No momento, estamos tentando alcançar a conformidade com a PCI usando o scanner de vulnerabilidade da Trustwave.
A versão do Magento é 1.5.1.0, rodando no CentOS 5.
Estamos reduzidos à última edição, de acordo com o relatório de Conformidade com PCI. Discutimos o problema, mas eles recusaram. Aqui estão os detalhes:
Problema:
The version of PHP running on this host is prone to a stack-based
buffer overflow in the socket_connect function in
ext/sockets/sockets.c which could allow context-dependent attackers to
execute arbitrary code via a long pathname for a UNIX socket.
This vulnerability has been addressed in a soon to be released version
of PHP, however, backported fixes to this issue may exist. Your vendor
should be contacted to determine if a solution is currently present.
Alternatively, removing the use of the socket_connect function from
all PHP applications will also mitigate this issue.
Minha disputa
(como em todos os outros problemas, enviei uma lista das versões exatas que estamos usando).
Apache: httpd-2.2.3-45.el5.centos.1
PHP: php-common-5.3.6-3.el5.art php-5.3.6-3.el5.art
php-mbstring-5.3.6-3.el5.art php-pear-1.7.2-2.el5.art
SSL: mod_ssl-2.2.3-45.el5.centos.1
SSH: openssh-4.3p2-72.el5_6.3 openssh-server-4.3p2-72.el5_6.3
Motivo da declinatura
We have denied this dispute based on the information provided
indicating that php-5.3.6-3.el5.art is running on this system.
Documentation showing that this version addresses php-5.3.6-3.el5.art
could not be found.
Please re-dispute this vulnerability and provide more detail or
evidence that this version has successfully addressed this finding
(such as by providing a vendor supplied link along with an
explanation/statement showing that this version addresses
CVE-2011-1938).
CVE Link http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1938
Estávamos nos perguntando se alguém conseguiu contornar esse problema com os testadores de vulnerabilidades do Magneto 1.5.1.0 e do PCI?
Nosso provedor de serviços (host da Web) gentilmente nos deu essa resposta:
Magento uses socket_connect quite extensively I believe. As I said in
a previous mail, I believe that Red Hat have de-prioritised the
urgency of patching this particular bug and as of yet, have not fixed
it.
https://www.redhat.com/security/data/cve/CVE-2011-1938.html
"The Red Hat Security Response Team has rated this issue as having low
security impact, a future update may address this flaw."
The fix has not been implemented in the Atomic Corp versions of the
packages either. I guess the next step may be to consider compiling
PHP from the Atomic source packages and manually fixing the bug, but
it may not be enough to satisfy the auditors without supporting
documentation from a recognised security body.
Esperamos que alguém tenha se deparado com esse problema antes e conheça uma solução alternativa.