#1 - 06-06-2011, 09:57 AM
3dCart User | Join Date: Nov 2009 | Posts: 87

FTP And PCI Compliance

Back on August 17, 2010, I suggested to 3dcart (Ticket ID WBM-544060) that they support SFTP, and allow us to disable regular FTP, in order to enhance security. At the time, I was told that this feature request would be forwarded to the developers.

Several days ago, my site failed the McAfee PCI Compliance scan, because of the following vulnerability:

FTP Supports Clear Text Authentication.

The remote FTP server allows the user's name and password to be
transmitted in clear text, which may be intercepted by a network
sniffer, or a man-in-the-middle attack.

Switch to SFTP (part of the SSH suite) or FTPS (FTP over SSL/TLS). In
the latter case, configure the server such that control connections are
encrypted.

When I brought this to the attention of 3dcart technical support, I was advised to give them my McAfee login credentials, and they would enter this as a false positive. Obviously, I didn't do this, and argued that this was NOT a false positive, but was an actual vulnerability that prevents PCI Compliance. After a fair amount of back and forth, I was told, "In that case, the resolution for this issue will need to wait until we have implemented SFTP or FTPS in a future release. I will close this ticket for now."

Frankly, I am amazed by this response. 3dcart makes a lot of noise about being PCI Compliant. How can any 3dcart store be truly PCI Compliant, without supporting SFTP or FTPS? How are the rest of you dealing with this issue?
__________________
www.stsi.com
Network Infrastructure and Fiber Optics (AMP/Tyco, APC, Belden, Corning, Hubbell, Leviton, Ortronics, Panduit), Audio, Computer, and Video Cables, and much more!
#2 - 06-07-2011, 12:24 AM
3dcart Geek | Join Date: Jun 2010 | Posts: 639

We had a similar issue come up back when we first switched over to 3dCart. We gave 3dC support our scanning login information as requested, they confirmed it was a False Positive and we forwarded this information over to our scanning company. They agreed it was a False Positive as well and our scans have been fine ever since.
#3 - 06-07-2011, 07:46 AM
3dCart User | Join Date: Nov 2009 | Posts: 87

Quote (Originally Posted by piaf):
We had a similar issue come up back when we first switched over to 3dCart. We gave 3dC support our scanning login information as requested, they confirmed it was a False Positive and we forwarded this information over to our scanning company. They agreed it was a False Positive as well and our scans have been fine ever since.

We have had true false positives as well, but I really don't think this is a false positive. The PCI Compliance standards are pretty clear on this issue. Plain text authentication of ftp is a Level 4 (Critical) issue for PCI. Since that's exactly what 3dcart does, without offering SFTP as an option, I don't see how this can't be considered a true vulnerability.
#4 - 06-08-2011, 11:03 PM
3dCart User | Join Date: Apr 2011 | Posts: 95

I'm having the same problem with McAfee. So I need to open a ticket so that 3dcart can note it as a false negative?
#5 - 06-09-2011, 06:38 AM
3dCart User | Join Date: Nov 2009 | Posts: 87

Quote (Originally Posted by sisbrown34):
I'm having the same problem with McAfee. So I need to open a ticket so that 3dcart can note it as a false negative?

According to 3dcart technical support, you need to open a ticket so that they can help you report this as a false positive to McAfee. According to ME, 3dcart needs to fix this vulnerability, since it is NOT a false positive, and prevents any 3dcart store from being PCI compliant.
#6 - 06-09-2011, 10:41 AM
Administrator | Join Date: Jul 2010 | Posts: 151

Hi Craig60

PCI compliance standards dictate that systems used for processing, storing and transmitting credit card data must be contained in a secured network environment.

Access to the source ASP files which control the store’s functionality - including payment gateway integration and data handling - is completely off limits. This is why downloading an ASP file from your root folder will error out. They’re simply off limits. Furthermore, as part of our compliance with PCI standards, the credit card information itself is NEVER actually stored by the store’s source coding. We merely pass the information to the gateways and their respective modules (when applicable) for processing.

With that being said, the FTP access you are granted with 3dcart is strictly for the uploading and maintenance of site design files. The only files that can be accessed, retrieved and edited via FTP are basically images, theme templates, CSS and various javascript files that control the look and feel of your site. These types of files fall outside of the realm of PCI compliance standards. Therefore, it is not necessary to have the FTP credentials transmitted in Secure FTP, simply because the actual source code is protected at the server level.

Unfortunately, the standard PCI scans available with services such as McAfee don’t generally delve into the FTP access this deeply. They merely see that the credentials are transmitted in cleartext and return with the notification that the server is not compliant. However, if the scan were to somehow try to actually ACCESS the source code, it would be unable to. This is why we generally refer to these notices as “false positives.”

When we receive a ticket in regards to these scans, we generally run a scan on your behalf with your McAfee credentials. We then reach out to McAfee, explain the situation to them so they review the data themselves and they will then mark the result as a false positive. You can also do this yourself, but to save time we usually do it for you as a courtesy since we are in a better position to provide McAfee with any server information they might need to confirm their findings.

If the concern is with providing us with your McAfee login credentials, then might I suggest creating a different profile on your McAfee account JUST for 3dcart technical support (if possible)? Or perhaps temporarily change your McAfee login just for our use. This way, we can still run the scan on your behalf, inform McAfee of the situation and correct this for you. Then, after all is said and done, you can simply remove the second profile or reset your password without ever having to divulge your original login information. I fully understand your reluctance to provide login credentials, but I assure you we only ask for them in order to intervene on your behalf as a courtesy.

Again, you can likely reach out to McAfee personally and have them clear this up for you. However, if you run into any issues with them, we can still go the Support Ticket route. If necessary, McAfee can review our PCI credentials at the following link.

VISA PCI Compliant Shopping Cart | About 3DCart Shopping Cart Software
#7 - 06-09-2011, 11:13 AM
3dCart User | Join Date: Nov 2009 | Posts: 87

Henry,

Thank you very much for the extremely detailed explanation. Based on this information, it appears to me that even though this vulnerability exists, it is OUT OF SCOPE for PCI Compliance. (As opposed to being a true false positive.) I was concerned that technical support appeared to be trying to cover this up, rather than dealing with the actual vulnerability. Your explanation seems to acknowledge the vulnerability, but places it outside the scope of PCI compliance. And that is a satisfactory answer for me. (I hope it's acceptable to McAfee.) I have passed this information on to McAfee, and I will report back on the results.

Thanks again for taking the time to respond.
#8 - 06-10-2011, 08:47 AM
3dCart User | Join Date: Nov 2009 | Posts: 87

Well, McAfee did indeed accept Henry's explanation regarding this issue. (And they marked this as a false positive, just as Henry said they should.) Once again, I want to thank Henry for the detailed explanation as to why this vulnerability is outside the scope of PCI. That helped a lot!

If anyone else has this problem, I suggest they cut and paste the information that Henry gave me, and pass it on to McAfee.
#9 - 06-13-2011, 12:38 PM
3dCart Newbie | Join Date: Oct 2010 | Posts: 10

McAfee did not accept Henry's explanation for me

Hello,

When I ran an on-demand scan for PCI compliance I was surprised to find my site no longer in compliance. I was even more disappointed to hear that 3dcart was aware of the issue (which has been present since the end of May); however, it has not notified its users.

In my request to McAfee to list this as a false positive, I included Henry's explanation and this was their response:

Thank you for contacting McAfee Secure Support.

We understand that the FTP server is used only for transferring files used by your customers and there is NO sensitive data transmission.

However, the vulnerability is NOT related to files stored on the server. The FTP server may or may not have sensitive data.

'FTP Supports Clear Text Authentication' vulnerability is related to FTP service which does not use any encryption mechanism in its data transmission and is NOT related to a specific file.

'FTP supports clear text authentication' vulnerability is considered critical according to the PCI council. PCI compliance states that no unencrypted protocols can be used. Further, transfer of authentication credentials over an unsecured channel is not allowed and as an ASV we have to abide by PCI regulation.

The reason behind this is, it is very easy to intercept and read the clear text FTP Username and Password by sniffing. Having this information, anyone can upload, modify, delete, or abuse a website, database, etc. Many hosting companies still use FTP for their clients. The PCI Council is downgrading this practice, and mandates more secure channels to be used.

On 31 May 2011 the CVSS2 score for FTP Server Clear Text Authentication was raised to 7.5. This is now 'Critical'. McAfee does not rate or rank PCI vulnerabilities. The PCI Council using the industry standard CVSS2 rates and ranks all vulnerabilities as they pertain to PCI.

You can fix this vulnerability by switching to SFTP (part of the SSH suite) or FTPS (FTP over SSL/TLS). In the latter case, configure the server such that control connections are encrypted.

Alternately, you may use a firewall to restrict FTP access, allowing access only from specific IPs.

Please feel free to contact us if you have any additional questions.

I am not really sure what the next step is... have 3dcart contact McAfee? Wait for a 3dcart solution?

Mike
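As an added example (not from this thread, nor from 3dcart or McAfee), here is a small Python check of the kind an ASV scan performs behind the 'FTP Supports Clear Text Authentication' finding: it connects to an FTP control port, sends AUTH TLS (RFC 4217) before any login, and reports whether the server offers to encrypt the control channel, which is the FTPS fix McAfee describes above. No credentials are sent; the fake server and its reply lines are constructed so the check runs offline.

```python
import socket
import threading

# Constructed FTP reply lines for the offline demo (not captured from any real host).
BANNER = b"220 demo FTP service ready\r\n"
REPLY_TLS = b"234 AUTH TLS successful\r\n"          # server can encrypt the control channel
REPLY_NO_TLS = b"502 Command not implemented\r\n"   # login would have to go in clear text


def read_reply(sock):
    """Read one FTP reply line and return its 3-digit code (0 if malformed)."""
    data = b""
    while not data.endswith(b"\r\n"):
        chunk = sock.recv(512)
        if not chunk:
            break
        data += chunk
    return int(data[:3]) if data[:3].isdigit() else 0


def assess_ftp_control(host, port, timeout=5.0):
    """Return 'ftps' if the server accepts AUTH TLS (RFC 4217) before login,
    'cleartext-only' if it refuses; the latter is what a scanner reports as
    'FTP Supports Clear Text Authentication'. No username or password is sent."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if read_reply(sock) != 220:
            return "no-ftp-banner"
        sock.sendall(b"AUTH TLS\r\n")
        code = read_reply(sock)
        sock.sendall(b"QUIT\r\n")
    return "ftps" if code == 234 else "cleartext-only"


def fake_ftp_server(auth_reply):
    """Constructed one-connection FTP control-channel stub on localhost, so the
    check can be exercised offline; returns the bound port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(BANNER)
            conn.recv(64)             # AUTH TLS from the client
            conn.sendall(auth_reply)
            conn.recv(64)             # QUIT (or EOF)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Run `assess_ftp_control` against your own store's FTP host on port 21 to see which of the two replies it gives; a 'cleartext-only' result means the scan finding will recur until the server offers FTPS or SFTP.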
#10 - 06-13-2011, 01:48 PM
3dCart User | Join Date: Nov 2009 | Posts: 87

Ouch! That hurts. Well, apparently we (3dcart store owners) are back to square one. I'll wait for an official 3dcart response again, but my feeling is that the days of this vulnerability being accepted as a false positive are over.

I can certainly see how this could be a problem though. What if a hacker were to sniff the username/password for the store, and then replace the store's pages with his own pages that requested confidential information? That would constitute a significant security breach.

I was told by 3dcart technical support that SFTP support was due in the next few months, but that's a long time...