We had a similar issue come up back when we first switched over to 3dCart. We gave 3dC support our scanning login information as requested, they confirmed it was a False Positive and we forwarded this information over to our scanning company. They agreed it was a False Positive as well and our scans have been fine ever since.

We have had true false positives as well, but I really don't think this is a false positive. The PCI Compliance standards are pretty clear on this issue. Plain text authentication of ftp is a Level 4 (Critical) issue for PCI. Since that's exactly what 3dcart does, without offering SFTP as an option, I don't see how this can't be considered a true vulnerability.

Im having the same problem with Mcafee. so I need to open a ticket so that 3d cart can note it as a false negative?

According to 3dcart technical support, you need to open a ticket so that they can help you report this as a false positive to McAfee. According to ME, 3dcart needs to fix this vulnerability, since it is NOT a false positive, and prevents any 3dcart store from being PCI compliant.

Hi Craig60

PCI compliance standards dictate that systems used for processing, storing and transmitting credit card data must be contained in a secured network environment.

Access to the source ASP files which control the store’s functionality - including payment gateway integration and data handling - are completely off limits. This is why downloading an ASP file from your root folder will error out. They’re simply off limits. Furthermore, as part of our compliance with PCI standards, the credit card information itself is NEVER actually stored by the store’s source coding. We merely pass the information to the gateways and their respective modules (when applicable) for processing.

With that being said, the FTP access you are granted with 3dcart is strictly for the uploading and maintenance of site design files. The only files that can be accessed, retrieved and edited via FTP are basically images, theme templates, CSS and various javascript files that control the look and feel of your site. These types of files fall outside of the realm of PCI compliance standards. Therefore, it is not necessary to have the FTP credentials transmitted in Secure FTP; simply because the actual source code is protected at the server level.

Unfortunately, the standard PCI scans available with services such as McAfee don’t generally delve into the FTP access this deeply. They merely see that the credentials are transmitted in cleartext and return with the notification that the server is not compliant. However, if the scan were to somehow try to actually ACCESS the source code, it would be unable to. This is why we generally refer to these notices as “false positives.”

When we receive a ticket in regards to these scans, we generally run a scan on your behalf with your McAfee credentials. We then reach out to McAfee, explain the situation to them so they review the data themselves and they will then mark the result as a false positive. You can also do this yourself, but to save time we usually do it for you as a courtesy since we are in a better position to provide McAfee with any server information they might need to confirm their findings.

If the concern is with providing us with your McAfee login credentials, then might I suggest creating a different profile on your McAfee account JUST for 3dcart technical support (if possible)? Or perhaps temporarily change your McAfee login just for our use. This way, we can still run the scan on your behalf, inform McAfee of the situation and correct this for you. Then, after all is said and done, you can simply remove the second profile or reset your password without ever having to divulge your original login information. I fully understand your reluctance to provide login credentials, but I assure you we only ask for them in order to intervene on your behalf as a courtesy.

Again, you can likely reach out to McAfee personally and have them clear this up for you. However, if you run into any issues with them, we can still go the Support Ticket route. If necessary, McAfee can review our PCI credentials at the following link.

VISA PCI Compliant Shopping Cart | About 3DCart Shopping Cart Software

Henry,

Thank you very much for the extremely detailed explanation. Based on this information, it appears to me that even though this vulnerability exists, it is OUT OF SCOPE for PCI Compliance. (As opposed to being a true false positive.) I was concerned that technical support appeared to be trying to cover this up, rather than dealing with the actual vulnerability. Your explanation seems to acknowledge the vulnerability, but places it outside the scope of PCI compliance. And that is a satisfactory answer for me. (I hope it's acceptable to McAfee.) I have passed this information on to McAfee, and I will report back on the results.

Thanks again for taking the time to respond.

Well, McAfee did indeed accept Henry's explanation regarding this issue. (And they marked this as a false positive, just as Henry said they should.) Once again, I want to thank Henry for the detailed explanation as to why this vulnerability is outside the scope of PCI. That helped a lot!

If anyone else has this problem, I suggest they cut and paste the information that Henry gave me, and pass it on to McAfee.

McAfee did not accept Henry's explaination for me

Hello,

When I ran an on-demand scan for PCI compliance I was surprised to find my site no longer in compliance. I was even more disappointed to hear that 3dcart as aware of the issue (which has been present since the end of May); however has not notified it's users.

