Qualys PCI vulnerability

Tourist

I've just done a routine scan of our Shopify site (http://www.culturelabel.com), but Qualys PCI is reporting a firewall issue: TCP Source Port Pass Firewall. I'm fairly certain firewall settings aren't within the user's control (i.e. the site admin interface), so please could a system administrator check this attack vector?

Full report available here: http://www.alexstanhope.com/system/files/Shopify_PCI_scan_result_20150708.pdf

@lightenna
Shopify Expert

Hi Alex,

I'm not sure I would worry about this. Shopify takes very good measures to be PCI compliant as their entire business rests on this. Here is what they say about it: https://www.shopify.com/pci-compliant

Regarding the failed "TCP Source Port Pass Firewall" section, this might just be normal web traffic. The server that your site resides on needs to accept web traffic in order to interact with web users. Web traffic is sent over the HTTP protocol on port 80 and the HTTPS protocol on port 443. Both of these protocols run on top of TCP (Transmission Control Protocol).

-Ryan

Stop Stressing About Shopify You’ve Got Better Things To Do => https://320ny.com/shopify/
Tourist

Hi Ryan,

Thanks for your reply. While I'm happy not to worry about it, Qualys worries about it. It constitutes a PCI fail, and without a clean scan my site is non-compliant. If my site is non-compliant, I can't get a certificate from Qualys, which eventually means I can't trade.

You're right that HTTP (80) and HTTPS (443) run on TCP, but that's not what's causing the error. Every TCP packet has a source port and a destination port. The 'TCP Source Port Pass Firewall' threat is exposed by a firewall that passes through requests it shouldn't. The report I attached to my previous post spells it out:

THREAT: Your firewall policy seems to let TCP packets with a specific source port pass through.

IMPACT: Some types of requests can pass through the firewall. The port number listed in the results section of this vulnerability report is the source port that unauthorized users can use to bypass your firewall.

SOLUTION: Make sure that all your filtering rules are correct and strict enough. If the firewall intends to deny TCP connections to a specific port, it should be configured to block all TCP SYN packets going to this port, regardless of the source port.

RESULT: The host responded 4 times to 4 TCP SYN probes sent to destination port 20 using source port 80. However, it did not respond at all to 4 TCP SYN probes sent to the same destination port using a random source port.

I'm posting again here to encourage Shopify to review their firewall settings and address this specific vulnerability. As the security space is constantly evolving (new threats emerge on a daily basis), I imagine the Shopify ops team are constantly updating their infrastructure, and I think that's what's required here.

Cheers, Alex

@lightenna
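The RESULT line Alex quotes is the signature of a stateless rule that trusts the packet's source port. The following Python model is an added illustration, not Shopify's or Qualys' code: it contrasts such a rule with a stateful one and reproduces the report's 4-of-4 versus 0-of-4 outcome. The packet fields, the served-port set and both policy functions are constructed for the example.

```python
from dataclasses import dataclass
import random

@dataclass(frozen=True)
class Packet:
    src_port: int
    dst_port: int
    syn: bool = True
    ack: bool = False  # a bare SYN (ack=False) is a new connection attempt

ALLOWED_SERVICES = {80, 443}  # destination ports the host is meant to serve

def weak_policy(pkt: Packet) -> bool:
    # Stateless rules: accept anything for a served port, AND anything whose
    # *source* port is 80/443 (a crude way to let replies from remote web
    # servers back in). That second rule is exactly what the scanner trips.
    return pkt.dst_port in ALLOWED_SERVICES or pkt.src_port in ALLOWED_SERVICES

def strict_policy(pkt: Packet) -> bool:
    # Stateful rules: a new connection (bare SYN) is judged on destination
    # port only; return traffic is matched by connection state (the ACK flag
    # stands in for a conntrack ESTABLISHED match here), so the source port is
    # never on its own a reason to accept a SYN.
    if pkt.syn and not pkt.ack:
        return pkt.dst_port in ALLOWED_SERVICES
    return pkt.ack

def probe(policy, dst_port, src_port=None, count=4, seed=0):
    # Mirror the scanner's check: `count` SYNs to dst_port, from either a
    # fixed source port or random ephemeral ports; count how many the policy
    # passes (each accepted SYN would draw a SYN/ACK or RST from the host).
    rng = random.Random(seed)
    responded = 0
    for _ in range(count):
        sp = src_port if src_port is not None else rng.randint(49152, 65535)
        responded += policy(Packet(src_port=sp, dst_port=dst_port))
    return responded

def audit(policy):
    # Same shape as the report's RESULT line: probes to port 20 with source
    # port 80 versus with a random source port.
    return {"src_80": probe(policy, 20, src_port=80), "src_random": probe(policy, 20)}

if __name__ == "__main__":
    print("weak  :", audit(weak_policy))    # {'src_80': 4, 'src_random': 0}
    print("strict:", audit(strict_policy))  # {'src_80': 0, 'src_random': 0}
```

A host behind the strict policy answers neither probe set, which is what a clean scan of this check looks like.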
Shopify Expert

Hi Alex,

After reading the report again the failed test says that it accesses the source port 20. Port 20 is normally used for FTP data transfer. I would contact support directly as posting here will not guarantee a response.

If appropriate, please post your findings back here. 

-Ryan

Stop Stressing About Shopify You’ve Got Better Things To Do => https://320ny.com/shopify/
Shopify Partner

https://hackerone.com/reports/77802  Guys, what's this? :3

"onmouseover="confirm(document.domain);""
New Member

A guy copy-pasted from here to the Shopify bug/vulnerability report page and got $1k.

https://hackerone.com/reports/77802

Open this URL and see :)

New Member

A guy copied the text from here, pasted it to the Shopify bug page and got $1k.

https://hackerone.com/reports/77802

You guys might report this to that page.
