
Can I remove phpinfo.php?


3 replies to this topic

#1 rocaholic

  • Community Member
  • 21 posts
  • Real Name:John

Posted 15 April 2011, 22:33

Hi everyone, I'm using a quarterly PCI compliance scan by securitymetrics(dot)com


I have two risks rated as 5, but they have the same error.

"Synopsis : The remote web server contains a PHP script that is prone to an information disclosure attack. Description : Many PHP installation tutorials instruct the user to create a PHP file that calls the PHP function 'phpinfo()' for debugging purposes. Various PHP applications may also include such a file. By accessing such a file, a remote attacker can discover a large amount of information about the remote web server, including : - The username of the user who installed php and if they are a SUDO user. - The IP address of the host. - The version of the operating system. - The web server version. - The root directory of the web server. - Configuration information about the remote PHP installation. Solution: Remove the affected file(s). Risk Factor: Medium"

I found a file named phpinfo.php in my public_html folder and its content is only:
<?php phpinfo(); ?>

Is it safe to delete this so I can pass my scan?

And another thing, I hired a few freelancers to help me set up the site as I know nothing about programming. I understand that PCI compliance is a rough area but wanted to see your input on how customers process my orders.

I use inmotionhosting business hosting. My site uses GoDaddy SSL and for my payments, I use the Authorize.net AIM module, I believe. Customers add items, checkout, fill out all the CC information on my site. Money has been going into my bank account. I was wondering if this is safe because I don't see full credit card numbers, except the last 4 (XXXXXXXXXXXX1111) and the expiration date, and I think the billing address as well.

Thank you!!!

#2 Jack_mcs

  • Community Member
  • 24,453 posts
  • Real Name:Jack
  • Gender:Male

Posted 15 April 2011, 23:14

Yes to both questions.

#3 MrPhil

  • Community Member
  • 3,294 posts
  • Real Name:Phil
  • Gender:Male

Posted 17 April 2011, 01:28

That "phpinfo.php" file was not put there by osCommerce. Either you had a developer/installer (your "freelancer") who was very sloppy about security and failed to name it something obscure and remove it when done, or a hacker left it there. Possibly your freelancer deliberately left it in there as a future hack enabler. Either way is not good, and it should be removed (or at least, the name changed to something unguessable).

What does this have to do with E-commerce Laws? It belongs in Security under the appropriate product.
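
Since the advice in this thread is to remove (or rename) any leftover phpinfo() script, a small check run in the hosting account's shell is a useful way to confirm nothing of the kind remains before the next scan. The script below is an added example, not code from the original thread or from osCommerce; it assumes a POSIX shell with find and grep, that the web root path is passed as the first argument (the poster's public_html, for instance), and that a file is worth flagging whenever it contains a call to phpinfo( outside an identifier. It is a text heuristic: a commented-out call is still reported, which is the safer direction for this purpose.

```shell
#!/bin/sh
# Added example (not from the original forum thread): locate PHP files under a
# web root that call phpinfo(), so leftover debugging scripts can be removed
# before a compliance scan flags them. Assumes POSIX find/grep.

# Print the path of every *.php file under $1 that contains a phpinfo( call.
# The leading group rejects names such as my_phpinfo(, so only the real
# function call (with optional whitespace before the parenthesis) matches.
find_phpinfo_files() {
    docroot="$1"
    find "$docroot" -type f -name '*.php' \
        -exec grep -lE '(^|[^A-Za-z0-9_])phpinfo[[:space:]]*\(' {} + 2>/dev/null
}

# Return 0 when the web root is clean, 1 when at least one file is flagged;
# the offending paths are written to stderr so the function can gate a deploy.
check_docroot() {
    docroot="$1"
    hits=$(find_phpinfo_files "$docroot")
    if [ -n "$hits" ]; then
        echo "phpinfo() call found in:" >&2
        echo "$hits" >&2
        return 1
    fi
    return 0
}

# Build a constructed sample tree (not real site files) in a temp directory
# and print its web root, so the check can be exercised without a live host.
make_sample_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/public_html/includes"
    printf '<?php phpinfo(); ?>\n' > "$tmp/public_html/phpinfo.php"
    printf '<?php echo "shop front"; ?>\n' > "$tmp/public_html/index.php"
    printf '<?php phpinfo (); ?>\n' > "$tmp/public_html/includes/debug.php"
    printf '<?php function my_phpinfo() {} ?>\n' > "$tmp/public_html/includes/util.php"
    echo "$tmp/public_html"
}
```

Typical use is `check_docroot /home/youraccount/public_html; echo $?` from the account's shell; a non-zero status with a path list means there is still something to delete. Removing the file is the right fix; renaming it only hides it from a scanner that guesses the default name.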

#4 rocaholic

  • Community Member
  • 21 posts
  • Real Name:John

Posted 19 April 2011, 16:34

Quote

What does this have to do with E-commerce Laws? It belongs in Security under the appropriate product.


"Is it safe to delete this so I can pass my scan?

And another thing, I hired a few freelancers to help me set up the site as I know nothing about programming. I understand that PCI compliance is a rough area but wanted to see your input on how customers process my orders.

I use inmotionhosting business hosting. My site uses GoDaddy SSL and for my payments, I use the Authorize.net AIM module, I believe. Customers add items, checkout, fill out all the CC information on my site. Money has been going into my bank account. I was wondering if this is safe because I don't see full credit card numbers, except the last 4 (XXXXXXXXXXXX1111) and the expiration date, and I think the billing address as well.

Thank you!!! "

Because I was wondering if this is "PCI-DSS" compliant. Thank you both for your responses.

Edited by rocaholic, 19 April 2011, 16:35.