osCommerce
PCI Compliance Scan


march08


Hi,

 

We are trying to pass the Trustwave PCI Compliance scan for our site. The scan keeps failing with -

 

“Web Application Transmits Login Credentials Without Encryption”.

 

Searching through the website scripts we found some non-SSL redirects and form actions to login.php (store and admin), which have been changed. As far as we can see, there is no non-SSL login activity, but it still fails.

 

Apparently the failure can be disputed if -

1) Credentials never provide access to any card holder data.

2) Credentials never provide any administrative type of access.

3) Credentials never provide any system-level (OS) type of access.

 

The 1st item is OK, but we cannot truthfully confirm the other points without knowing what the problem is. Can anyone please help?

 

As an aside, since making the admin login SSL, we now have to input the Id/password twice to login and we are unable to login on an iPad (htaccess is used as recommended).

 

Any help/clues would be very much appreciated.


@@march08

Do you get a specific list of the scripts that are accepting non-SSL login?

 

What hosting are you on: VPS, dedicated server...?

 

If you have any server-side applications running, like phpmyadmin, it will also fail the check.


@@march08 The error means secure pages can be reached without using ssl. In other words, both https://mysite.com/login.php and http://mysite.com/login.php will work. You have to add a redirect in the .htaccess file to prevent that. For logging in twice, it is because your configure file in admin is not setup correctly for ssl. You still have a non-ssl url in it.

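The redirect described in the reply above, as an added example that is not code from osCommerce or from any poster in this thread: a POSIX shell script that prints the .htaccess rules forcing the catalog and admin login scripts onto HTTPS, and a check that grades the response headers of the plain-HTTP login URL the way a scanner would. A 301/302/307/308 whose Location is an https:// URL is what the scan wants to see; a 200 means the form is still served in clear, and a 401 means a Basic-auth challenge (the admin .htaccess protection mentioned in the first post) is being answered before any redirect, so the credentials would still cross the wire unencrypted. The host www.example.com and the function names are placeholders chosen for the example; the sample header blocks in the usage notes are constructed, not captured from a real shop.

```shell
#!/bin/sh
# Added example for this thread (not code from osCommerce or from any
# poster). Host names and function names are placeholders.

# Emit .htaccess rules that send plain-HTTP requests for the catalog and
# admin login scripts to their https:// equivalent. Remove the
# "(admin/)?login\.php" restriction to force HTTPS for the whole shop.
htaccess_rules() {
  cat <<'EOF'
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(admin/)?login\.php$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
EOF
}

# Grade a block of response headers (as printed by "curl -sI"):
# return 0 only for a 301/302/307/308 whose Location is an https:// URL.
# A 200 (form served in clear), a 401 (Basic-auth challenge answered
# before the redirect) or a redirect back to http:// all return 1.
redirects_to_https() {
  headers=$(printf '%s\n' "$1" | tr -d '\r')
  status=$(printf '%s\n' "$headers" | head -n 1 | awk '{ print $2 }')
  location=$(printf '%s\n' "$headers" | awk 'tolower($1) == "location:" { print $2; exit }')
  case "$status" in
    301|302|307|308) ;;
    *) return 1 ;;
  esac
  case "$location" in
    https://*) return 0 ;;
    *) return 1 ;;
  esac
}

# Live check against a real shop (needs network): fetch only the headers
# of the plain-HTTP login URL and grade them with the function above.
# Run it for both http://host/login.php and http://host/admin/login.php.
check_login_url() {
  redirects_to_https "$(curl -sI --max-time 10 "$1")"
}

# Example run (www.example.com is a placeholder, not a real shop):
#   check_login_url http://www.example.com/login.php && echo OK || echo FAIL
```

Run the check against both login URLs before re-submitting the scan. If the admin URL answers 401 rather than the redirect, the htaccess password prompt is reached over plain HTTP first and the finding will persist regardless of the rewrite rule.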

@@www.in.no

Thank you for your interest -

There was no indication of which scripts were causing the problem.

We are on shared hosting.

We believe the message suggested that it was a website script not a server issue.

 

 

@@Jack_mcs

Thank you for pointing us in the right direction. We assumed it was a script problem and didn't consider that it should cover typing http instead of https in the URL. We have now got a clean scan and we have removed the changes we made to the admin side because it is probably not an issue. We are surprised there seems to be no evidence that anyone else has had the same problem?

 

We could probably now remove our other changes relating to executing login.php as non SSL, your suggestion should cover all.

 

Not being too familiar with htaccess statements and not wanting to risk tampering with it, we made a change to login.php which, though not too elegant, seems to have done the business -

 

// Build the SSL URL for the login page from the configured HTTPS_SERVER.
$ToHTTPS = tep_href_link(FILENAME_LOGIN, '', 'SSL');

// Redirect only when SSL is enabled, this request arrived without it,
// and the target really is an https:// URL (see the note below on loops).
if (ENABLE_SSL && $request_type == 'NONSSL' && substr($ToHTTPS, 0, 5) == 'https') {
  tep_redirect($ToHTTPS);
}

 

The last element of the condition is to stop it spinning forever should the script run with ENABLE_SSL set to ‘true’ and HTTPS_SERVER not set to https.

 

 

Many Thanks


@@march08

 

On shared hosting you won't get PCI compliance as there are too many requirements.

 

I use McAfee Secure scan and I have closed most holes except phpmyadmin, which is set as an alias server-wide without SSL login.

McAfee gives the links it finds in the result so you know. I managed to get "McAfee SECURE" in their test, but not the PCI check.


@@march08

On shared hosting you won't get PCI compliance as there are too many requirements.

Then the host needs to be replaced. Our shared servers are PCI compliant and pass scans regularly.


Archived

This topic is now archived and is closed to further replies.
