On Tue, Jun 02, 2009 at 10:01:02AM -0500, Skip Evans wrote:

> Hey all,
>
> Some may remember my question awhile back about ensuring all
> CC forms are behind https. I've always put them so, but I've
> taken over maintenance on a site that did not and have since
> corrected the problem.
>
> Now the client is going for PCI compliance as a requirement by
> their credit card processor and we have been dealing with
> issues determined to be risks by Security Metrics, most of which
> were legit (except one thinking IIS was running on a Linux
> server!), but this one has me scratching my head.
>
> The original programmer created the following in the system's
> .htaccess file:
>
> RewriteCond %{REQUEST_FILENAME} !-f
> RewriteCond %{REQUEST_FILENAME} !-d
> RewriteRule .* index.php
>
> ...which sends any incorrect URL to the home page, correct?
> But Security Metrics, as part of their test, ran two URLs
> through the system that, while both displaying the home page,
> had different things in the header, which they flagged as an
> issue. Here is their explanation below, but my question is,
> why is this considered a security risk, and what suggestions
> might some of you have to correct it?
>
> Thanks much!
> Skip
>
> ----------------------
> The reason why this issue is being flagged is simply that both
> links should bring you to the same page, but if you look at the
> HTTP header response (http://www.ranghart.com/cgi-bin/?D=A) it
> returns a 403 forbidden even though it still takes you to the
> main site page, while the other URL
> (http://www.ranghart.com/cgi-bin/%3fD=A) is returning a 200
> OK when it is the same page as the URL that is returning a
> 403. You will need to make sure that the pages are responding
> in the same way to correct this issue.
> ---------------------

I can't answer your question, but let me just sympathize. I'm a MOTO
merchant, meaning I never see an actual credit card. But I don't do any
credit card transactions online.
It's all done with a little dialup gizmo in my office. But I keep
credit card numbers on one of our servers, behind a firewall, blah blah
blah. I just had to take a stupid PCI compliance test comprising upwards
of 200 questions. Not only that, but I have to *pay* for the test and be
penalized if I don't take it. If I didn't have to take credit cards to
stay in business, I'd tell the credit card companies to go pound sand.

Paul

-- 
Paul M. Foster

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
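The check Security Metrics describes in Skip's mail, written out as an added example that is not part of this thread: group URLs by the resource they name once percent-encoding and the query string are stripped away, then flag any group whose members answered with different status codes. The two URLs and the 403/200 pair are the ones quoted above; the contact.php observations are constructed for contrast, and the scanner's real logic is assumed, not known. The point of the grouping is that `%3f` decodes to a literal `?`, so to a person the two links look like one page, while to the server the first is a directory (the `!-d` condition in the quoted rewrite rule does not fire, so the request never reaches index.php and the directory itself answers 403) and the second is a non-existent file name that the rule rewrites to index.php with a 200. The mismatch tells an observer which paths are real directories on the server, which is why a scanner wants both spellings to respond the same way.

```python
import urllib.parse
from collections import defaultdict

# Constructed sample: the two URLs and status codes Security Metrics
# reported in Skip's mail, plus one made-up consistent pair for contrast.
OBSERVATIONS = [
    ("http://www.ranghart.com/cgi-bin/?D=A", 403),
    ("http://www.ranghart.com/cgi-bin/%3fD=A", 200),
    ("http://www.ranghart.com/contact.php", 200),       # constructed
    ("http://www.ranghart.com/contact.php?D=A", 200),   # constructed
]


def canonical_key(url):
    """Reduce a URL to the resource it names: scheme and host case-folded,
    the path percent-decoded once, and anything from the first '?' onward
    dropped. Decoding turns %3f into a literal '?', so '/cgi-bin/%3fD=A'
    and '/cgi-bin/?D=A' map to the same key even though a web server
    treats the first as a file name and the second as a directory plus a
    query string."""
    parts = urllib.parse.urlsplit(url)
    path = urllib.parse.unquote(parts.path).split("?", 1)[0]
    return (parts.scheme.lower(), parts.netloc.lower(), path)


def find_inconsistent(observations):
    """Group (url, status) pairs by canonical resource and return, keyed by
    path, every group whose members did not all answer with the same
    status code. Those are the cases a compliance scanner flags: the
    server behaves differently for two spellings of one resource."""
    groups = defaultdict(list)
    for url, status in observations:
        groups[canonical_key(url)].append((url, status))
    return {
        key[2]: members
        for key, members in groups.items()
        if len({status for _, status in members}) > 1
    }


if __name__ == "__main__":
    for path, members in find_inconsistent(OBSERVATIONS).items():
        print(f"inconsistent responses for {path}:")
        for url, status in members:
            print(f"  {status}  {url}")
```

To run it against a live site, replace OBSERVATIONS with pairs collected from the status line of `curl -sI <url>` for each spelling the scanner tried; a fix is verified when the function returns an empty dict for the affected paths.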