https://community.plus.net/t5/Broadband/PCI-Compliance-problems-Same-site-scripting-due-to-quot/m-p/1880577#M349348 <P>We've had to run "PCI compliance" scans for a number of years, to support taking credit card payments.&nbsp; We're using Plusnet as the business broadband ISP and have a setup which is working well.&nbsp; These scans have not been an issue for us, until recently.&nbsp; I'm posting this here - to see if anyone else has encountered the same failure (also - as suggested by PN support).&nbsp; &nbsp;&nbsp;</P><P>&nbsp;</P><P>The PCI scan report s<SPAN>tates that the issue is:</SPAN><BR /><BR /><SPAN>&gt;url: http://<EM><STRONG>USERNAME</STRONG></EM>.plus.com/</SPAN><BR /><SPAN>&gt;matched: Same site scripting detected</SPAN><BR /><SPAN>&gt;Host: localhost.plus.com IP: 127.0.0.1</SPAN><BR /><BR /><SPAN>This failure is raised when we scanned any other Plusnet internet connection IP address (e.g. those ending in *.plus.com).</SPAN></P><P>&nbsp;</P><P>Here's what the PCI report says:</P><P><SPAN><STRONG>Threat</STRONG>:</SPAN><BR /><SPAN>Most of the DNS servers include records of the form localhost. IN A 127.0.0.1 But if by mistake, the administrator misses the trailing dot, the record is not fully qualified. So if the domain is example.com, the queries for localhost.example.com would resolve to 127.0.0.1. Reference: <A href="https://seclists.org/bugtraq/2008/Jan/270" target="_blank">https://seclists.org/bugtraq/2008/Jan/270</A></SPAN><BR /><SPAN>Impact:</SPAN><BR /><SPAN>The websites in affected domain cannot be securely accessed on multi-user system. The attacker can trick another user on the same system to access websites on affected domain in such a manner as to result in cross site scripting leaking cookies.</SPAN></P><P><STRONG>Impact:</STRONG></P><P>The websites in affected domain cannot be securely accessed on multi-user system. The attacker can trick another user on the same system to access websites on affected domain in such a manner as to result in cross site scripting leaking cookies.</P><P><SPAN><STRONG>Solution</STRONG>:</SPAN><BR /><SPAN>Non fully qualified localhost entries should not be present in the nameserver for domains that host websites with HTTP state management (cookies).</SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P>Here's our DNS checks (using Google DNS) - we get the same with any DNS provider:&nbsp; Plusnet resolves - but many other providers (e.g. bt.com) don't.</P><P><FONT face="courier new,courier">nslookup</FONT><BR /><FONT face="courier new,courier">&gt; server 8.8.8.8</FONT><BR /><FONT face="courier new,courier">Default Server: dns.google</FONT><BR /><FONT face="courier new,courier">Address: 8.8.8.8</FONT></P><P><FONT face="courier new,courier">&gt; localhost.plus.com</FONT><BR /><FONT face="courier new,courier">Server: dns.google</FONT><BR /><FONT face="courier new,courier">Address: 8.8.8.8</FONT></P><P><FONT face="courier new,courier">Non-authoritative answer:</FONT><BR /><FONT face="courier new,courier">Name: localhost.plus.com</FONT><BR /><FONT face="courier new,courier">Address: 127.0.0.1</FONT></P><P><FONT face="courier new,courier">&gt; localhost.bt.com</FONT><BR /><FONT face="courier new,courier">Server: dns.google</FONT><BR /><FONT face="courier new,courier">Address: 8.8.8.8</FONT></P><P>&nbsp;</P><P>So - this isn't some "local" configuration issue and I've run out of ideas for how to resolve this.&nbsp; As per the guidence - it seems there needs to be a change to make "plus.com" DNS entries behave correctly.&nbsp; &nbsp;Other major ISP's DNS do not resolve "localhost.isp.com", so why does PN ?<img class="lia-deferred-image lia-image-emoji" src="https://community.plus.net/html/@3681646702FDFD32BCA97E2E5F1BDDD5/images/emoticons/huh.gif" alt="Huh" title="Huh" /></P><P>&nbsp;</P><P>I've had a Plusnet support case open for months - and been told today that <EM>"We don't know how to fix that"</EM>.