
osCommerce


Customer Login Not Encrypted


Mort-lemur


Hi,

 

I have recently run the free McAfee PCI scan of my site, and thanks to everyone who has developed fixes for security issues I have only failed the scan on a couple of items, one of which was in my hosting with allowing anonymous FTP and another was with allowing indexing in my hosting. Both of these are now sorted.

 

I am just left with one item regarding the transmission of the customers' login data. The McAfee report says:

 

Unencrypted Login Information Disclosure

 

The remote host appears to allow logins over unencrypted (HTTP) connections. This means that a user's login information is sent over the internet in clear text. An attacker may be able to uncover login names and passwords by sniffing network traffic.

 

General Solution

Plain-text protocols should never be used to transmit sensitive information over the Internet. When passing login information to the web server, use HTTPS (SSLv3, TLS 1) instead of HTTP.

 

I have a private SSL cert set up, and all of my site is in HTTPS (apart from the first landing on index.php, which is HTTP).

 

So how can I ensure that the data is encrypted as it is sent?

 

Thanks

Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.


I ended up using this code in the htaccess file

RewriteRule ^login.php https://www.yourdomain.com/login.php [R=301,L]

That way the login page was always directed to a secure login. I think that sorted the problem, although sometimes alerts appear and disappear without anything being done.

Getting better with mods but no programmer am I.


First be sure the login is using HTTPS.

 

If not, fix the link so it does.

 

Then at the top of /catalog/login.php make the code look like this:

 

  require('includes/application_top.php');

/* ------ beginning of added code to force HTTPS login ------ */
  // application_top.php sets $request_type to 'SSL' when the request came in over HTTPS.
  if ( $request_type != 'SSL' ) {
    header('Location: ' . HTTPS_SERVER . DIR_WS_CATALOG . basename($PHP_SELF));
    exit; // stop here so the rest of the page is never processed over plain HTTP
  }
/* ------ end of added code to force HTTPS login ------ */

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help


Hi Jim (Germ),

 

I have added the code you suggest to my login.php and all my config files point to HTTPS, but what do you mean when you say "First be sure the login is using HTTPS."?

 

The customer lands on an HTTP page (index.php), then whenever he moves away or refreshes the page he goes to HTTPS.

 

I am still getting the PCI Scan failure over this.

 

I also tried "johnnybebad's" htaccess line, however this gave me continuous loop problems in Firefox and IE when trying to log in.

 

Many Thanks


All that the code I posted will do is ensure the login is using HTTPS

 

What can happen is when people click the login link on your site they can then manually change the address in the browser address bar to HTTP.

 

I really can't see what there is about this that can make you fail a PCI scan. >_<


Hi Jim,

 

This is the full pci report regarding this failure, which they class as High Risk.

 

Severity: High Risk
Name: Unencrypted Login Information Disclosure
Port: 80/tcp
Category: Web Application

Description

The remote host appears to allow logins over unencrypted (HTTP) connections. This means that a user's login information is sent over the internet in clear text. An attacker may be able to uncover login names and passwords by sniffing network traffic.

CVSS Score: 6.4

CVSS Fingerprint: AV:N/AC:L/Au:N/C:P/I:P/A:N

Solution

Plain-text protocols should never be used to transmit sensitive information over the Internet. When passing login information to the web server, use HTTPS (SSLv3, TLS 1) instead of HTTP.

Details

Protocol: http
Port: 80
Read Timeout: 10000
Method: POST

Demo
Path: /mailman/admin/mailman
Headers: Referer=http%3A%2F%2Fwww.mysite.co.uk%2Fmailman%2Fadmin%2Fmailman
         Content-Type=application%2Fx-www-form-urlencoded
Body: adminpw=p455w0rd
      admlogin=Let me in...
Insecure Form

Links

Information on ARP poisoning
Information on man-in-the-middle attacks
Example software used to audit man-in-the-middle vulnerabilities

References: None

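As an added example (not code from this thread, from osCommerce or from the scanner): a small Python check that reproduces the report's "Insecure Form" test against your own pages, so you can see which form actually submits a password over plain HTTP before the next scan. The hostnames and HTML below are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Record [action, has_password_field] for every <form> in the page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action posts the form back to the page URL.
            self._current = [a.get("action") or "", False]
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_login_forms(page_url, html):
    """Resolved action URLs of password forms that would not be submitted over HTTPS.

    Actions resolve against page_url: a relative action on an http:// page is
    reported, an absolute https:// action on the same page is not.
    """
    parser = _FormCollector()
    parser.feed(html)
    parser.close()
    return [urljoin(page_url, action) for action, has_pw in parser.forms
            if has_pw and urlsplit(urljoin(page_url, action)).scheme != "https"]


# Constructed sample markup (not taken from any real site): an http:// store
# landing page with one relative-action login box and one pointing at https://,
# plus a mailman admin password prompt like the one the scanner reported.
LANDING_HTML = """
<form action="login.php?action=process" method="post">
  <input type="text" name="email_address"><input type="password" name="password">
</form>
<form action="https://www.example-store.test/login.php?action=process" method="post">
  <input type="password" name="password">
</form>
"""
MAILMAN_HTML = '<form method="post"><input type="password" name="adminpw"></form>'
```

Run it over the HTML of each page as fetched from its http:// URL; an empty list for every page is what the scanner wants to see.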

Add this code at the start of your .htaccess file in the root.

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

That will redirect ALL traffic going to http to https.

 

PS you must ensure your store is fully configured to use ssl throughout if you use that.

Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.


Thanks Sam,

 

I have added the code and will now try another scan.

 

Thanks


I must be stupid, 'cuz I still don't see what's wrong with doing it my way.

 

My way won't let you login "unencrypted".


Having the whole of your site (except index.php) on https is not correct, and is not the way to complete PCI compliance.

 

Only those pages that need to be on https should be on https (which I know is an obvious statement, but there we are).


What he just said...

:rolleyes:



I'm not doubting you, but why is that?

 

I think the problem was with the customer landing on the http index page then logging in using the login box.

 

I now have BOTH bits of code, Jim's and Sam's.

 

My whole site runs on https - can you tell me why that is wrong ?

 

Thanks


You certainly do not want to use that htaccess code that redirects everything from http to https.

 

Anyway, many reasons. For me, the most important is that Google does not rank https pages.

 

You only need https for pages that convey private customer information from one place to another, e.g. create_account, the checkout bits, login, logout, tell-a-friend, and so on. Product pages and categories should certainly not be https.

 

If the problem is with the login box that is contained in each page, then remove the login box. Have a login text or image that links to the login page at https.


Thanks,

 

Found where the problem lies....

 

It's not with my site, but with the Mailman function of the host's cPanel (mailing lists): they have it configured as HTTP, not HTTPS, so the PCI scan is picking up on this.

 

Unfortunately as it is above my web-space on a shared host, I cannot bypass using htaccess - unless someone knows a way that I can??

 

Thanks


For anyone else having this issue with Mailman and PCI scans. I have managed to get McAfee to accept this as a resolved issue by giving the following explanation:

 

The vulnerability http://www.MYSITE.co.uk/mailman/admin/mailman in my case is a false positive. This is a feature of cPanel that I cannot route to HTTPS via htaccess. Mailman is for publicly accessible mailing lists. I do not use this feature on my site, nor do I have any intention of ever using it. If a potential hacker managed to access mailman, there is no customer data stored there, by way of any email addresses or passwords.

 

Thanks


I'm wondering why you could not put a redirect in your root .htaccess to direct http://your_site/mailman/.* to an error page.

 

The PCI Scan report claims the mailman vulnerability exists at http://www.mysite.co.uk/mailman/admin/mailman which suggests to me that there is a server wide alias for the directory 'mailman.' A simple redirect could stop it dead, I think, so an explanation would not be necessary.

Community Bootstrap Edition, Edge

 

Avoid the most asked question. See How to Secure My Site and How do I...?


I'm sorry, I have to disagree, in part anyway. I've seen many sites that use just https pages and they have no trouble gaining rank. If the site operator wants to go that way because they feel their customers are happier, that's their prerogative.

 

If you make that choice, that code is useful to ensure your site is consistent.

 

The disadvantage of running a site fully from the secure server is that the connection will be slower, and there will be problems if there are ever any issues with the site certificate.


Hi,

 

No I could not put in a htaccess redirect - as the mailman was server wide.

 

However my host has now directed any requests to mailman to a 404 page - so that suits me fine.

 

It is something to watch for though on shared servers with cpanel.

 

Thanks


PCI is fun; at the moment I am passing, but it is a nightmare at times.


I'm wondering why bother with the explanation in the first place. You are not doing this for 'real' PCI compliance, are you? Just a FYI, right?


Hi,

 

No not for "Real" as I will never be storing customer card data.

 

I just wanted to see if my site was secure enough to pass a PCI scan, and thanks to all the security help from the very helpful contributors to this forum, I have now been passed as PCI compliant.

 

Thanks



My problem is similar. When my security compliance company scans my site they pick out some pages that are secure like the login and create an account page. If you type in the URL with only http (ex. http://domain.com/shop/login.php) the page is not directed to https. How can I force these two pages to be https?


