

McAfee PCI Compliance Scan Fails Scot's Mailing List

1. 05/12/2009 12:27:52, Greg
A recent PCI Compliance scan from McAfee failed. I talked to my host (Hostasaurus) and they explain the reason for the failure as

"They have discovered your Scot's Mailing List application's interface at /scotmail/scotmail.mvc and are failing you because of the fact that you can get to the admin login page insecurely."

Can someone offer some insight as to how we can overcome this situation? We did update the app to the current 3.33d version and resubmitted to McAfee but failed again.

Thanking you in advance for any help offered.

Greg
#369
2. 05/12/2009 12:38:48, Scot
Hi,

Anyone in the world can get to the Scot's Mailing List admin login page, just like anyone in the world can get to your miva merchant admin login page. Hopefully you have a good login and password so that people can't get INTO the admin.

So, if you'll give me a detailed explanation of the problem and what McAfee wants in order to resolve it, I'll do what I can.

Unless I'm missing something here, I don't see an issue unless you've left your scot's mailing list in test mode?  If that's the case, anyone in the world can get into your admin but it's easily fixed by going into the scot's mailing list system configuration.

Scot
#370
3. 05/12/2009 12:46:27, Greg
Thanks for the prompt reply Scot. I have listed below the details from McAfee that they have given to me.

The remote host appears to allow logins over unencrypted (HTTP) connections. This means that a user's login information is sent over the internet in clear text. An attacker may be able to uncover login names and passwords by sniffing network traffic.
Plain-text protocols should never be used to transmit sensitive information over the Internet. When passing login information to the web server, use HTTPS (SSLv3, TLS 1) instead of HTTP.

What is your take on this?

Greg
#371
4. 05/12/2009 13:36:35, Scot
Hi,

Apparently they think you need to use a secure server for Scot's Mailing List, that's all I can see.  If you're worried, you should log into scot's mailing list via https instead of http.

Scot
#372
5. 05/14/2009 12:31:08, Greg
Scot,

I'm not worried at all. However, McAfee will not pass me on the PCI Compliance. I tried to slip by by telling them it was just an interface for customers to sign up for our newsletter. They didn't buy that. They know it is an admin page. Their response is as follows:

"This looks like the admin page. Can you make sure that https is explicitly called in the form tag? "

I assume this would mean some type of edit to the software. I'm not a coder or developer. Can the above be accomplished to satisfy these idiots?

Any help is much appreciated.

Greg
#373
6. 05/14/2009 12:42:06, Scot
I think it would take me putting some configuration variables into the system so you can specify your secure server and if you want to log in that way, similar to how miva merchant does it.

However, if you have a secure server, I think you could change the http in the signup form to https and then when mcafee follows that form or whatever they are doing, the scot's mailing list system will be served by your secure server instead of the regular one.

To further clarify (or muddle, hmm?), if you access scot's mailing list via https instead of http, all the links should follow that you're on https because they are not hard coded into the script, they use the miva environment to create that part of the links.
#374
7. 05/14/2009 13:16:26, Greg
Ok, I changed the link in the signup form to https. I will resubmit to McAfee to scan again. However, I think they are looking specifically at the admin page. I don't see how the above action affects the admin page.
#375
8. 05/14/2009 13:24:33, Scot
How would they know where the admin page is, however, unless they are following the link from your form?  If they follow it from an https form, I think the admin link will also be https.
#376
9. 05/16/2009 12:02:21, Greg
I changed the link to the signup form from http to https. So now when a customer clicks on the subscribe link they go to https://premierproductsonline.com/scotmail/scotmail.mvc?action=subscribe2

Unfortunately, this did not solve my problem. McAfee is still failing me for the Unencrypted Login Information Disclosure vulnerability at /scotmail/scotmail.mvc on our server hosted with hostasaurus.

Any other thoughts?

Greg
#377
10. 05/16/2009 13:48:06, Scot
Hi Greg,

No, no other thoughts.  If you can get the details of what exactly they mean by "Unencrypted Login Information Disclosure Vulnerability" I'll be happy to try to fix it in the next update.

Scot
#378
11. 10/14/2009 11:45:51, sassyronin
Whether McAfee is just going to the standard URL for the list admin or following a link, you can force the mailing list page to use https:// instead of http:// by adding three lines to your .htaccess file:

# Redirect any non-https request for the mailing list script to https.
# Pattern is relative to the directory holding this .htaccess (no leading slash);
# the original query string (e.g. ?action=subscribe2) is carried over automatically.
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^scotmail/scotmail\.mvc$ https://www.yoursite.com/scotmail/scotmail.mvc [R=301,L]

Pretty sure that should solve your problem. (Sorry I didn't see this back in May.)
#414
Scot's Simple Forum, v 1.02 • copyright © by Scot Ranney • visit ScotsScripts.com for support