&nbsp; When I asked if they could escolate it within the company we were told <EM>"I don't know who to escolate it to"</EM>.&nbsp; I was finally met with <EM>"We aren't responsible for PCI compliance, so we're not going to do anything".</EM>&nbsp; The support case handler - also said <EM>"We have't had any other reports of this - so we're not going to address it"</EM>.</P><P>&nbsp;</P><P>So - I'm at a loss as to how to resolve this; with&nbsp; no other answer, we'll have to move ISP.&nbsp; Also - a little dissapointed in the least with the disregard given to potentional security issues in the PN platform.</P><P>&nbsp;</P><P>Anyone have any other ideas / observed the same sort if issue ?<img class="lia-deferred-image lia-image-emoji" src="https://community.plus.net/html/@3681646702FDFD32BCA97E2E5F1BDDD5/images/emoticons/huh.gif" alt="Huh" title="Huh" /></P><P>&nbsp;</P> Wed, 27 Jul 2022 11:09:58 GMT kquigley 2022-07-27T11:09:58Z https://community.plus.net/t5/Broadband/PCI-Compliance-problems-Same-site-scripting-due-to-quot/m-p/1880577#M349348 <P>We've had to run "PCI compliance" scans for a number of years, to support taking credit card payments.&nbsp; We're using Plusnet as the business broadband ISP and have a setup which is working well.&nbsp; These scans have not been an issue for us, until recently.&nbsp; I'm posting this here - to see if anyone else has encountered the same failure (also - as suggested by PN support).&nbsp; &nbsp;&nbsp;</P><P>&nbsp;</P><P>The PCI scan report s<SPAN>tates that the issue is:</SPAN><BR /><BR /><SPAN>&gt;url: http://<EM><STRONG>USERNAME</STRONG></EM>.plus.com/</SPAN><BR /><SPAN>&gt;matched: Same site scripting detected</SPAN><BR /><SPAN>&gt;Host: localhost.plus.com IP: 127.0.0.1</SPAN><BR /><BR /><SPAN>This failure is raised when we scanned any other Plusnet internet connection IP address (e.g. those ending in *.plus.com).</SPAN></P><P>&nbsp;</P><P>Here's what the PCI report says:</P><P><SPAN><STRONG>Threat</STRONG>:</SPAN><BR /><SPAN>Most of the DNS servers include records of the form localhost. IN A 127.0.0.1 But if by mistake, the administrator misses the trailing dot, the record is not fully qualified. So if the domain is example.com, the queries for localhost.example.com would resolve to 127.0.0.1. Reference: <A href="https://seclists.org/bugtraq/2008/Jan/270" target="_blank">https://seclists.org/bugtraq/2008/Jan/270</A></SPAN><BR /><SPAN>Impact:</SPAN><BR /><SPAN>The websites in affected domain cannot be securely accessed on multi-user system. The attacker can trick another user on the same system to access websites on affected domain in such a manner as to result in cross site scripting leaking cookies.</SPAN></P><P><STRONG>Impact:</STRONG></P><P>The websites in affected domain cannot be securely accessed on multi-user system. The attacker can trick another user on the same system to access websites on affected domain in such a manner as to result in cross site scripting leaking cookies.</P><P><SPAN><STRONG>Solution</STRONG>:</SPAN><BR /><SPAN>Non fully qualified localhost entries should not be present in the nameserver for domains that host websites with HTTP state management (cookies).</SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P>Here's our DNS checks (using Google DNS) - we get the same with any DNS provider:&nbsp; Plusnet resolves - but many other providers (e.g. bt.com) don't.</P><P><FONT face="courier new,courier">nslookup</FONT><BR /><FONT face="courier new,courier">&gt; server 8.8.8.8</FONT><BR /><FONT face="courier new,courier">Default Server: dns.google</FONT><BR /><FONT face="courier new,courier">Address: 8.8.8.8</FONT></P><P><FONT face="courier new,courier">&gt; localhost.plus.com</FONT><BR /><FONT face="courier new,courier">Server: dns.google</FONT><BR /><FONT face="courier new,courier">Address: 8.8.8.8</FONT></P><P><FONT face="courier new,courier">Non-authoritative answer:</FONT><BR /><FONT face="courier new,courier">Name: localhost.plus.com</FONT><BR /><FONT face="courier new,courier">Address: 127.0.0.1</FONT></P><P><FONT face="courier new,courier">&gt; localhost.bt.com</FONT><BR /><FONT face="courier new,courier">Server: dns.google</FONT><BR /><FONT face="courier new,courier">Address: 8.8.8.8</FONT></P><P>&nbsp;</P><P>So - this isn't some "local" configuration issue and I've run out of ideas for how to resolve this.