McAfee Security Scan Fails
JonB (YaBB Administrator, running YaBB 2.6.1)
Re: McAfee Security Scan Fails
Reply #12 - Nov 1st, 2010 at 11:28pm
1. Please define what you mean by a subdomain.

2. Is this on your (or a client's) self-hosted server, or on a web host or VPS?
« Last Edit: Nov 1st, 2010 at 11:33pm by JonB »  

I find your lack of faith disturbing.
Demon5
Re: McAfee Security Scan Fails
Reply #11 - Nov 1st, 2010 at 6:57pm
This is what McAfee sent me, and mine IS on a separate subdomain, but it is on the same server as the store. YaBB is making the entire server non-PCI-compliant....

GET /cgi-bin/xxxxxx/YaBB.pl?action=>"><" HTTP/1.1
Host: xxxxxxxxxxxxxxxxx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.14) Gecko/20101001 Firefox/3.5.14 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive

Vulnerable Snippet:

<"" title = "Login" style="padding: 3px 0 4px 0;">

Full RAW Response:

HTTP/1.1 200 OK
Date: Mon, 01 Nov 2010 18:38:43 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: XXXXUser-XXXXX=; path=/; expires=Thursday, 01-Jan-1970 00:00:00 GMT;
Set-Cookie: XXXXPass-XXXXX=; path=/; expires=Thursday, 01-Jan-1970 00:00:00 GMT;
Set-Cookie: XXXXSess-XXXXX=; path=/; expires=Thursday, 01-Jan-1970 00:00:00 GMT;
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 10616
  

The Official Lord of the Net Website
http://www.lordofthe.net
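Added example in Python, not code from the thread or from YaBB (which is Perl), illustrating what the scanner's GET request above is testing. The request puts `>"><"` into `action=`; if that value is written into a double-quoted HTML attribute without encoding, the first `"` closes the attribute and the first `>` closes the tag, and the leftover text is `<"" title="Login" style=...`, the same text as the flagged snippet up to whitespace. The link template below is hypothetical (not YaBB's markup), `TAG_PROBE` is a constructed second payload that shows the breakout opening a new element, and the `HTMLParser` subclass stands in for the browser to check whether the attribute survives intact.

```python
"""Reflected parameter in an HTML attribute: naive interpolation vs escaping.

Added example, not YaBB code. The link template is hypothetical; the first
probe is the value from the scanner request above, the second is constructed.
"""
from html import escape
from html.parser import HTMLParser

SCANNER_PROBE = '>"><"'       # value of action= in the scanner's GET request
TAG_PROBE = '"><b>x</b>'      # constructed: closes the attribute, then injects <b>

# Hypothetical template that reflects the action parameter into an attribute.
LINK = '<a href="YaBB.pl?action={action}" title="Login" style="padding: 3px 0 4px 0;">Login</a>'


def render_link_naive(action: str) -> str:
    """Writes the parameter straight into a double-quoted attribute (the bug)."""
    return LINK.format(action=action)


def render_link_escaped(action: str) -> str:
    """quote=True also encodes " and ', so the value cannot end the attribute."""
    return LINK.format(action=escape(action, quote=True))


class _Walk(HTMLParser):
    """Records start tags (with attributes) and text, as a browser-like parser sees them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, dict]] = []
        self.text: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    def handle_data(self, data):
        self.text.append(data)


def parse(markup: str) -> tuple[list[tuple[str, dict]], str]:
    """Return (start tags, concatenated text) for an HTML fragment."""
    p = _Walk()
    p.feed(markup)
    p.close()
    return p.tags, "".join(p.text)


def attribute_survives(render, probe: str) -> bool:
    """True when exactly one element is produced and its href still holds the whole probe."""
    tags, _ = parse(render(probe))
    return len(tags) == 1 and tags[0][1].get("href") == f"YaBB.pl?action={probe}"


if __name__ == "__main__":
    for probe in (SCANNER_PROBE, TAG_PROBE):
        print(repr(probe), "naive:", attribute_survives(render_link_naive, probe),
              "escaped:", attribute_survives(render_link_escaped, probe))
    print("leftover text after naive breakout:", parse(render_link_naive(SCANNER_PROBE))[1])
```

With the naive template the parser sees the `href` cut off at `YaBB.pl?action=>` and the rest of the probe, plus the template's own `title` and `style`, dumped as text; with the escaped template the attribute round-trips exactly and the `<b>` probe never becomes an element. Attribute-context encoding of the reflected value is the fix a scanner like this is looking for; moving the forum to another hostname changes what the scanner sees, not what the script does.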
Matt Siegman (YaBB Legends, Inactive)
Re: McAfee Security Scan Fails
Reply #10 - Mar 20th, 2010 at 11:13pm
I don't suppose that you have some way of showing us what is required to reproduce this issue? I'm not understanding how this would do anything--although it is possible that something is wrong in the code (I'm not familiar with the Y2 internals on its responses), I would be surprised if user-generated data was contained in HTTP response headers.

Getting rid of newlines in all input would be insane. Then every time you hit <Enter> in the text fields to make new paragraphs in posts, we would have to use something other than a newline character--which is insane!
  

-- Matt Siegman
marcello
Re: McAfee Security Scan Fails
Reply #9 - Mar 16th, 2010 at 6:29pm
Just wanted to let everybody know that moving the forum to its own subdomain got me past the scanner.

I will add the security stuff to the suggestion board (good idea).

I am by no means a Perl expert but the fix in PHP for sanitizing input was not overly complicated. Most likely it's not bad in Perl either.

Thanks again for all the input.

Marcello
  
JonB (YaBB Administrator)
Re: McAfee Security Scan Fails
Reply #8 - Mar 16th, 2010 at 4:16pm
You might want to post that 'fix' idea to the YaBB 3 suggestions board, as it is currently in development.

My opinion: Security is an important consideration, but back-engineering an existing application to fit an unrealistic performance expectation is a poor use of very scarce resources.

Note that YaBB is written in Perl, so retrofitting is not an impossible task. You might be able to create a filter and error handler fairly easily.

As for moving it to a subdomain, I was actually about to suggest that. I 'move off' my forums and blogs to subdomains like 'about', 'more', 'bravo' etc. - I just put them in their own virtual server. So I think that is a good tactic.

Under that scenario, there is NO chance of being hijacked, as long as you break any cross-linking or content-stuffing between the secure and non-secure parts of the site.  (you ARE/will be ensuring they are not using the same credentials, right?)

The smaller you make the secure container, the better controls you will have. In most cases that means the ready-to-process cart, account maintenance (my account) and customer service. The bigger you make that container, the less secure you can be.

PCI compliance IS important, and at some point you have to do a cost-benefit analysis of what the other alternatives are. The cost of compliance can't eat up your bottom line for a site.

Good Luck

Edited:
To show how different the security outlook on YaBB can be, take a look at this topic, where a hack is created that undoes a previously patched hole
http://www.yabbforum.com/community/YaBB.pl?num=1243504409
I noticed it on my last 'patrol' of YaBB here and thought of its relevance to this discussion
« Last Edit: Mar 16th, 2010 at 5:03pm by JonB »  

marcello
Re: McAfee Security Scan Fails
Reply #7 - Mar 16th, 2010 at 7:51am
Thanks a lot for your feedback.
I had a talk with McAfee about this issue and their take is that the application (YaBB) would have to be fixed to prevent hackers from using YaBB.pl to compromise the entire site.

It is not really that we are storing sensitive info in YaBB (we are not), but YaBB could potentially be misused to get to sensitive info on the site.

So YaBB would have to sanitize all user input and remove the following characters in order to be safe (see General Solution in previous post).
%0D
%0A
%0D%0A
\r
\n
\r\n

I had to do a similar exercise to sanitize all php input parameters coming from URLs. e.g. http://website.com/page.php?parameter1=value1&parameter2=value2

YaBB is using a similar mechanism e.g. ...YaBB.pl?num=1268532875;action=post2
The special characters listed above would have to be stripped from these input parameters (they have no practical use in the parameters except for hacking).

There might be a workaround and that is to move the forum to its own subdomain. This will hopefully hide the forum from the security scanner.
BUT IT DOES NOT FIX THE ACTUAL VULNERABILITY. Hackers could use a subdomain as easily as a subdirectory in the doc root.

Marcello
  
JonB (YaBB Administrator)
Re: McAfee Security Scan Fails
Reply #6 - Mar 15th, 2010 at 4:29pm
Not to beat a dead horse, but as a consultant (I'm also the owner of a site) I would have made this recommendation to a client in a situation like yours:

Create an appropriate Privacy Policy for the Forum, irrespective of how you planned to make the member/login decision. This will set proper expectations.

Actively warn against posting anything relating to customer service that is identifiable.

If you are going to support members/logins, ensure that your policies/business rules/logic prevent customers from using the same credentials as are used for your secure applications.

As Captain John noted, general purpose forum software is inappropriate for Customer Service applications.  It is a good place for support and product questions and feedback from customers and the public.  These are in the same scope as blogging or tweeting.  No expectations are elevated this way.

Provided you create proper expectations, and as long as you don't cross-link credentials and/or hotlink between secure and non-secure parts of your site, you should be OK.

Once the language and policies were in place, and any cross-linking removed, you would be able to move the forum to a non-secured environment.

Good Luck with your site, you seem to have the right idea.

 
Captain John (Ex Member)
Re: McAfee Security Scan Fails
Reply #5 - Mar 15th, 2010 at 4:54am
As we stated ... a forum is NOT a place for critical info. NO forum in ANY programming language will provide the security needed for critical credit card or critical customer info.

The YaBB software IS w3c/xhtml compliant and the RSS feed is validated. YaBB software security IS one of the highest evaluated forums in use today. The ONLY other thing that can or could be done is making it P3P compliant and we gave you that info.

Remove the forum from the security blanket and then you only need to have your cart secured.
« Last Edit: Mar 15th, 2010 at 4:57am by »  
marcello
Re: McAfee Security Scan Fails
Reply #4 - Mar 15th, 2010 at 1:08am
Here is some more info on the issue:
As I understand it, all input to the forum would have to be sanitized as described below.

Quote:
Description
HTTP response splitting is the ability for an attacker to modify the headers of an HTTP response due to lack of input validation on requests that are sent to the application server.

A vulnerable web application or web server allows the user to insert a Carriage Return (%0D or \r) and/or a Line Feed (%0A or \n) into the headers of an HTTP response. This is usually done by sending modified requests to the web application and the web application responding with the user supplied data being inserted into a header. The attacker then constructs an attack using a CRLF (Carriage Return-Line Feed) attack that has the client interpret the data as 2 separate responses.

These types of attacks are a means to an end and usually have a payload of:

Cross-User Defacement/Page Hijacking:
The ability for an attacker to affect a single user of a web application usually showing a "defaced" website. The payload is usually session hijacking, page defacement, or account compromise through interception of user credentials.

Cache Poisoning:
The ability for an attacker to affect multiple users of a cache server. This specific situation requires the victims to be using the same proxy/cache server as the attacker and is similar to Cross-User Defacement, except it affects more than one user at a time.

Browser cache poisoning:
This allows an attacker to cache a web page the attacker controls for a long period of time. Whenever the user requests the page again, the malicious cached page is loaded.

Cross-Site Scripting (XSS):
The ability for an attacker to run client side content (such as HTML, Flash, Quicktime and JavaScript) in the domain's context. The payload is usually to exploit the user's browser to compromise the file system and install Trojans and Malware.



Quote:
General Solution
All input that is sent to a web application should not be trusted and should be assumed malicious. Characters such as Carriage Return (CR) and Line Feed (LF) should be removed from all requests before being interpreted by the web application server.

An attacker can also use encoded Carriage Returns and Line Feeds to exploit the web server, and user-specified Carriage Returns and Line Feeds serve no business purpose on a web server. Filter the following characters from all user supplied input:

%0D
%0A
%0D%0A
\r
\n
\r\n
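Added example in Python (the thread's application is Perl, but the mechanism is language-independent); this is not code from McAfee, YaBB or the thread. It builds a redirect whose Location header echoes a request parameter, feeds it a constructed probe shaped like the scanner body in the original post (a value carrying CRLF, extra header lines, a blank line and a body), and parses the result the way a client or cache does, with headers ending at the first blank line. The redirect handler and the `board` parameter are hypothetical. It also shows where the CR/LF filter from the "General Solution" above belongs: on the decoded value at the moment it is written into a header, not on every request parameter, so post bodies keep their newlines (the point raised in Reply #10).

```python
"""HTTP response splitting on the wire, and the header-boundary CR/LF filter.

Added example, not code from the thread, McAfee or YaBB. The redirect handler
and the 'board' parameter are hypothetical; the probe is constructed to
resemble the scanner body quoted in the original post.
"""
from urllib.parse import unquote

# Constructed probe: a percent-encoded value carrying CRLF, two injected
# header lines, a blank line and an attacker-chosen body.
PROBE = ("news%0D%0AContent-Type:%20text/html%0D%0A"
         "Mcafee:%20ResponseSplitting%0D%0A%0D%0A<html>injected</html>")

LEGIT_BODY = "<html>redirecting</html>"


def header_safe(value: str) -> str:
    """Remove CR and LF from a value that is about to be written into a header.

    Runs on the decoded value: by the time a CGI script sees a parameter,
    %0D%0A has already become "\r\n", and a literal "%0D" left in a header is
    plain text to the client. Only header values pass through here; post
    bodies are free to contain newlines.
    """
    return value.replace("\r", "").replace("\n", "")


def build_redirect(param: str, sanitize: bool) -> bytes:
    """Hypothetical redirect handler that echoes a request parameter into Location."""
    value = unquote(param)            # the decoding the web server / CGI layer performs
    if sanitize:
        value = header_safe(value)
    lines = [
        "HTTP/1.1 302 Found",
        f"Location: /YaBB.pl?action=jump;board={value}",
        "Content-Type: text/html; charset=ISO-8859-1",
        "",
        LEGIT_BODY,
    ]
    return "\r\n".join(lines).encode("latin-1")


def first_message(raw: bytes) -> tuple[dict, bytes]:
    """Parse the stream as a client or cache does: headers end at the first blank line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:   # skip the status line
        name, _, val = line.partition(":")
        headers[name.strip()] = val.strip()
    return headers, body


if __name__ == "__main__":
    vuln_headers, vuln_body = first_message(build_redirect(PROBE, sanitize=False))
    safe_headers, safe_body = first_message(build_redirect(PROBE, sanitize=True))
    print("unfiltered   :", vuln_headers, vuln_body[:24])
    print("CR/LF removed:", safe_headers, safe_body)
```

Unfiltered, the client receives an attacker-chosen Content-Type, an extra `Mcafee:` header and the body `<html>injected</html>`, with the real headers and body trailing behind as what looks like a second response; with the filter the whole value stays on one Location line. Modern HTTP libraries refuse such values (Python's `http.client` raises ValueError on CR or LF in a header value), but a CGI script that prints its own headers, which is how YaBB.pl runs per the request quoted in this thread, has no such guard, so the check has to be explicit there.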
  
marcello
Re: McAfee Security Scan Fails
Reply #3 - Mar 14th, 2010 at 4:26pm
I appreciate all your input and I will do more research.

In regard to PCI: it is about credit card security but also includes sensitive customer data. From that point of view even a login to a forum is considered sensitive data.
I had to move the forum to HTTPS for that reason...

I will post back with more info as soon as possible.

Thanks again,
Marcello


  
 
Captain John (Ex Member)
Re: McAfee Security Scan Fails
Reply #2 - Mar 14th, 2010 at 4:31am
JonB is absolutely correct ... the forum should not be within the security wrapper for PCI Compliance, since that standard is not for forums. PCI is the standard for Credit Card transactions, affecting
Quote:
storing “prohibited” PCI data (e.g.,  magnetic stripe , CVV codes, track data etc)

If you really want "P3P Privacy Compliance Standard", you must set up the site as directed here:
http://codex.yabbforum.com/YaBB.pl?num=1192159975
« Last Edit: Mar 14th, 2010 at 4:41am by »  
JonB (YaBB Administrator)
Re: McAfee Security Scan Fails
Reply #1 - Mar 14th, 2010 at 3:15am
Perhaps you could explain the vulnerability to us?

I'm also (personally) a bit lost how a forum wound up inside your security wrapper, generally such things are outside the wrapper.  Maybe that is the real issue here.

Just 'my' opinion...

Good Luck

Edited:
Your PCI certifier/reviewer is the right organization to address this kind of issue with.


Check this link:
http://groups.drupal.org/node/48253

It's a 'similar' issue, BUT it involves the cart - i.e. it IS relevant (even if not a risk)

One last one - a GOOD discussion:
http://blogs.zdnet.com/security/?p=1025
« Last Edit: Mar 14th, 2010 at 3:30am by JonB »  

 
marcello
McAfee Security Scan Fails
Mar 14th, 2010 at 2:14am
We are using McAfee security scan. However, YaBB fails the scan with an HTTP Response Splitting error.
This error prevents us from displaying the McAfee Secure image (see below)

And we would never pass a PCI scan.

I am totally stuck on this one and I may have to take the forum down all together...

Below is some more info on the type of error McAfee is complaining about.
Quote:
Vulnerability Detail
Device: www.mmdesign.com (74.124.198.84)
Vulnerability: HTTP Response Splitting
Port: 443/tcp
Scan Date: 12-MAR-2010 06:23

URL
Protocol: https
Port: 443
Read Timeout: 10000
Method: POST
Path: /yabb2_4/YaBB.pl
Query: action=jump
Headers: Referer=http%3A%2F%2Fwww.mmdesign.com%2Fyabb2_4%2FYaBB.pl
Content-Type=application%2Fx-www-form-urlencoded
Body: values= Content-Type: text/html Mcafee: ResponseSplitting Content-Type: text/html
formsession=072A3020102C3B63052C31362E0436263037430


Any help is greatly appreciated,

Marcello
  