How do I fix this Trustwave complaint on Phorum?
Posted by Ulf Dunkel
How do I fix this Trustwave complaint on Phorum? January 11, 2012 06:20AM
Registered: 22 years ago Posts: 147
I run Phorum on some websites which are regularly scanned by Trustwave for security reasons related to credit card handling. Every time, the scan fails because of this issue:
Virtual Hosts: [www.calamus.net]
Session Cookie: phorum_admin_session
URL: /phorum/admin.php
Details:
Ruby on Rails Session Fixation Vulnerability
Severity: Medium
PCI Status: Fail
CVE: CVE-2007-5380, CVE-2007-6007
Description:
Session fixation vulnerability in Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers to hijack web sessions via unspecified vectors related to "URL-based sessions."
Remediation:
Upgrade to Ruby on Rails version 1.2.6 or newer and set 'config.action_controller.session_options[:cookie_only]' to 'true' in the 'config/environment.rb' file (if it is not already).
When I check my server for Ruby on Rails, it tells me this:
Quote
# ruby --version
ruby 1.9.2p290 (2011-07-09 revision 32553) [x86_64-linux]
# rails --version
The program 'rails' is currently not installed. You can install it by typing:
apt-get install rails
I wonder if this scan issue report is bullshit, or if I have to install rails at all?
Regards, Ulf Dunkel
Re: How do I fix this Trustwave complaint on Phorum? January 11, 2012 06:36AM
Admin Registered: 21 years ago Posts: 9,240
Re: How do I fix this Trustwave complaint on Phorum? January 11, 2012 06:47AM
Registered: 22 years ago Posts: 147
Re: How do I fix this Trustwave complaint on Phorum? January 18, 2012 03:00AM
Registered: 22 years ago Posts: 147
For anybody who might want to know how this dispute proceeded: This is what Trustwave replied to my dispute:
Quote
Trustwave
Clarification Needed
Thanks for the previously supplied information.
So just to confirm here, Ruby on Rails is not installed on this system, is that understanding correct?
This seems to be the case, but we are seeking explicit information.
Please let us know within a re-dispute of this finding.
I answered this:
Quote
Ruby On Rails is not installed on my server
Thank you for your info "Clarification needed". As I stated in my first information, I have checked my server for the current versions for both Ruby and "Ruby on Rails". The console told me what I have already quoted:
When I check my server for Ruby on Rails, it tells me this:
# ruby --version
ruby 1.9.2p290 (2011-07-09 revision 32553) [x86_64-linux]
# rails --version
The program 'rails' is currently not installed. You can install it by typing:
apt-get install rails
My ISP has confirmed that they did not install Ruby on Rails by default on my Ubuntu server and I didn't install it either. Is there any other way I could prove to you that Ruby on Rails is NOT installed?
Please reply ASAP because I would really like to get this whole thing finally done and approved. Thank you in advance.
Now they have finally accepted this as being "false positive", with their answer as follows:
Quote
Trustwave
Dispute Confirmed
We have accepted this dispute based on the information provided indicating that your organization can confirm that Ruby on Rails is not installed on this system.
Hallelujah!
Regards, Ulf Dunkel
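As an added example (not from this thread and not Phorum's own code): a small POSIX shell script that gathers the evidence such a dispute asks for. It checks for anything Rails-related on the host (the `rails` command or the rails gem, since `rails --version` alone can miss a gem whose bin directory is not on root's PATH), and checks that the flagged URL issues its session as a cookie only, rather than carrying the id in a redirect URL, which is the condition the report's `cookie_only` remediation is about. The cookie name and path come from the scan report; the HTTP header sample is constructed, not real output from www.calamus.net.

```shell
#!/bin/sh
# Evidence script for disputing a Rails session-fixation finding on a PHP host.
# Cookie name comes from the scan report; the header sample below is constructed.

COOKIE_NAME="phorum_admin_session"

# Returns 0 when neither the rails command nor the rails gem is present.
rails_absent() {
  command -v rails >/dev/null 2>&1 && return 1
  if command -v gem >/dev/null 2>&1; then
    gem list --local 2>/dev/null | grep -qi '^rails ' && return 1
  fi
  return 0
}

# Reads raw HTTP response headers on stdin. Returns 0 when the session is
# issued as a cookie and no redirect carries it in the URL, 1 when the cookie
# is missing, 2 when a Location header embeds the session id (URL-based session).
cookie_only_session() {
  hdrs=$(tr -d '\r')
  printf '%s\n' "$hdrs" | grep -qi "^Set-Cookie: $COOKIE_NAME=" || return 1
  printf '%s\n' "$hdrs" | grep -i '^Location:' | grep -qi "$COOKIE_NAME=" && return 2
  return 0
}

# Prints the header lines that identify the stack answering the URL.
stack_banner() {
  tr -d '\r' | grep -iE '^(Server|X-Powered-By):'
}

# Constructed sample of what `curl -sI https://www.calamus.net/phorum/admin.php`
# could return from a PHP host (not real captured output).
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.3.10
Set-Cookie: phorum_admin_session=abc123; path=/; HttpOnly
Content-Type: text/html'

if rails_absent; then echo "rails: not installed on this host"; else echo "rails: FOUND"; fi
printf '%s\n' "$SAMPLE_HEADERS" | stack_banner
printf '%s\n' "$SAMPLE_HEADERS" | cookie_only_session
case $? in
  0) echo "session: cookie-only for $COOKIE_NAME" ;;
  1) echo "session: no $COOKIE_NAME cookie set" ;;
  2) echo "session: id carried in URL (fixation risk)" ;;
esac
```

Replace the constructed sample with the real headers from `curl -sI` against the flagged URL; the printed stack banner and the cookie-only result are what a dispute like the one above needs to show.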