PriMoThemes — now s2Member® (official notice)

This is now a very OLD forum system. It's in READ-ONLY mode.
All community interaction now occurs at WordPress.org. See: new forums @ WordPress.org


PCI Compliance Script Issues

Post by jfmetcalf1 » December 2nd, 2011, 10:35 pm

We are currently running 111029 and we are hitting a wall with the PCI scan. It's been brought to our attention that we should see if you have a possible fix for your script.

Here is a copy of part of the scan that involved s2Member Pro

XSS is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An attacker can use this vulnerability to completely alter the layout of a particular page for a specific user or to force the user to launch malicious JavaScript.

Cross-site scripting occurs when user input is not properly encoded by the application prior to display back to the user. In order to fix this issue, the application developers must encode most non-alphanumeric user-supplied data into their corresponding HTML characters before the data is displayed back to the user. For example, " would convert to &quot; and < would convert to &lt;.

There are built-in functions for different languages that may do the encoding for you. In PHP you can use the htmlspecialchars() function. In .NET you can use the Server.HtmlEncode() function.


Please reach out as soon as you can.

Thanks,
Jeremy
jfmetcalf1
Registered User
Posts: 9
Joined: December 2, 2011

Re: PCI Compliance Script Issues

Post by Cristián Lávaque » December 4th, 2011, 2:02 am

Thanks Jeremy. Could you show us where in s2Member that is the case so we look into it? :)
Cristián Lávaque http://cristianlavaque.com
Is s2Member working for you? Please rate it at WordPress.org. Thanks! :)

Cristián Lávaque
Developer
Posts: 6836
Joined: December 22, 2010

Re: PCI Compliance Script Issues

Post by jfmetcalf1 » December 4th, 2011, 6:22 am

From what I received from the scan, it looks to be a cross-site script from a web service called Fritko. Here is a copy/paste of the scan result. And thanks for the assistance on it.

Cross-Site Scripting
Web Services :: Fritko
ID: 300004
Port: TCP:80
Risk: 3
Path: /member-registration

XSS is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An attacker can use this vulnerability to completely alter the layout of a particular page for a specific user or to force the user to launch malicious JavaScript.

Cross-site scripting occurs when user input is not properly encoded by the application prior to display back to the user. In order to fix this issue, the application developers must encode most non-alphanumeric user-supplied data into their corresponding HTML characters before the data is displayed back to the user. For example, " would convert to &quot; and < would convert to &lt;.

There are built-in functions for different languages that may do the encoding for you. In PHP you can use the htmlspecialchars() function. In .NET you can use the Server.HtmlEncode() function.

Solution:
There are built-in functions for different languages that may do the encoding for you. In PHP you can use the htmlspecialchars() function. In .NET you can use the Server.HtmlEncode() function.

Re: PCI Compliance Script Issues

Post by jfmetcalf1 » December 6th, 2011, 5:03 am

Anything on this yet?

Re: PCI Compliance Script Issues

Post by jfmetcalf1 » December 9th, 2011, 5:27 am

Anyone around here?

Re: PCI Compliance Script Issues

Post by Jason Caldwell » December 10th, 2011, 12:38 am

Thanks for the heads up on this thread.
~ and thanks for reporting this important security issue.

Interesting. s2Member does not interact with this service:

    Web Services :: Fritko

What PCI scanning service are you using please?
Also, what you posted prior is a general outline of the issue that was detected. It does not point to anything specific, nor does it isolate the issue to s2Member. Please check your full PCI compliance scan and associated reports. Look for the exact test your scanning service performed, which would allow you to reproduce the issue. For XSS, this would normally include a URL with a particular query string.

    Path: /member-registration
    ( not enough to go on )

* Note: we are not currently aware of any XSS vulnerability in s2Member or s2Member Pro. However, if you have a report that indicates there is, please post that information. We'll be happy to review it.
~ Jason Caldwell / Lead Developer
& Zeitgeist Movie Advocate: http://www.zeitgeistmovie.com/

Is the s2Member plugin working for you? Please rate s2Member at WordPress.org.
You'll need a WordPress.org account ( comes in handy ). Then rate s2Member here.

Jason Caldwell
Lead Developer
Posts: 4045
Joined: May 3, 2010
Location: Georgia / USA

Re: PCI Compliance Script Issues

Post by jfmetcalf1 » December 17th, 2011, 7:29 pm

I hope this helps. This is exactly, line by line, from the scan. I am still attempting to get more information from the company that did the scan.


Threat ID: 300004
Port: 80
Threat Name: Cross-Site Scripting
Risk Level: High (3)
Details:
IP Address: 50.56.134.155
Host: www.protectanddefend.org
Path: /member-registration

THREAT REFERENCE

Summary:
Cross-Site Scripting

Risk: High (3)
Type: Fritko
Port: 80
Protocol: TCP
Threat ID: 300004

Information From Target:
Regular expression ".{0,1}'.{0,1}"> " matched contents of /member-registration.

Query Parameters
• s2member_pro_authnet_checkout[card_start_date_issue_number] -
• s2member_pro_authnet_checkout[card_number] -
• s2member_pro_authnet_checkout[card_verification] -
• s2member_pro_authnet_checkout[first_name] -
• s2member_pro_authnet_checkout[city] -
• s2member_pro_authnet_checkout[email] -
• s2member_pro_authnet_checkout[username] -
• s2member_pro_authnet_checkout[last_name] -
• s2member_pro_authnet_checkout[state] -
• s2member_pro_authnet_checkout[street] -
• s2member_pro_authnet_checkout[card_expiration] -
• s2member_pro_authnet_checkout[card_type] - Amex
• s2member_pro_authnet_checkout[zip] -
• s2member_pro_authnet_checkout[attr] - fnIyOnpzemxGcHAweTBRZ3dDcnBVNXBlS3h3VnAwUEZSbmdxfHY4vzbG8zG1HqGghS4C92GV43VRKFftAc5MyQI_mDEZaBmIN4p7
• s2member_pro_authnet_checkout[password2] -
• s2member_pro_authnet_checkout[coupon] - '">
• s2member_pro_authnet_checkout[nonce] - b45185b09d
• s2member_pro_authnet_checkout[password1] -
Solution:
There are built-in functions for different languages that may do the encoding for you. In PHP you can use the htmlspecialchars() function. In .NET you can use the Server.HtmlEncode() function.

Details:

XSS is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts.

An attacker can use this vulnerability to completely alter the layout of a particular page for a specific user or to force the user to launch malicious JavaScript.

Cross-site scripting occurs when user input is not properly encoded by the application prior to display back to the user. In order to fix this issue, the application developers must encode most non-alphanumeric user-supplied data into their corresponding HTML characters before the data is displayed back to the user. For example, " would convert to &quot; and < would convert to &lt;.

There are built-in functions for different languages that may do the encoding for you. In PHP you can use the htmlspecialchars() function. In .NET you can use the Server.HtmlEncode() function.

Re: PCI Compliance Script Issues

Post by Jason Caldwell » December 18th, 2011, 11:18 am

Thanks for the follow-up.

I'm not aware of any issue in this regard. All of these variables are sanitized by s2Member before they are used and/or displayed back to the user. Your report indicates otherwise. If you have more information you can provide, we'll be happy to have a look. This list just shows the variables, it doesn't show the vulnerability being reproduced yet. I suspect this is a false positive.
• s2member_pro_authnet_checkout[card_start_date_issue_number] -
• s2member_pro_authnet_checkout[card_number] -
• s2member_pro_authnet_checkout[card_verification] -
• s2member_pro_authnet_checkout[first_name] -
• s2member_pro_authnet_checkout[city] -
• s2member_pro_authnet_checkout[email] -
• s2member_pro_authnet_checkout[username] -
• s2member_pro_authnet_checkout[last_name] -
• s2member_pro_authnet_checkout[state] -
• s2member_pro_authnet_checkout[street] -
• s2member_pro_authnet_checkout[card_expiration] -
• s2member_pro_authnet_checkout[card_type] - Amex
• s2member_pro_authnet_checkout[zip] -
• s2member_pro_authnet_checkout[attr] - fnIyOnpzemxGcHAweTBRZ3dDcnBVNXBlS3h3VnAwUEZSbmdxfHY4vzbG8zG1HqGghS4C92GV43VRKFftAc5MyQI_mDEZaBmIN4p7
• s2member_pro_authnet_checkout[password2] -
• s2member_pro_authnet_checkout[coupon] - '">
• s2member_pro_authnet_checkout[nonce] - b45185b09d
• s2member_pro_authnet_checkout[password1]

Re: PCI Compliance Script Issues

Post by jfmetcalf1 » December 18th, 2011, 12:42 pm

Thanks again for looking into this. I have submitted a support ticket with our people to run our own PCI Scan so we have a clear visual on the hits. I will be in touch soon.

Jeremy

Re: PCI Compliance Script Issues

Post by jfmetcalf1 » December 19th, 2011, 10:22 pm

I received information back from our PCI Scan:

Jeremy



I have attached proof of concept that the cross-site scripting threat is legitimate. I was able to pop it on the www.protectanddefend.org/member-registration page. Just some background information that may assist your developers: I was able to manually verify the cross-site scripting by using a proxy and intercepting the request. Once I intercepted the request, I was able to change the s2member_pro_authnet_checkout[card_type] to "Amex" (American Express isn't one of the selectable options originally) and I was also able to insert the script into the s2member_pro_authnet_checkout[coupon] parameter.

Chris Martin
Sr. Security Analyst
ControlScan, Inc.

Re: PCI Compliance Script Issues

Post by Jason Caldwell » December 20th, 2011, 6:41 am

Thank you very much. Investigating now.

Re: PCI Compliance Script Issues

Post by Jason Caldwell » December 20th, 2011, 8:52 am

Investigation completed.
Thanks for reporting this important issue.

1. Proxy Coupon Code with special chars.
Fixed in development copy. Coming in release of 111220 later today.

2. Card Type = Amex, against accept attribute.
Fixed in development copy. Coming in release of 111220 later today.

Re: PCI Compliance Script Issues

Post by Jason Caldwell » December 20th, 2011, 11:36 am

Resolved in s2Member and s2Member Pro v111220.
http://wordpress.org/extend/plugins/s2member/changelog/

v111220

(s2Member Pro) Security fix. PayPal® Pro and Authorize.Net® Forms were vulnerable to an XSS attack, reproducible with a Coupon Code containing special characters. Discovered by ControlScan™. Fixed in this release. For further details, please see this thread.

(s2Member Pro) Security hardening. s2Member's Systematics routine hardened against a possible attack coming from a spoofed IP address matching that of the installation server itself. For further details, please see this thread.

(s2Member Pro) Security hardening. PayPal® Pro and Authorize.Net® Forms hardened against a possible attack against card types. Discovered by ControlScan™. For further details, please see this thread.

99% Resolved ( awaiting confirmation )
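The two findings in this thread are a textbook pair: a value reflected into an HTML attribute without encoding (the coupon code), and a client-side choice list that the server trusted (the card type). The block below is an added example written for this thread; it is not s2Member's code and is in Python rather than the plugin's PHP. It reproduces the scanner's check from the report (the `'">` probe in the coupon field and the regular expression `.{0,1}'.{0,1}">` matched against the response), shows a vulnerable render beside one using attribute-context encoding (the `html.escape` counterpart of the `htmlspecialchars()` the scan's solution text recommends), and adds a server-side allowlist for `card_type` of the kind the "accept attribute" fix describes. The field markup, the accepted card list and the sample request are constructed assumptions, not taken from the plugin.

```python
import html
import re

# Card types the form's accept list permits. Constructed for this example;
# the real list is configured per form and is not taken from the thread.
ACCEPTED_CARD_TYPES = frozenset({"Visa", "MasterCard", "Discover"})

# The check the scan reported: it submitted '"> in the coupon field and
# looked for that sequence reflected, unencoded, in the /member-registration
# response. Pattern copied from the report (trailing whitespace dropped).
SCANNER_PATTERN = re.compile(r".{0,1}'.{0,1}\">")

COUPON_FIELD = "s2member_pro_authnet_checkout[coupon]"
CARD_TYPE_FIELD = "s2member_pro_authnet_checkout[card_type]"


def render_coupon_field_vulnerable(coupon: str) -> str:
    """Reflects the submitted value straight into an attribute (the pre-fix
    behaviour the scan flagged). Markup is an assumption, not the plugin's."""
    return f'<input type="text" name="{COUPON_FIELD}" value="{coupon}" />'


def render_coupon_field_fixed(coupon: str) -> str:
    """Same field with attribute-context encoding. html.escape(quote=True)
    encodes & < > " and ', the equivalent of htmlspecialchars() with
    ENT_QUOTES in PHP."""
    safe = html.escape(coupon, quote=True)
    return f'<input type="text" name="{COUPON_FIELD}" value="{safe}" />'


def scanner_flags(response_html: str) -> bool:
    """True when the scanner's regular expression matches the response body,
    i.e. when the probe came back with its quote characters intact."""
    return SCANNER_PATTERN.search(response_html) is not None


def validate_card_type(card_type: str) -> str:
    """Server-side allowlist for the card type. The <select> in the browser
    is not a control: the analyst changed it to "Amex" with an intercepting
    proxy, so the server must re-check the value against its own list."""
    if card_type not in ACCEPTED_CARD_TYPES:
        raise ValueError(f"card_type {card_type!r} is not an accepted card type")
    return card_type


def handle_checkout(params: dict) -> dict:
    """Processes one submitted checkout: rejects a card type outside the
    allowlist and renders the coupon field with encoding. Returns the
    outcome so a caller (or test) can inspect it."""
    result = {"errors": [], "html": ""}
    try:
        validate_card_type(params.get(CARD_TYPE_FIELD, ""))
    except ValueError as err:
        result["errors"].append(str(err))
    result["html"] = render_coupon_field_fixed(params.get(COUPON_FIELD, ""))
    return result


if __name__ == "__main__":
    # Constructed request mirroring the two parameters the analyst modified.
    probe = {CARD_TYPE_FIELD: "Amex", COUPON_FIELD: "'\">"}
    coupon = probe[COUPON_FIELD]
    print("vulnerable render flagged:", scanner_flags(render_coupon_field_vulnerable(coupon)))
    print("fixed render flagged:     ", scanner_flags(render_coupon_field_fixed(coupon)))
    print("checkout outcome:", handle_checkout(probe))
```

Running it shows the scanner's regular expression firing on the unencoded render and staying silent on the encoded one, and the "Amex" submission being rejected before any payment call. Encoding, not rejection, is the right fix for the coupon: a coupon containing an apostrophe is legitimate data, and it is only dangerous once it is written into HTML unencoded; the allowlist is the right fix for the card type because the server, not the browser's option list, owns that decision.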

Re: PCI Compliance Script Issues

Post by jfmetcalf1 » December 20th, 2011, 5:31 pm

I personally wanted to thank you for such a quick resolve on this. I have turned it back over to ControlScan to run hopefully a final scan on this matter. I will update if there are any more findings.


Jeremy

Re: PCI Compliance Script Issues

Post by jfmetcalf1 » December 20th, 2011, 8:04 pm

Cross-site scripting was resolved on the PCI scan. Thank you for the assistance.

Jeremy

Re: PCI Compliance Script Issues

Post by Jason Caldwell » December 20th, 2011, 8:16 pm

Resolved. Thanks for the confirmation.
~ You're very welcome.

100% Resolved