&nbsp; As per the guidence - it seems there needs to be a change to make "plus.com" DNS entries behave correctly.&nbsp; &nbsp;Other major ISP's DNS do not resolve "localhost.isp.com", so why does PN ?<img class="lia-deferred-image lia-image-emoji" src="https://community.plus.net/html/@3681646702FDFD32BCA97E2E5F1BDDD5/images/emoticons/huh.gif" alt="Huh" title="Huh" /></P><P>&nbsp;</P><P>I've had a Plusnet support case open for months - and been told today that <EM>"We don't know how to fix that"</EM>.&nbsp; When I asked if they could escolate it within the company we were told <EM>"I don't know who to escolate it to"</EM>.&nbsp; I was finally met with <EM>"We aren't responsible for PCI compliance, so we're not going to do anything".</EM>&nbsp; The support case handler - also said <EM>"We have't had any other reports of this - so we're not going to address it"</EM>.</P><P>&nbsp;</P><P>So - I'm at a loss as to how to resolve this; with&nbsp; no other answer, we'll have to move ISP.&nbsp; Also - a little dissapointed in the least with the disregard given to potentional security issues in the PN platform.</P><P>&nbsp;</P><P>Anyone have any other ideas / observed the same sort if issue ?<img class="lia-deferred-image lia-image-emoji" src="https://community.plus.net/html/@3681646702FDFD32BCA97E2E5F1BDDD5/images/emoticons/huh.gif" alt="Huh" title="Huh" /></P><P>&nbsp;</P> Wed, 27 Jul 2022 11:09:58 GMT https://community.plus.net/t5/Broadband/PCI-Compliance-problems-Same-site-scripting-due-to-quot/m-p/1880577#M349348 kquigley 2022-07-27T11:09:58Z https://community.plus.net/t5/Broadband/PCI-Compliance-problems-Same-site-scripting-due-to-quot/m-p/1880626#M349352 <BLOCKQUOTE><HR /><a href="https://community.plus.net/t5/user/viewprofilepage/user-id/113634">@kquigley</a>&nbsp;wrote:<BR /> <P>I was finally met with <EM>"We aren't responsible for PCI compliance, so we're not going to do anything".</EM></P> <HR /></BLOCKQUOTE> <P>If an ISP can't provide a PCI compliant connection then they can't really claim to be a business ISP.</P> <P>We take credit card payments, but we use Zettle (part of PayPal) who use a secure VPN system that means the connection is secure regardless of ISP (it actually connects via an Android or iOS0 app so works over WiFi or 4G). Other similar card processing companies are available.</P> <P>Alternatively, there are business oriented ISPs that do provide PCI compliant connections (we no longer use Plusnet so we've solved the problem both ways).</P> Wed, 27 Jul 2022 16:17:57 GMT https://community.plus.net/t5/Broadband/PCI-Compliance-problems-Same-site-scripting-due-to-quot/m-p/1880626#M349352 corringham 2022-07-27T16:17:57Z https://community.plus.net/t5/Broadband/PCI-Compliance-problems-Same-site-scripting-due-to-quot/m-p/1880632#M349353 <P>Some of these PCI scanning companies seem to be an ever evolving target. I know that's somewhat nature of the beast, however it doesn't explain why I've see scans fail in the past and then miraculously pass on subsequent attempts, despite targeting the exact same customer setup.</P> <P>Anyway, I digress. I can think of no useful reason why we're doing this, so I've logged it for somebody better versed than me to take a look (for my own benefit - ref: IS-3843).</P> Wed, 27 Jul 2022 16:48:39 GMT https://community.plus.net/t5/Broadband/PCI-Compliance-problems-Same-site-scripting-due-to-quot/m-p/1880632#M349353 bobpullen 2022-07-27T16:48:39Z