
PCI compliance


    during a recent PCI compliance test, I noticed a warning which could be easily fixed

    Security warning found on port/service "http (80/tcp)"

    Plugin "Web Server Uses Plain Text Authentication Forms"
    Category "Web Servers"
    Priority Ranking "Medium Priority"

    Synopsis : The remote web server might transmit credentials over clear text
    Description : The remote web server contains several HTML forms containing an input of type 'password' which transmit their information to a remote web server over plain text. An attacker eavesdropping on the traffic might use this setup to obtain logins and passwords of valid users.

    Solution : Make sure that every form transmits its results over HTTPS

    Risk factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
    Plugin output : Page : /myaccount.asp
    Destination page : login.asp?ordertracking=1
    Input name : password

    I have made the navigation on the site point to these pages; however, this should be done automatically. Any form which requests a password should be made secure without additional action from the user or administrator.
    Last edited by bristweb; 04-26-2008, 05:20 PM.
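The check the scanner is reporting can be reproduced offline before re-running a PCI scan. The script below is an added example, not code from the original post or from the scanner vendor: it parses each page for forms that contain an `<input type="password">`, resolves the form's `action` against the URL the page was served from (a relative action such as `login.asp?ordertracking=1` inherits the scheme of its page, so a form on an `http://` page still posts in clear text even if a separate HTTPS copy exists), and reports every destination that is not `https://`. The sample pages and the host name `shop.example` are constructed for illustration.

```python
"""Offline reproduction of the "Web Server Uses Plain Text Authentication
Forms" check: report every form with a password field whose resolved
submission target is not https://.

Added example, not code from the original post or from the scanner vendor.
The sample HTML below is constructed; the host name shop.example is assumed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class PasswordFormFinder(HTMLParser):
    """Collect (action, has_password_input) for each <form> on one page."""

    def __init__(self):
        super().__init__()
        self.forms = []          # finished forms: (action, has_password)
        self._current = None     # [action, has_password] while inside a <form>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            self._current = [a.get("action") or "", False]
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None


def find_plaintext_password_forms(page_url, html):
    """Return [(page_url, resolved_destination)] for every form on the page
    that has a password input and whose destination is not served over https."""
    parser = PasswordFormFinder()
    parser.feed(html)
    parser.close()
    findings = []
    for action, has_password in parser.forms:
        if not has_password:
            continue
        # Relative actions inherit the scheme of the page they came from, so a
        # form on an http:// page stays plain text unless the action is absolute.
        destination = urljoin(page_url, action)
        if urlsplit(destination).scheme.lower() != "https":
            findings.append((page_url, destination))
    return findings


def scan_site(pages):
    """pages: {page_url: html}. Return all findings across the site."""
    findings = []
    for url, body in pages.items():
        findings.extend(find_plaintext_password_forms(url, body))
    return findings


# Constructed sample pages mirroring the plugin output quoted in the post.
MYACCOUNT_HTML = """
<html><body>
<form method="post" action="login.asp?ordertracking=1">
  <input type="text" name="email">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>
<form method="get" action="search.asp">
  <input type="text" name="q">
</form>
</body></html>
"""

FIXED_HTML = """
<html><body>
<form method="post" action="https://shop.example/login.asp?ordertracking=1">
  <input type="text" name="email">
  <input type="password" name="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    site = {
        "http://shop.example/myaccount.asp": MYACCOUNT_HTML,
        "https://shop.example/secure/myaccount.asp": FIXED_HTML,
    }
    for page, dest in scan_site(site):
        print(f"Page : {page}  Destination page : {dest}")
```

One caveat the scanner's wording does not spell out: it only looks at where the form posts. A login form that is itself delivered over plain HTTP can be altered in transit before the user ever submits it, so the page carrying the form needs to be served over HTTPS as well, not just its action URL. The script flags that case too, because a relative action on an `http://` page resolves to `http://`.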