CiviCRM Community Forums (archive)


This forum was archived on 25 November 2017. Learn more.

Author Topic: Reset parameter causes PCI compliance to fail  (Read 1090 times)

nocabt

Reset parameter causes PCI compliance to fail
January 03, 2013, 04:23:23 pm
We just failed a PCI compliance scan, and one of the errors was about the reset parameter being vulnerable to HTML injection. We're running Drupal 7.18 and CiviCRM 4.1.3. Full message below. I'm going to dispute this, I just need to know the best way to do so?

GET HTTP method, SecurityMetrics found that :
+ The following resources may be vulnerable to HTML injection :

+ The 'reset' parameter of the /civicrm/contribute/transact CGI :
/civicrm/contribute/transact?reset=<minnew%0A>
-------- output --------
Last-Modified: Sat, 22 Dec 2012 01:54:47 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Location: https://www.DOMAIN.org/civicrm/contribute/transact?reset=<minnew%0A>
X-Powered-By: PleskLin
CF-RAY: 249adc4d1400291
------------------------

+ The 'id' parameter of the /civicrm/contribute/transact CGI :
/civicrm/contribute/transact?id=<minnew%0A>
-------- output --------
Last-Modified: Sat, 22 Dec 2012 01:54:49 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Location: https://www.DOMAIN.org/civicrm/contribute/transact?id=<minnew%0A>
X-Powered-By: PleskLin
CF-RAY: 249add471400291
------------------------

+ The 'reset' parameter of the /civicrm/contribute/transact CGI :
/civicrm/contribute/transact?reset=<minnew%0A>&id=2
-------- output --------
Last-Modified: Sat, 22 Dec 2012 01:54:53 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Location: https://www.DOMAIN.org/civicrm/contribute/transact?reset=<minnew%0A>&id=2
X-Powered-By: PleskLin
CF-RAY: 249ade8e1400291
------------------------

+ The 'id' parameter of the /civicrm/contribute/transact CGI :
/civicrm/contribute/transact?reset=1&id=<minnew%0A>
-------- output --------
Last-Modified: Sat, 22 Dec 2012 01:54:55 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Location: https://www.DOMAIN.org/civicrm/contribute/transact?reset=1&id=<minnew%0A>
X-Powered-By: PleskLin
CF-RAY: 249adfae1400291
------------------------

Clicking directly on these URLs should exhibit the issue : (you will probably need to read the HTML source)
http://www.DOMAIN.org/civicrm/contribute/transact?reset=<minnew%0A>
http://www.DOMAIN.org/civicrm/contribute/transact?id=<minnew%0A>

Other references : CWE:80, CWE:86
Resolution: Either restrict access to the vulnerable application or contact the vendor for an update.
Risk Factor: Medium / CVSS2 Base Score: 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

jcm55

Re: Reset parameter causes PCI compliance to fail
January 03, 2013, 05:36:59 pm
I had this same problem with our PCI compliance scan.  I'm guessing you have "Force Secure URLs" enabled?  If yes, then any time the PCI scanner hits an http URL (instead of https), CiviCRM responds with a 302 redirect, and the secure (https) version of the URL that was just requested appears in the "Location:" header of the response.  If the request had injected HTML, it will also appear in the "Location:" header in the response, which causes the PCI scanner (Security Metrics in our case) to flag it.

I disputed this as a false positive / non-issue and they agreed.  I do have to renew the dispute every quarter though, which is a pain.

Donald Lobo

Re: Reset parameter causes PCI compliance to fail
January 03, 2013, 08:37:38 pm

if there is anything we can / should do to fix this and make it easier for folks going forward we should do it

In this case, i just checked and seems like we just do a simple redirect of the url as is to the https equivalent

lobo
A new CiviCRM Q&A resource needs YOUR help to get started. Visit our StackExchange proposed site, sign up and vote on 5 questions

jcm55

Re: Reset parameter causes PCI compliance to fail
January 04, 2013, 07:42:46 am
I created CRM-11589 for this.

Donald Lobo

Re: Reset parameter causes PCI compliance to fail
January 04, 2013, 08:38:05 pm
jim:

can u take a look and see if u can come up with a patch for this. the relevant redirect code is at:

CRM/Utils/System.php, function redirectToSSL

lobo
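
Added example, not part of any post in this thread and not CiviCRM's redirectToSSL code: one way an http-to-https redirect can avoid echoing the raw request into the "Location:" header, which is the behaviour the scanner flagged above. The function names, the configured base URL parameter and the sample inputs are all assumptions made for illustration.

```php
<?php
// Added illustration; not CiviCRM's redirectToSSL(). All names are hypothetical.

/**
 * Percent-encode every byte that may not appear literally in a URI path or
 * query, leaving existing %XX escapes intact. The application still receives
 * the same parameter values, but the redirect target carries no raw markup
 * or control characters.
 */
function encodeUnsafeUriBytes(string $requestUri): string
{
    $encoded = preg_replace_callback(
        '/[^A-Za-z0-9\-._~!$&\'()*+,;=:@\/?%]|%(?![0-9A-Fa-f]{2})/',
        function (array $m): string {
            return rawurlencode($m[0]);
        },
        $requestUri
    );
    // preg_replace_callback() returns null on a regex engine error.
    return $encoded ?? '/';
}

/**
 * Build the https:// Location value from a configured base URL (assumed
 * setting, e.g. "https://www.example.org") rather than the request's Host
 * header, and from the encoded request target.
 */
function sslRedirectLocation(string $httpsBase, string $requestUri): string
{
    // Only origin-form targets ("/path?query") are carried over.
    if ($requestUri === '' || $requestUri[0] !== '/') {
        $requestUri = '/';
    }
    return rtrim($httpsBase, '/') . encodeUnsafeUriBytes($requestUri);
}

// Constructed sample inputs, modelled on the probes in the scan report.
$samples = [
    '/civicrm/contribute/transact?reset=<minnew%0A>',
    '/civicrm/contribute/transact?reset=1&id=<minnew%0A>',
    '/civicrm/contribute/transact?reset=1&id=2',
];
foreach ($samples as $uri) {
    echo sslRedirectLocation('https://www.example.org', $uri), PHP_EOL;
}
```

With this encoding the angle brackets reach the response as %3C and %3E, so a scanner that looks for its probe string echoed verbatim in the response headers no longer finds it, while ordinary URLs pass through unchanged.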

This forum was archived on 2017-11-26.