.0 (AV:N/AC:L/Au:N/C/I:N/A:N)
    Description The Secure attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help protect the cookie from being passed over unencrypted requests. If the application can be accessed over both HTTP and HTTPS, then there is the potential that the cookie can be sent in clear text.
    References OWASP2010: A3, URL: http://www.ietf.org/rfc/rfc2965.txt, URL: https://www.owasp.org/index.php/Test...8OWASPSM002%29

    Instance
    /products2/index.php

    Evidence
    Cookie is not marked as secure:
    'zenid=8njmvs57jf62j8h5ftnhcve4m7;
    path=/products2; httponly;
    domain=.www.xxxx.com'
    URL: https://www.xxxx.com/products2/index...ain_page=login
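The "Missing Secure Flag" finding above, as an added example that is not part of this thread and not Zen Cart code: a small Python checker a merchant can point at their own site's Set-Cookie headers before asking for a re-scan. The sample header is constructed from the scan evidence quoted in this thread (session id and domain are placeholders), and the rule applied is the one the report states: a cookie set on an HTTPS response without the Secure attribute will also be sent on plain-HTTP requests to the same host.

```python
"""Check Set-Cookie header values for the Secure and HttpOnly flags.

Added example, not Zen Cart code: a generic check to confirm the cookie
fix before re-scanning, using the same criteria the scan report describes.
"""
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlparse


@dataclass
class CookieCheck:
    name: str
    secure: bool
    httponly: bool
    attributes: Dict[str, str] = field(default_factory=dict)
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieCheck:
    """Parse one Set-Cookie header value into name, flags and attributes."""
    parts = [p.strip() for p in header.strip().strip("'").split(";")]
    name = parts[0].split("=", 1)[0].strip()
    secure = False
    httponly = False
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        key = key.strip().lower()
        if key == "secure":          # flag attributes carry no value
            secure = True
        elif key == "httponly":
            httponly = True
        else:
            attrs[key] = value.strip()
    return CookieCheck(name, secure, httponly, attrs)


def check_cookie(header: str, url: str) -> CookieCheck:
    """Evaluate a Set-Cookie header that was received from `url`.

    A cookie set over HTTPS without Secure is exactly what the scan flagged:
    the browser will also attach it to any plain-HTTP request to the host.
    """
    cookie = parse_set_cookie(header)
    over_tls = urlparse(url).scheme == "https"
    if over_tls and not cookie.secure:
        cookie.findings.append("missing Secure flag on cookie set over HTTPS")
    if not cookie.httponly:
        cookie.findings.append("missing HttpOnly flag")
    return cookie


# Constructed samples modelled on the scan evidence quoted in this thread
# (session id and domain are placeholders, not real values).
SCAN_EVIDENCE = "zenid=SESSIONIDPLACEHOLDER; path=/products2; httponly; domain=.www.example.com"
SCAN_URL = "https://www.example.com/products2/index.php?main_page=login"
FIXED_COOKIE = "zenid=SESSIONIDPLACEHOLDER; path=/products2; secure; httponly; domain=.www.example.com"

if __name__ == "__main__":
    for hdr in (SCAN_EVIDENCE, FIXED_COOKIE):
        result = check_cookie(hdr, SCAN_URL)
        status = "PASS" if not result.findings else "FAIL: " + "; ".join(result.findings)
        print(f"{result.name}: {status}")
```

In PHP generally, the session cookie's flags come from the `session.cookie_secure` and `session.cookie_httponly` ini settings or from `session_set_cookie_params()`; where Zen Cart itself sets them is a question for its own documentation, not something this example asserts.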

  5. #5
    Join Date
    Jan 2007
    Location
    Australia
    Posts
    6,167
    Plugin Contributions
    7

    Re: PCI Compliance/code injection

    Quote Originally Posted by derbypip:
    Sorry, let me try again.
    <snip>
    Instance -
    /products2/index.php
    'products2' isn't a standard folder with a default installation. Any idea where it comes from?

    Cheers
    Rod

  6. #6
    Join Date
    Apr 2013
    Posts
    10
    Plugin Contributions
    0

    Re: PCI Compliance/code injection

    "Products2" is just the name of the folder I used to install zen cart.

    "REMEMBER ... this guide uses the "/catalog" folder AS AN EXAMPLE. You don't "have to" use "/catalog". You could use something else, or nothing at all if you prefer to install in the "root" (which is the "base" of your website)."

    I used the folder name products2 instead of catalog.

  7. #7
    Join Date
    Jan 2007
    Location
    Australia
    Posts
    6,167
    Plugin Contributions
    7

    Re: PCI Compliance/code injection

    Quote Originally Posted by derbypip:

    I used the folder name products2 instead of catalog.
    Oh, OK. So much for my theory.

    Cheers
    Rod

  8. #8
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: PCI Compliance/code injection

    The data being passed by GET is being sanitized and is not triggering vulnerabilities. At least, thus far on a fresh install of v1.5.1 in preliminary investigations anyway.
    Sure, numbers passed are being "used", but invalid characters are not causing security problems, because invalid characters are being stripped. It's perfectly acceptable for numbers and letters to be part of a products_id, and for numbers to be part of cPath.

    If they can't provide a further proof of concept demonstrating a *real* security vulnerability, then you shouldn't accept a "fail" from them.
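The sanitizing DrByte describes above (invalid characters stripped, letters and digits allowed in products_id, digits in cPath), as an added example that is not part of this thread and not Zen Cart's own code. The whitelist rules and the `_` separator in cPath are assumptions for illustration; the sample query strings are constructed from the kind of probe quoted in the scan evidence. It shows why the scanner's "evidence" of digits reflected back into the page is not evidence of code execution: the quote and semicolon characters the probe relies on never survive the whitelist.

```python
"""Whitelist sanitizing of GET parameters, as described in this thread.

Added example, not Zen Cart code. Rules are assumptions for illustration:
products_id keeps letters and digits, cPath keeps digits and the '_' that
separates category ids in a path.
"""
import re
from typing import Dict
from urllib.parse import parse_qsl

# Each pattern matches the characters that are NOT allowed; they are removed.
PARAM_RULES = {
    "products_id": re.compile(r"[^A-Za-z0-9]"),
    "cPath": re.compile(r"[^0-9_]"),
}


def sanitize_param(name: str, value: str) -> str:
    """Strip every character not on the whitelist for this parameter."""
    rule = PARAM_RULES.get(name)
    if rule is None:
        raise KeyError(f"no sanitizing rule for parameter {name!r}")
    return rule.sub("", value)


def sanitize_query(query: str) -> Dict[str, str]:
    """Sanitize all known parameters in a query string; unknown ones are dropped."""
    clean: Dict[str, str] = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name in PARAM_RULES:
            clean[name] = sanitize_param(name, value)
    return clean


def probe_neutralized(name: str, value: str) -> bool:
    """True when sanitizing removed characters, i.e. the raw value was not safe."""
    return sanitize_param(name, value) != value


# Constructed probes in the shape the scan report quotes: a quote, a PHP-style
# string concatenation and a semicolon wrapped around digits (URL-encoded).
PROBE_QUERY = "main_page=product_info&cPath=20%27858356548%27%3B&products_id=2"
PROBE_PRODUCTS_ID = "2' . '858356548';"

if __name__ == "__main__":
    print(sanitize_query(PROBE_QUERY))
    print(sanitize_param("products_id", PROBE_PRODUCTS_ID))
    print("probe neutralized:", probe_neutralized("products_id", PROBE_PRODUCTS_ID))
```

What a scanner then sees in the response is only the digits of its probe, which is the "numbers passed are being used" behaviour in the post above, not an interpreter executing the quoted payload.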

  9. #9
    Join Date
    Apr 2013
    Posts
    10
    Plugin Contributions
    0

    Re: PCI Compliance/code injection

    Thanks Dr. Byte, I'll present this to the scan company.

    Do you have any thoughts about my "Missing Secure Flag From SSL Cookie" issue?

  10. #10
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: PCI Compliance/code injection

    Quote Originally Posted by derbypip:
    Do you have any thoughts about my "Missing Secure Flag From SSL Cookie" issue?
    Only that most scan companies correctly categorize that as "Severity: Low" and "Compliance: Pass".
