Validate Website as Secure for Transactions with PCI DSS

PCI DSS stands for Payment Card Industry Data Security Standard. According to the Payment Card Industry Security Standards Council, this security standard was created for organizations that hold cardholder information for debit cards, credit cards, ATM cards, prepaid cards and e-purses. PCI DSS emerged to reduce credit card fraud by controlling how cardholder data and information are handled. PCI DSS version 2.0 must be adopted by all organizations that hold cardholder information by 1st January 2012. On such websites, a Qualified Security Assessor [QSA], who produces the Report on Compliance, runs a scan to find any kind of vulnerability on the web server.

If any vulnerability is found, they send a report to the owner of the website which includes the following points:

A] Severity of Vulnerability like:

  • Urgent
  • Critical
  • High
  • Medium
  • Low

B] Category of Vulnerability like:

  • Number of vulnerabilities in the web server
  • Number of vulnerabilities in the web application
  • Other vulnerabilities

C] List of all vulnerabilities with a complete description and their possible solutions to mitigate or resolve each vulnerability.

NOTE: Most of the vulnerabilities can be resolved just by updating your server, including the versions of the web server, PHP, MySQL and SSL.

Once all the vulnerabilities are resolved, the website passes the PCI DSS standard. I worked on such a website a few months back, and today I am going to show you the vulnerabilities and what I did to resolve them.

Vulnerability 1.  Full Path Disclosure

Solution: To resolve this issue, set display_errors = Off in php.ini, so that the server does not return an error message that includes details of the error as well as the filesystem path of the targeted script.

NOTE: Most of the vulnerabilities can be resolved just by updating your server, including the versions of your web server, SSL and PHP. I upgraded my server from CentOS 5.5 to the latest Ubuntu 13.04.

Vulnerability 2.  ICMP Timestamp Request Remote Date Disclosure

Solution: Block ICMP timestamp requests using the Ubuntu firewall (ufw). The following firewall rule was implemented to drop ICMP timestamp requests (ICMP type 13):

-A ufw-before-input -p icmp -m icmp --icmp-type 13 -j DROP

Vulnerability 3. TCP/IP Timestamps Supported

Solution: Disable TCP timestamps by changing the value in the configuration file "/proc/sys/net/ipv4/tcp_timestamps" from the default 1 to 0.

Vulnerability 4. SSL Server Accepts Weak Diffie-Hellman Keys

Solution: To resolve this vulnerability, edit the server's SSL configuration file 'ssl.conf' and add the following 2 lines:

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Vulnerability 5.  Apache HTTP Server Byte Range DoS

Solution: Enable the Apache 'headers' module (mod_headers) and add the following lines to the Apache configuration file apache2.conf:

SetEnvIf Range (?:,.*?){5,5} bad-range=1
RequestHeader unset Range env=bad-range
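To see what the two Apache lines above actually do, here is an added Python example (written for this page, not part of the original post or of Apache) that applies the same regular expression to constructed sample Range headers and counts the ranges in each. It shows that the rule fires only when a header carries five or more commas, that is six or more byte ranges, while ordinary single-range and resume requests pass untouched; the filter_request_headers helper is a hypothetical stand-in for the RequestHeader unset step.

```python
import re

# The same pattern as the page's SetEnvIf line: it matches any Range header
# containing at least five commas, i.e. six or more byte ranges.
BAD_RANGE_RE = re.compile(r"(?:,.*?){5,5}")


def is_bad_range(range_header: str) -> bool:
    """True when Apache's SetEnvIf rule would set bad-range=1 for this header."""
    return BAD_RANGE_RE.search(range_header) is not None


def range_count(range_header: str) -> int:
    """Number of byte ranges requested, e.g. 'bytes=0-1,2-3' -> 2."""
    _, _, spec = range_header.partition("=")
    return len([r for r in spec.split(",") if r.strip()])


def filter_request_headers(headers: dict) -> dict:
    """Hypothetical equivalent of 'RequestHeader unset Range env=bad-range':
    drop the Range header when it carries too many ranges, so Apache serves
    the whole resource instead of assembling a huge multipart response."""
    cleaned = dict(headers)
    rng = cleaned.get("Range")
    if rng is not None and is_bad_range(rng):
        del cleaned["Range"]
    return cleaned


# Constructed sample Range headers (not taken from any real traffic).
SAMPLES = {
    "single": "bytes=0-499",
    "resume": "bytes=500-",
    "five_ranges": "bytes=0-1,2-3,4-5,6-7,8-9",
    "six_ranges": "bytes=0-1,2-3,4-5,6-7,8-9,10-11",
    "flood": "bytes=" + ",".join(f"{i}-{i}" for i in range(1300)),
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name:12s} ranges={range_count(hdr):5d} bad-range={is_bad_range(hdr)}")
```

The threshold of five commas is the page's choice; a stricter server could lower it, but legitimate clients (resumable downloads, PDF viewers) rarely send more than a handful of ranges, so the rule costs little.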

Vulnerability 6.  Website Directory Listing

Solution: Simply add '-Indexes' to the Options line in the website's Directory section to stop directory listing.

Vulnerability 7.  Sensitive Cookie Missing 'HTTPONLY' Attribute

Solution: For session cookies managed by PHP, set the following flag in the server's php.ini file:

session.cookie_httponly = True
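Before asking the QSA to re-scan, it is worth checking every setting from the fixes above in one pass. The following Python script is an added example written for this page (not the author's script); it audits constructed php.ini and Apache fragments, the value read from /proc/sys/net/ipv4/tcp_timestamps, and a Set-Cookie header value as you would see it from a curl -I against the site. It goes one step beyond the post: the SSLProtocol check also flags SSLv3, which the page's 2013 line still enables but which the POODLE attack (2014) made unsafe, so a current scan would report it.

```python
# Constructed sample configuration fragments, before and after the fixes
# described in the post (not copied from any real server).
PHP_INI_BEFORE = "display_errors = On\nsession.cookie_httponly = 0\n"
PHP_INI_AFTER = "display_errors = Off\nsession.cookie_httponly = True\n"

APACHE_BEFORE = """
<Directory /var/www>
    Options Indexes FollowSymLinks
</Directory>
SSLProtocol all
"""
APACHE_AFTER = """
<Directory /var/www>
    Options -Indexes FollowSymLinks
</Directory>
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
SetEnvIf Range (?:,.*?){5,5} bad-range=1
RequestHeader unset Range env=bad-range
"""


def ini_value(text, key):
    """Last uncommented value of a php.ini directive, or None if it is unset."""
    value = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" not in line:
            continue
        k, v = (s.strip() for s in line.split("=", 1))
        if k.lower() == key.lower():
            value = v.strip("\"'")
    return value


def ini_truthy(value):
    """php.ini booleans: On/True/Yes/1 are true; Off/False/No/0 and unset are false."""
    return value is not None and value.lower() in ("1", "on", "true", "yes")


def audit_php_ini(text):
    findings = []
    display = ini_value(text, "display_errors")
    # PHP's compiled-in default is display_errors=1, so unset counts as enabled.
    if display is None or ini_truthy(display):
        findings.append("display_errors enabled (full path disclosure)")
    if not ini_truthy(ini_value(text, "session.cookie_httponly")):
        findings.append("session.cookie_httponly not enabled")
    return findings


def audit_tcp_timestamps(proc_value):
    """proc_value: the contents of /proc/sys/net/ipv4/tcp_timestamps."""
    return [] if proc_value.strip() == "0" else ["net.ipv4.tcp_timestamps is not 0"]


def ssl_protocols_enabled(directive):
    """Resolve an SSLProtocol line (+/- tokens, processed left to right) into
    the set of protocols it leaves enabled."""
    known = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
    enabled = set()
    for tok in directive.split()[1:]:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = known if name.lower() == "all" else {name}
        enabled = (enabled | names) if sign == "+" else (enabled - names)
    return enabled


def audit_apache(text):
    findings = []
    lines = [l.split("#", 1)[0].strip() for l in text.splitlines()]
    if not any(l.startswith("Options") and "-Indexes" in l.split() for l in lines):
        findings.append("no 'Options -Indexes' (directory listing)")
    # Assumption: a missing SSLProtocol directive is treated as 'all'.
    proto = next((l for l in lines if l.startswith("SSLProtocol")), "SSLProtocol all")
    enabled = ssl_protocols_enabled(proto)
    for weak in ("SSLv2", "SSLv3"):  # SSLv3 is the post-2014 caveat, not in the post
        if weak in enabled:
            findings.append(f"{weak} enabled")
    if not any(l.startswith("SetEnvIf Range") for l in lines) or \
       not any(l.startswith("RequestHeader unset Range") for l in lines):
        findings.append("byte-range DoS mitigation missing")
    return findings


def cookie_has_httponly(set_cookie):
    """Check one Set-Cookie header value (e.g. from curl -I) for HttpOnly."""
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    return "httponly" in attrs


def run_audit(php_ini, apache_conf, tcp_timestamps):
    """Combine all checks; an empty list means the configuration passes."""
    return audit_php_ini(php_ini) + audit_apache(apache_conf) + audit_tcp_timestamps(tcp_timestamps)


if __name__ == "__main__":
    print("before:", run_audit(PHP_INI_BEFORE, APACHE_BEFORE, "1\n"))
    print("after: ", run_audit(PHP_INI_AFTER, APACHE_AFTER, "0\n"))
```

The functions take file contents rather than paths so the script runs offline; on a real host, read php.ini, the Apache site configuration and /proc/sys/net/ipv4/tcp_timestamps and pass the text in. The "after" run still reports SSLv3 on purpose, which is the one item on the page a present-day scan would no longer accept.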
