Mort-lemur (author), posted March 24, 2010:

Hi, I have recently run the free McAfee PCI scan of my site, and thanks to everyone who has developed fixes for security issues I have only failed the scan on a couple of items, one of which was my hosting allowing anonymous FTP and another was allowing indexing in my hosting. Both of these are now sorted. I am just left with one item regarding the transmission of the customer's login data. The McAfee report says:

> Unencrypted Login Information Disclosure
> The remote host appears to allow logins over unencrypted (HTTP) connections. This means that a user's login information is sent over the internet in clear text. An attacker may be able to uncover login names and passwords by sniffing network traffic.
> General Solution: Plain-text protocols should never be used to transmit sensitive information over the Internet. When passing login information to the web server, use HTTPS (SSLv3, TLS 1) instead of HTTP.

I have a private SSL cert set up, and all of my site is in HTTPS (apart from the first landing on index.php, which is HTTP). So how can I ensure that the data is encrypted as it is sent? Thanks

Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.
johnnybebad, posted March 24, 2010:

> I have a private SSL cert set up, and all of my site is in HTTPS (apart from the first landing on index.php, which is HTTP). So how can I ensure that the data is encrypted as it is sent?

I ended up using this code in the htaccess file:

    RewriteCond %{HTTPS} off
    RewriteRule ^login\.php$ https://www.yourdomain.com/login.php [R=301,L]

(The RewriteCond limits the rule to requests that did not arrive over HTTPS; without it the rule also matches the HTTPS request and the browser loops.) That way the login page was always directed to a secure login. I think that sorted the problem, although sometimes alerts appear and disappear without anything being done.

Getting better with mods but no programmer am I.
germ, posted March 24, 2010:

First be sure the login is using HTTPS. If not, fix the link so it does. Then at the top of /catalog/login.php make the code look like this:

    require('includes/application_top.php');
    /* ------ beginning of added code to force HTTPS login ------ */
    if ( $request_type != 'SSL' ) {
      header('Location: ' . HTTPS_SERVER . DIR_WS_CATALOG . basename($PHP_SELF));
      exit; // stop here, otherwise the rest of the page is still rendered over HTTP
    }
    /* ------ end of added code to force HTTPS login ------ */

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you. "Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me - "Headers already sent" - The definitive help "Cannot redeclare ..." - How to find/fix it SSL Implementation Help
Mort-lemur (author), posted March 29, 2010:

Hi Jim (Germ), I have added the code you suggest to my login.php and all my config files point to HTTPS, but what do you mean when you say:

> First be sure the login is using HTTPS.

The customer lands on an HTTP page (index.php), then whenever he moves away or refreshes the page he goes to HTTPS. I am still getting the PCI scan failure over this. I also tried johnnybebad's htaccess line, however this gave me continuous loop problems in Firefox and IE when trying to log in. Many thanks
germ, posted March 29, 2010:

> The customer lands on an HTTP page (index.php), then whenever he moves away or refreshes the page he goes to HTTPS. I am still getting the PCI scan failure over this.

All that the code I posted will do is ensure the login is using HTTPS. What can happen is when people click the login link on your site they can then manually change the address in the browser address bar to HTTP. I really can't see what there is about this that can make you fail a PCI scan. >_<
Mort-lemur (author), posted March 29, 2010:

Hi Jim, This is the full PCI report regarding this failure, which they class as High Risk.

> Severity: High
> Name: Unencrypted Login Information Disclosure
> Port: 80/tcp
> Category: Web Application
> Description: The remote host appears to allow logins over unencrypted (HTTP) connections. This means that a user's login information is sent over the internet in clear text. An attacker may be able to uncover login names and passwords by sniffing network traffic.
> CVSS Score: 6.4
> CVSS Fingerprint: AV:N/AC:L/Au:N/C:P/I:P/A:N
> Solution: Plain-text protocols should never be used to transmit sensitive information over the Internet. When passing login information to the web server, use HTTPS (SSLv3, TLS 1) instead of HTTP.
> Details:
>   Protocol: http
>   Port: 80
>   Read Timeout: 10000
>   Method: POST
>   Demo Path: /mailman/admin/mailman
>   Headers: Referer=http%3A%2F%2Fwww.mysite.co.uk%2Fmailman%2Fadmin%2Fmailman Content-Type=application%2Fx-www-form-urlencoded
>   Body: adminpw=p455w0rd admlogin=Let me in...
> Insecure Form Links: Information on ARP poisoning; Information on man-in-the-middle attacks; Example software used to audit man-in-the-middle vulnerabilities
> References: None
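The scanner finding above boils down to one condition: a form containing a password field whose resolved action URL is http://. The following is an added example, not code from this thread or from osCommerce, that applies the same condition to a page's HTML so you can locate the offending form yourself (a login box in a side column on an http:// landing page, or a hosting-level page such as the Mailman admin login). The host name www.example.co.uk and the two HTML pages are constructed for the example.

```python
"""Find login forms that would submit credentials over plain HTTP.

Added example: given the URL a page was fetched from and its HTML, list
every form that contains a password field and whose resolved action URL
is http://. A relative or empty action inherits the page's own scheme,
so a login box on an http:// landing page is flagged even though the
rest of the store is configured for HTTPS.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect action, method and whether a password input is present per <form>."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {
                "action": attrs.get("action") or "",
                "method": (attrs.get("method") or "get").upper(),
                "has_password": False,
            }
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def insecure_login_forms(page_url, html):
    """Return the resolved action URLs of password forms that submit over http://."""
    parser = _FormCollector()
    parser.feed(html)
    parser.close()
    insecure = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # urljoin resolves relative, empty and scheme-relative actions against the page URL
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme.lower() == "http":
            insecure.append(target)
    return insecure


# Constructed sample pages (hypothetical host), not captured from any real site.
LANDING_PAGE_URL = "http://www.example.co.uk/index.php"
LANDING_PAGE_HTML = """
<form action="login.php" method="post">
  <input type="text" name="email_address">
  <input type="password" name="password">
</form>
<form action="https://www.example.co.uk/advanced_search_result.php" method="get">
  <input type="text" name="keywords">
</form>
<form action="https://www.example.co.uk/login.php" method="post">
  <input type="password" name="password">
</form>
"""

MAILMAN_PAGE_URL = "http://www.example.co.uk/mailman/admin/mailman"
MAILMAN_PAGE_HTML = """
<form method="POST" action="">
  <input type="password" name="adminpw">
  <input type="submit" name="admlogin" value="Let me in...">
</form>
"""


def scan_samples():
    """Run the check over the constructed pages and return the findings per page."""
    return {
        "index.php": insecure_login_forms(LANDING_PAGE_URL, LANDING_PAGE_HTML),
        "mailman": insecure_login_forms(MAILMAN_PAGE_URL, MAILMAN_PAGE_HTML),
    }


if __name__ == "__main__":
    for page, hits in scan_samples().items():
        print(page, "->", hits or "no insecure login forms")
```

On the landing page only the side-column login box is reported (its relative action resolves to http://), the search form has no password field, and the form with an explicit https:// action passes; the Mailman page is reported because its empty action posts back to the same http:// URL. Fetching the HTML to feed in is left to whatever client you already use; the check itself needs no network access.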
spooks, posted March 29, 2010:

Add this code at the start of your htaccess file in the root:

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

That will redirect ALL traffic going to http to https. PS: you must ensure your store is fully configured to use SSL throughout if you use that.

Sam

Remember, what you think I meant may not be what I thought I meant when I said it. Contributions: Auto Backup your Database, Easy way Multi Images with Fancy Pop-ups, Easy way Products in columns with multi buy etc etc Disable any Category or Product, Easy way Secure & Improve your account pages et al.
Mort-lemur (author), posted March 29, 2010:

Thanks Sam, I have added the code and will now try another scan. Thanks
germ, posted March 29, 2010:

> Thanks Sam, I have added the code and will now try another scan.

I must be stupid, 'cuz I still don't see what's wrong with doing it my way. My way won't let you login "unencrypted".
burt, posted March 29, 2010:

Having the whole of your site (except index.php) on https is not correct, and is not the way to complete PCI compliance. Only those pages that need to be on https should be on https (which I know is an obvious statement, but there we are).
germ, posted March 29, 2010:

What he just said... :rolleyes:
Mort-lemur (author), posted March 29, 2010:

> Having the whole of your site (except index.php) on https is not correct, and is not the way to complete PCI compliance. Only those pages that need to be on https should be on https.

I'm not doubting you, but why is that? I think the problem was with the customer landing on the http index page, then logging in using the login box. I now have BOTH bits of code, Jim's and Sam's. My whole site runs on https. Can you tell me why that is wrong? Thanks
burt, posted March 30, 2010:

You certainly do not want to use that htaccess code that redirects everything from http to https. Anyway, many reasons. For me, the most important is that Google does not rank https pages. You only need https for pages that convey private customer information from one place to another, e.g. create_account, the checkout bits, login, logout, tell-a-friend, and so on. Product pages and categories should certainly not be https. If the problem is with the login box that is contained in each page, then remove the login box. Have a login text or image that links to the login page at https.
Mort-lemur (author), posted March 30, 2010:

Thanks. Found where the problem lies.... It's not with my site, but with the Mailman function of the host's cPanel (mailing lists); they have it configured as HTTP, not HTTPS, so the PCI scan is picking up on this. Unfortunately, as it is above my web space on a shared host, I cannot bypass it using htaccess, unless someone knows a way that I can?? Thanks
Mort-lemur (author), posted March 31, 2010:

For anyone else having this issue with Mailman and PCI scans: I have managed to get McAfee to accept this as a resolved issue by giving the following explanation:

> The vulnerability http://www.MYSITE.co.uk/mailman/admin/mailman in my case is a false positive. This is a feature of cPanel that I cannot route to HTTPS via htaccess. Mailman is for publicly accessible mailing lists. I do not use this feature on my site, nor do I have any intention of ever using it. If a potential hacker managed to access Mailman, there is no customer data stored there, by way of any email addresses or passwords.

Thanks
mdtaylorlrim, posted March 31, 2010:

> For anyone else having this issue with Mailman and PCI scans: I have managed to get McAfee to accept this as a resolved issue by giving the following explanation:

I'm wondering why you could not put a redirect in your root .htaccess to direct http://your_site/mailman/.* to an error page. The PCI scan report claims the Mailman vulnerability exists at http://www.mysite.co.uk/mailman/admin/mailman, which suggests to me that there is a server-wide alias for the directory 'mailman'. A simple redirect could stop it dead, I think, so an explanation would not be necessary.

Community Bootstrap Edition, Edge. Avoid the most asked question. See How to Secure My Site and How do I...?
spooks, posted April 1, 2010:

> Anyway, many reasons. For me, the most important is that Google does not rank https pages.

I'm sorry, I have to disagree, in part anyway. I've seen many sites that use just https pages and they have no trouble gaining rank. If the site operator wants to go that way as they feel their customers are happier, that's their prerogative. If you make that choice, that code is useful to ensure your site is consistent. The disadvantage of running a site fully from the secure server is the connection will be slower, and problems if there are ever any issues with the site certificate.

Sam
Mort-lemur (author), posted April 1, 2010:

Hi, No, I could not put in an htaccess redirect, as the Mailman was server-wide. However my host has now directed any requests to Mailman to a 404 page, so that suits me fine. It is something to watch for though on shared servers with cPanel. Thanks
johnnybebad, posted April 1, 2010:

> No, I could not put in an htaccess redirect, as the Mailman was server-wide. However my host has now directed any requests to Mailman to a 404 page, so that suits me fine.

PCI is fun. At the moment I am passing, but it is a nightmare at times.
mdtaylorlrim, posted April 1, 2010:

> For anyone else having this issue with Mailman and PCI scans: I have managed to get McAfee to accept this as a resolved issue by giving the following explanation:

I'm wondering why bother with the explanation in the first place. You are not doing this for 'real' PCI compliance, are you? Just an FYI, right?
Mort-lemur (author), posted April 1, 2010:

> I'm wondering why bother with the explanation in the first place. You are not doing this for 'real' PCI compliance, are you? Just an FYI, right?

Hi, No, not for "real", as I will never be storing customer card data. I just wanted to see if my site was secure enough to pass a PCI scan, and thanks to all the security help from the very helpful contributors to this forum, I have now been passed as PCI. Thanks
designcraft, posted December 13, 2010:

My problem is similar. When my security compliance company scans my site they pick out some pages that are secure, like the login and create-an-account pages. If you type in the URL with only http (e.g. http://domain.com/shop/login.php) the page is not directed to https. How can I force these two pages to be https?
germ, posted December 13, 2010:

Click me