Post by kaylamatthews » Thu Oct 18, 2012 12:31 pm

If anybody can help it would be very appreciated. My web host is allegedly PCI compliant but I have not been able to pass a scan.

The error that cannot pass is "HTTP Server Username Probing", and here is the latest recommendation from my web host:
PCI compliance with this particular 'user-probing' issue is not passing because your website has certain rewrite rules which are catching non existent pages. For example, the following URL is an example where the PCI scan expects either 404 or 403 error (i.e not found/forbidden):

http://domain-name.com/~tadabc/

Instead, since there is no such page, your website returns 200 OK status and displays an HTML page instead.

We can overcome this, by disabling the SEO URLs until the scan completes, but it would be really much better to mark it as false-positive, as described in your previous ticket.
So basically I need to turn off SEO URL every time for the scan and turn it back on...doesn't sound right?

My compliance company is Trustwave, and I see above that somebody has managed to be compliant with them.

I am using Opencart 1.5.0 and the native Authorize.net module with an SSL certificate.

New member

Posts

Joined
Wed Jun 01, 2011 12:30 pm

Post by rph » Thu Oct 18, 2012 2:10 pm

If at all possible I'd recommend upgrading your store as there is an XSS double-encoding issue in older 1.5.x stores which may come up also with PCI scanning.

All I get is 404 headers when trying to reproduce the issue in a standard 1.5.0 install so you likely have some additional settings in .htaccess that's causing it. Your host is suggesting you report it as a false positive, which will require you to provide technical information to TrustWave (which I assume they provided in the previous email the support tech mentions).

-Ryan


rph
Expert Member

Posts

Joined
Fri Jan 08, 2010 5:05 am
Location - Lincoln, Nebraska

Post by Cosmological » Mon Mar 25, 2013 3:32 am

Hello

I'm running 1.5.5.1, and have just run into the same McAfee PCI scan issue as discussed here nearly 18 months ago.

Namely: "User specified URL redirection (Open Redirect)"

A few similar instances flagged up, the following is typical:
/index.php
Query route=module/language
Headers Referer=https%3A%2F%2Fwww.mydomain.co.uk%2F
Content-Type=multipart%2Fform-data%3B+boundary%3DX
Body --X Content-Disposition: form-data; name="language_code" en --X Content-Disposition: form-data; name
The McAfee "demo" demonstrates how a redirect may be inserted into the URL to redirect a visitor to the McAfree web page.

Is there a core fix in the pipeline for this (domain whitelist or something?), being that it's apparently been an issue for a while now? I haven't attempted to patch it myself yet - a bit reticent to start down that road especially considering the changes discussed earlier on this thread apply to earlier versions.

Thanks
Dan

Newbie

Posts

Joined
Thu Jan 10, 2013 6:53 am

Post by Demon5 » Sun May 12, 2013 5:35 pm

avvici wrote:Ok I mean really. ::) All this PCI this, PCI that. Most customers don't even know what it is let alone ask...
1) Install SSL on your server (preferably Dedicated IP and not shared SSL. If you are wondering why just run a search there are tons of posts about it. Show your customers you are a safe haven for entering such things as credit card numbers and email addresses. Have a privacy policy that talks about what you do with the data you take.
2) Don't store sensitive data on the server including CCV, CC numbers, SS numbers or what have you. 0 Liability means you get to leave it up to the powers that be that are already set up to do this ie Pay Pal, A.net, ogone, Sage pay and many more.

Other than that...relax and don't waste tons of money on silly PCI scanners (unless you think it will boost customer sales. Yes, having MACAFEE SECURE on your site can boost sales but only because of the NAME. Vulnerabilities, loop holes, weak spots, potential security holes can be found without them and frequently are. Out of the box Open Cart (as a developer and being familiar with different hacks and phishing techniques) has got a ton of potential in the realm of security which is great news because it means most of the work is already done for you.

If you are brave enough (or MUST ) store Social Security Numbers or CC numbers on your rack and have the capital to back a real PCI program/logic then by all means.....worry...and do your thing;) Do your thing.... If not, buy an SSL, have a beer....and make some money

Hey bud. PCI scanning is NOT about the customers feeling safe. Many merchant accounts REQUIRE you to pass PCI scans to process cards on your site without having to transfer over to them like google and paypal standard methods do. If they enter card on your site and you have things like authorize.net or firstdata they require you to pass pci scanning. Some will charge you extra fee's and some will totally shut down your merchant services so you can't collect through unsafe cart software. You need to have server patched up heavily. Have new php/apache/openssl/sql. Have certain protocols operating under certain conditions to pass. And then on top of that all the code on the cart site must also pass the pci scans or they can take action including not allowing you to process cards.

They are much less likely to take action if you are some random store doin 50 dollars in transactions a month than they would when they look at a site like mine but they still can do it.

https://www.lotnllc.com is your one stop shop for all your computer needs!


User avatar
Active Member

Posts

Joined
Sat Jun 19, 2010 4:12 am
Location - Sacramento, CA

Post by CamaroSS » Mon Mar 23, 2015 4:51 am

Hi,

My OpenCart site isn't passing PCI compliance anymore. If I purchase an SSL, will that fix my problem?

Thanks,

Julian

New member

Posts

Joined
Tue Jun 25, 2013 11:53 pm

Post by Cosmological » Mon Mar 23, 2015 5:14 am

CamaroSS wrote:
My OpenCart site isn't passing PCI compliance anymore. If I purchase an SSL, will that fix my problem?
An examination of your PCI audit results will tell you why your website is failing compliance.

A valid SSL certificate would be a prerequisite. There are free options available, by the way, which may be appropriate for your needs.

If you're not handling customer card data on your server, then PCI requirements are less stringent, although you certainly should still ensure that your servers are well configured, secured and maintained, so that customer data is kept secure - and yes, use TLS.

If you are doing your own processing (rather than passing off to a Gateway service) then I'd strongly suggest hiring someone who knows what they're doing to secure your servers. With all due respect, if your'e asking a question like this then you don't have the knowledge level required to secure web servers to PCI standard.

Newbie

Posts

Joined
Thu Jan 10, 2013 6:53 am
Who is online

Users browsing this forum: No registered users and 35 guests