
How do I fix this Trustwave complaint on Phorum?

Posted by Ulf Dunkel 
January 11, 2012 06:20AM
I run Phorum on some websites which are regularly scanned by Trustwave for security reasons related to credit card handling. Every time, the scan fails because of this issue:

Virtual Hosts: [www.calamus.net]
Session Cookie: phorum_admin_session
URL: /phorum/admin.php

Details:
Ruby on Rails Session Fixation Vulnerability

Severity: Medium
PCI Status: Fail
CVE: CVE-2007-5380, CVE-2007-6007

Description:
Session fixation vulnerability in Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers to hijack web sessions via unspecified vectors related to "URL-based sessions."

Remediation:
Upgrade to Ruby on Rails version 1.2.6 or newer and set 'config.action_controller.session_options[:cookie_only]' to 'true' in the 'config/environment.rb' file (if it is not already).


When I check my server for Ruby on Rails, it tells me this:
Quote

# ruby --version
ruby 1.9.2p290 (2011-07-09 revision 32553) [x86_64-linux]
# rails --version
The program 'rails' is currently not installed. You can install it by typing:
apt-get install rails


I wonder if this scan issue report is bullshit, or if I have to install Rails at all?

Regards, Ulf Dunkel
Re: How do I fix this Trustwave complaint on Phorum?
January 11, 2012 06:36AM
It's bullshit, simply because Phorum doesn't have anything to do with Rails. I'd say it's a false positive ;-).


Thomas Seifert
Re: How do I fix this Trustwave complaint on Phorum?
January 11, 2012 06:47AM
This is what I have suggested. Let's see how they're reacting. (The same is true for MANTIS, by the way.)

Regards, Ulf Dunkel
Re: How do I fix this Trustwave complaint on Phorum?
January 18, 2012 03:00AM
For anybody who might want to know how this dispute proceeded: This is what Trustwave replied to my dispute:

Quote
Trustwave
Clarification Needed

Thanks for the previously supplied information.
So just to confirm here, Ruby on Rails is not installed on this system, is that understanding correct?
This seems to be the case, but we are seeking explicit information.
Please let us know within a re-dispute of this finding.


I answered this:
Quote

Ruby On Rails is not installed on my server

Thank you for your info "Clarification needed". As I stated in my first information, I have checked my server for the current versions for both Ruby and "Ruby on Rails". The console told me what I have already quoted:

When I check my server for Ruby on Rails, it tells me this:

# ruby --version
ruby 1.9.2p290 (2011-07-09 revision 32553) [x86_64-linux]
# rails --version
The program 'rails' is currently not installed. You can install it by typing:
apt-get install rails

My ISP has confirmed that they did not install Ruby on Rails by default on my Ubuntu server and I didn't install it either. Is there any other method by which I could give you proof that Ruby on Rails is NOT installed?

Please reply ASAP because I would really like to get this whole thing finally done and approved. Thank you in advance.

Now they have finally accepted this as being "false positive", with their answer as follows:

Quote
Trustwave
Dispute Confirmed

We have accepted this dispute based on the information provided indicating that your organization can confirm that Ruby on Rails is not installed on this system.

Hallelujah!

Regards, Ulf Dunkel
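The scanner matched the finding on a cookie name and URL, not on observed behaviour. The check a practitioner would rather have is a black-box one against the login itself: does the session ID issued before login survive authentication, and does the server adopt a session ID the client chooses (in the URL, which is what the Rails `cookie_only` remediation in the report turns off)? The following Python is an added example, not code from Phorum, Trustwave or anyone in this thread. It runs against a constructed in-memory stand-in for an admin login (`ToyForum`, the credentials and the "admin panel" body string are all assumptions) so it can run offline; the same three probes can be pointed at a real `/admin.php` with an HTTP client.

```python
"""Black-box session fixation probes run against a toy admin login.

Added example; not Phorum, Trustwave or thread code. ToyForum, its single
route and the credentials below are constructed for the demonstration.
"""
import secrets

COOKIE = "phorum_admin_session"  # session cookie name from the scan report
CREDS = {"username": "admin", "password": "correct horse"}  # constructed test credentials


class ToyForum:
    """In-memory model of an admin login backed by a cookie session.

    regenerate_on_login=False together with lax_sids=True reproduces the
    classic fixation bug: the server adopts any session ID it is handed
    (cookie or URL query) and keeps using it after authentication.
    lax_sids=False corresponds to the "cookie only, reject unknown IDs"
    remediation; regenerate_on_login=True mints a fresh ID on login.
    """

    def __init__(self, regenerate_on_login=True, lax_sids=False):
        self.regenerate_on_login = regenerate_on_login
        self.lax_sids = lax_sids
        self.sessions = {}  # sid -> authenticated user name, or None

    def _new_sid(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = None
        return sid

    def request(self, cookies=None, query=None, form=None):
        """Emulate one GET/POST to the admin page.

        Returns (set_cookie, body): the cookies the server would set on this
        response and a body showing whether the request was served as admin.
        """
        cookies, query, form = dict(cookies or {}), dict(query or {}), dict(form or {})
        sid = cookies.get(COOKIE)
        if sid is None and self.lax_sids:
            sid = query.get(COOKIE)  # URL-based session ID (the flagged pattern)
        set_cookie = {}
        if sid not in self.sessions:
            if sid is not None and self.lax_sids:
                self.sessions[sid] = None  # adopt the client-chosen ID as-is
            else:
                sid = self._new_sid()  # unknown or absent ID: issue our own
            set_cookie[COOKIE] = sid
        if form == CREDS:
            if self.regenerate_on_login:
                del self.sessions[sid]
                sid = self._new_sid()  # fresh ID once the user is authenticated
                set_cookie[COOKIE] = sid
            self.sessions[sid] = "admin"
        body = "admin panel" if self.sessions.get(sid) else "login form"
        return set_cookie, body


def check_session_fixation(app):
    """Three black-box probes; every key reads True when the behaviour is unsafe."""
    # Probe 1: does the ID issued before login survive authentication?
    pre_cookie, _ = app.request()
    pre = pre_cookie[COOKIE]
    post_cookie, body = app.request(cookies={COOKIE: pre}, form=CREDS)
    if body != "admin panel":
        raise RuntimeError("login failed; the probes are meaningless without it")
    post = post_cookie.get(COOKIE, pre)  # no Set-Cookie means the old ID stayed

    # Probe 2: does a client-chosen ID passed in the URL get adopted?
    chosen = "attacker-" + secrets.token_hex(4)
    url_cookie, _ = app.request(query={COOKIE: chosen})

    # Probe 3: the full chain. The attacker fixates `chosen` on the victim,
    # the victim logs in with it, the attacker then reuses the same ID.
    app.request(cookies={COOKIE: chosen}, form=CREDS)  # victim's login
    _, attacker_body = app.request(cookies={COOKIE: chosen})  # attacker's reuse

    return {
        "sid_unchanged_after_login": post == pre,
        "adopts_url_sid": url_cookie.get(COOKIE) == chosen,
        "fixation_exploitable": attacker_body == "admin panel",
    }


if __name__ == "__main__":
    print("hardened  :", check_session_fixation(ToyForum()))
    print("vulnerable:", check_session_fixation(ToyForum(regenerate_on_login=False, lax_sids=True)))
    print("regen only:", check_session_fixation(ToyForum(regenerate_on_login=True, lax_sids=True)))
```

The third configuration is the instructive one: an application that still accepts client-chosen IDs but regenerates the ID at login reports `adopts_url_sid` as True yet `fixation_exploitable` as False, which is exactly the kind of nuance a name-based scanner signature cannot express. Had any real probe on the site come back True, the dispute would have needed a fix rather than a "not installed" statement.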