In my request to McAfee to list this as a false-postive, I included Henry's explaination and this was there response...


Thank you for contacting McAfee Secure Support.

We understand that the FTP server is used only for transferring files used by your customers and there is NO sensitive data transmission.

However, the vulnerability is NOT related to files stored on the server. The FTP server may or may not have sensitive data.

'FTP Supports Clear Text Authentication' vulnerability is related to FTP service which does not use any encryption mechanism in its data transmission and is NOT related to a specific file.

'FTP supports clear text authentication' vulnerability is considered as critical according to PCI council. PCI compliance states that no unencrypted protocols can be used. Further, transfer of authentication credentials over an unsecured channel is not allowed and as an ASV we have to abide by PCI regulation.

The reason behind this is, it is very easy to intercept and read the clear text FTP Username and Password by sniffing. Having this information, anyone can upload, modify, delete, or abuse a website, database, etc. Many hosting companies still use FTP for their clients. The PCI Council is downgrading this practice, and mandates more secure channels to be used.

On 31 May 2011 the CVSS2 score for FTP Server Clear Text Authentication was raised to 7.5. This is now 'Critical'. McAfee does not rate or rank PCI vulnerabilities. The PCI Council using the industry standard CVSS2 rates and ranks all vulnerabilities as they pertain to PCI.

You can fix this vulnerability by switching to SFTP (part of the SSH suite) or FTPS (FTP over SSL/TLS). In the latter case, configure the server such that control connections are encrypted.

Alternately, you may use a firewall to restrict FTP access allow access only from specific IPs to access FTP server.

Please feel free to contact us if you have any additional questions.

I am not really sure what the next step is... have 3dcart contact McAfee? Wait for a 3dcart solution?


Mike

Ouch! That hurts. Well, apparently we (3dcart store owners) are back to square one. I'll wait for an official 3dcart response again, but my feeling is that the days of this vulnerability being accepted as a false positive are over.

I can certainly see how this could be a problem though. What if a hacker were to sniff the username/password for the store, and then replace the store's pages with his own pages that requested confidential information? That would constitute a significant security breach.

I was told by 3dcart technical support that SFTP support was due in the next few months, but that's a long time...

Hi Mike,

As Henry mentioned on his post, "Again, you can likely reach out to McAfee personally and have them clear this up for you. However, if you run into any issues with them, we can still go the Support Ticket route. If necessary, McAfee can review our PCI credentials at the following link." The next step is to contact 3dcart's Technical Support.

Jimmy

Temporary Solution

Just to update anyone else who may be reviewing this tread, I did contact 3DCART support regarding this matter:

We are currently looking into the possibility of implementing SFTP in the future. However, the easiest thing to do in this situation, since our system does not currently support SFTP, would be to simply disable it for your account. This would allow you to pass as the possible vulnerability would no longer be an issue.

If you do use FTP, we can look into possibly restricting access to your public facing IP address, which appears to have been one of McAfee's suggestions. Please advise.

For the time being I have decided to just disable FTP and will do my best to manage without it until there is a secure FTP method or other file manager method.


Mike

3dcart technical support also suggested to us that we disable ftp entirely. Unfortunately, that simply isn't an option for us, as we use it quite frequently. Perhaps 3dcart could add the ability to restrict ftp access to specific IP addresses or ranges, right from the store manager. That would certainly reduce the exposure, but it probably wouldn't change the actual PCI Compliance status. I do wish that my suggestion back in August of 2010 had been taken more seriously...

PCI Scan Passed

FYI: I did pass my PCI scan after FTP access was disabled. Not ideal, but PCI compliance has to be a priority.

We failed the McAfee PCI scan recently because of the FTP issue and after 3DCart requested McAfee to approve it as a false positive, McAfee denied the request saying recent changes do not allow this to be marked as false positive. 3DCart had to disable FTP, but allowed FTP access to only our IP address and that worked for McAfee.

NOW, our merchant account bank says they will not accept McAfee's PCI scan and we must use theirs (Control Scan). I ran the initial scan with Control Scan and it failed with (1) Level 5 risk, (3) Level 4 risks and numerous other risks.

I contacted 3DCart and am awaiting their response.