I've just done a routine scan of our Shopify site (http://www.culturelabel.com), but the Qualys PCI scan is reporting a firewall issue: TCP Source Port Pass Firewall. I'm fairly certain firewall settings aren't within the user's control (i.e. the site admin interface), so could a system administrator please check this attack vector?
Full report available here: http://www.alexstanhope.com/system/files/Shopify_PCI_scan_result_20150708.pdf
I'm not sure I would worry about this. Shopify takes very good measures to be PCI compliant as their entire business rests on this. Here is what they say about it: https://www.shopify.com/pci-compliant
Regarding the failed "TCP Source Port Pass Firewall" section, this might just be normal web traffic. The server that your site resides on needs to accept web traffic in order to interact with web users. Web traffic is sent over the HTTP protocol on port 80 and the HTTPS protocol on port 443. Both of these protocols run on top of TCP (Transmission Control Protocol).
Thanks for your reply. While I'm happy not to worry about it, Qualys worries about it. It constitutes a PCI fail, and without a clean scan my site is non-compliant. If my site is non-compliant, I can't get a certificate from Qualys, which eventually means I can't trade.
You're right that HTTP (80) and HTTPS (443) run on TCP, but that's not what's causing the error. Every TCP packet has a source port and a destination port. The 'TCP Source Port Pass Firewall' threat is exposed by a firewall that passes through requests it shouldn't. The report I attached to my previous post spells it out:
THREAT: Your firewall policy seems to let TCP packets with a specific source port pass through.
IMPACT: Some types of requests can pass through the firewall. The port number listed in the results section of this vulnerability report is the source port that unauthorized users can use to bypass your firewall.
SOLUTION: Make sure that all your filtering rules are correct and strict enough. If the firewall intends to deny TCP connections to a specific port, it should be configured to block all TCP SYN packets going to this port, regardless of the source port.
RESULT: The host responded 4 times to 4 TCP SYN probes sent to destination port 20 using source port 80. However, it did not respond at all to 4 TCP SYN probes sent to the same destination port using a random source port.
I'm posting again here to encourage Shopify to review their firewall settings and address this specific vulnerability. As the security space is constantly evolving - new threats emerge on a daily basis - I imagine the Shopify ops team are constantly updating their infrastructure and I think that's what's required here.
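To make the RESULT line above concrete, here is a small model of what the scanner is testing and of the firewall mistake that usually produces it. This is an added example written for this thread, not code from Qualys, Shopify, or anyone posting here; the packet filter, the rulesets, and the port numbers other than 20, 80 and 443 from the report are constructed for illustration. The "weak" ruleset is the classic stateless error of accepting inbound TCP by source port (an attempt to let replies from remote web servers back in); the "strict" ruleset admits only packets belonging to an existing connection, so a fresh SYN to a blocked port is dropped whatever its source port. The check then replays the scan's differential test: 4 SYNs to destination port 20 from source port 80, and 4 from random ephemeral source ports.

```python
"""Model of the 'TCP Source Port Pass Firewall' differential probe.

Constructed example (not the scanner's or any vendor's code): a tiny
first-match packet filter, a weak ruleset that accepts inbound TCP by
*source* port, a strict stateful ruleset, and a routine that repeats the
report's test (SYNs to a blocked destination port from source port 80
versus from a random source port).
"""
import random
from dataclasses import dataclass

WEB_PORTS = (80, 443)
BLOCKED_PORT = 20  # the destination port named in the report's RESULT line


@dataclass(frozen=True)
class Pkt:
    """A TCP segment reduced to what this check cares about."""
    sport: int
    dport: int
    syn: bool = True  # True for a fresh connection attempt (scanner probes)


def weak_rules():
    """Stateless ruleset with the classic mistake: accepting anything whose
    source port is 80/443, meant to let web replies back in."""
    return [
        (lambda p: p.dport in WEB_PORTS, "accept"),  # inbound web traffic
        (lambda p: p.sport in WEB_PORTS, "accept"),  # 'return traffic' by source port: the hole
    ]


def strict_rules():
    """Stateful ruleset: replies are admitted only as part of an existing
    connection (stand-in for connection tracking), so a fresh SYN to any
    other port is dropped regardless of its source port."""
    return [
        (lambda p: p.dport in WEB_PORTS, "accept"),
        (lambda p: not p.syn, "accept"),  # established/related traffic only
    ]


def filter_verdict(rules, pkt):
    """First matching rule wins; the default policy is drop."""
    for match, verdict in rules:
        if match(pkt):
            return verdict
    return "drop"


def host_responds(rules, pkt):
    """The host answers (SYN/ACK or RST, either counts as a response to the
    scanner) only if the filter lets the SYN through."""
    return filter_verdict(rules, pkt) == "accept"


def probe(rules, dport, sport_picker, count=4):
    """Send `count` SYNs to `dport`, choosing each source port with
    `sport_picker`, and return how many drew a response."""
    return sum(host_responds(rules, Pkt(sport_picker(), dport)) for _ in range(count))


def source_port_pass_check(rules, dport=BLOCKED_PORT, fixed_sport=80, seed=0):
    """Replay the differential test. Returns (hits_fixed, hits_random, failed):
    the finding fires when the fixed source port gets answers while random
    ephemeral source ports get none."""
    rng = random.Random(seed)  # seeded so the run is reproducible

    def random_sport():
        return rng.randint(32768, 60999)  # ephemeral range, never 80 or 443

    hits_fixed = probe(rules, dport, lambda: fixed_sport)
    hits_random = probe(rules, dport, random_sport)
    return hits_fixed, hits_random, hits_fixed > 0 and hits_random == 0


if __name__ == "__main__":
    for name, rules in (("weak", weak_rules()), ("strict", strict_rules())):
        fixed, rnd, failed = source_port_pass_check(rules)
        print(f"{name:6}: {fixed}/4 responses with sport 80, {rnd}/4 with random sport"
              f" -> {'FAIL' if failed else 'pass'}")
```

Run against the weak ruleset the model reproduces the report exactly (4 responses with source port 80, none with a random source port); against the strict ruleset both counts are 0 and the finding does not fire. On a real host the equivalent correction is to delete any rule that accepts by source port and rely on connection tracking instead (iptables `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`, or nftables `ct state established,related accept`), which is what the report's SOLUTION line is asking for.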
After reading the report again, the failed test says that it accesses the source port 20. Port 20 is normally used for FTP data transfer. I would contact support directly, as posting here will not guarantee a response.
If appropriate, please post your findings back here.