There is a web application running on this host that transmits login credentials over HTTP, which is a cleartext protocol. As such, if an attacker was able to intercept traffic containing login credentials, it would be trivial to view user account and password information.
This references pages like: http://www.awesomedice.com/admin/index. ... mmon/login
Any idea how to fix this issue? I have no idea why this is just showing up in the PCI scan now, when it wasn't an issue in any previous scans.
Give a man a fire and you make him warm for a day. Light a man on fire, and you make him warm for the rest of his life.
http://www.awesomedice.com
To take care of the specific Admin issue they cite add or edit the .htaccess in your /admin folder to include:
RewriteEngine On
# Only act on requests that arrived over plain http
RewriteCond %{HTTPS} off
# Send the same admin path on over https; [L] stops further rule processing
RewriteRule ^(.*)$ https://www.awesomedice.com/admin/$1 [R=301,L]
-Ryan
When I put that into a .htaccess file in the /admin folder, it does indeed switch me over to https:// automatically; however, all attempts to login then fail. Furthermore I still get this warning when trying to login:
"Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.
Are you sure you want to continue sending this information?"
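The warning quoted above is the browser saying that the page itself arrived over https but the login form's action attribute still points at an http:// URL, so a redirect in .htaccess alone is not enough: the credentials would still be posted in cleartext. The script below is an added example, not code from this thread or from the OpenCart project. It takes the HTML of a login page and the URL it was served from, and reports every form with a password field whose submission target is not https (a form with no action submits back to the page URL, and a relative action resolves against it, exactly as a browser would). The domain shop.example and the markup are constructed samples; the reference to the HTTPS_SERVER define in admin/config.php is an OpenCart 2.x detail not stated in the thread.

```python
"""Check a login page for credential forms that would submit over cleartext HTTP.

Added example for this thread; it is not code from the OpenCart forum post or the
OpenCart project. Input is the HTML of a login page plus the URL it was served
from (constructed samples are embedded below).
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Record each <form>'s action and whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []      # one dict per form: {"action": str | None, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action"), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_cleartext_logins(page_url, html):
    """Return a list of findings for credential forms whose target is not https.

    A form without an action submits back to page_url, and a relative action is
    resolved against page_url, which mirrors how the browser decides whether to
    show the "sent over an unencrypted connection" warning.
    """
    findings = []
    page_scheme = urlsplit(page_url).scheme
    if page_scheme != "https":
        findings.append(f"page itself served over {page_scheme}: {page_url}")

    collector = _FormCollector()
    collector.feed(html)
    for form in collector.forms:
        if not form["has_password"]:
            continue                       # not a credential form, ignore
        target = urljoin(page_url, form["action"] or "")
        if urlsplit(target).scheme != "https":
            findings.append(f"password form posts to cleartext URL: {target}")
    return findings


# Constructed sample: an OpenCart-style admin login page served over https whose
# form action still carries http://, which is what you get when the HTTPS_SERVER
# define in admin/config.php (OpenCart 2.x) still reads http://.
SAMPLE_PAGE_URL = "https://shop.example/admin/index.php?route=common/login"
SAMPLE_HTML_BROKEN = """
<html><body>
<form action="http://shop.example/admin/index.php?route=common/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <button type="submit">Login</button>
</form>
<form action="index.php?route=common/forgotten" method="post">
  <input type="text" name="email">
</form>
</body></html>
"""
# The same constructed page once the form action points at https.
SAMPLE_HTML_FIXED = SAMPLE_HTML_BROKEN.replace("http://shop.example", "https://shop.example")


if __name__ == "__main__":
    for label, html in (("broken", SAMPLE_HTML_BROKEN), ("fixed", SAMPLE_HTML_FIXED)):
        found = find_cleartext_logins(SAMPLE_PAGE_URL, html)
        print(f"{label}: {found if found else 'no cleartext credential submission'}")
```

Run it against the saved source of your own /admin login page (view-source in the browser will do) after switching Use SSL on; an empty result means the form posts over https and the warning goes away, while a finding that names an http:// URL tells you the form target, not the page, is what still needs fixing.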
rph wrote:
    If you haven't already, turn on SSL for your store in System > Settings > Edit > Server. I think that will take care of everything in the storefront (you might still be able to force http but I can't remember for sure).
    To take care of the specific Admin issue they cite add or edit the .htaccess in your /admin folder to include:
    This will force re-direct everything in Admin to https.
    RewriteEngine On
    # Only act on requests that arrived over plain http
    RewriteCond %{HTTPS} off
    # Send the same admin path on over https; [L] stops further rule processing
    RewriteRule ^(.*)$ https://www.awesomedice.com/admin/$1 [R=301,L]
Thanks for the great tip.
DL
This account is inactive. Look for us under the name 'EvolveWebHosting' and contact us under that username.
Thanks!
rph wrote:
    It means you don't have SSL turned on.
Again, it is turned on. In System > Settings > Server the "Use SSL" has the "Yes" checked.
I'm still getting the PCI Compliance failure notices -- any other thoughts?
rph wrote:
    It needs to be in the admin folder, not the store base.
You lost me... please explain a little bit more.
Thanks.
DL
cwswebdesign wrote:
    rph wrote:
        It needs to be in the admin folder, not the store base.
    You lost me... please explain a little bit more.
    Thanks.
    DL
You need the code in the htaccess file in the admin folder, not in the store folder.
For example, if you installed OpenCart in a directory called store, you would have a folder inside that called admin; you need it in that admin folder, not in the store htaccess folder.
smifis wrote:
    cwswebdesign wrote:
        rph wrote:
            It needs to be in the admin folder, not the store base.
        You lost me... please explain a little bit more.
        Thanks.
        DL
    You need the code in the htaccess file in the admin folder, not in the store folder.
    For example, if you installed OpenCart in a directory called store, you would have a folder inside that called admin; you need it in that admin folder, not in the store htaccess folder.
Gotcha. That's what I thought was meant, but wanted to double check. Thanks.
I use Authorize.net for my credit card processor for my Opencart site.
I have used Authorize.net for over 12 years. Sekurity Merchants are the ones I go thru to use Authorize.net.
Opencart version 2.3.0.2
SSL Certificate installed
Failed PCI Compliance with SecurityMetrics.com. Security Metrics was recently partnered with Sekurity Merchants and so my PCI Compliance needed to be updated to them running it. I was racking my brains and looking in the forums to see how to fix or why it might be failing. THEN my rep for Sekurity Merchants was kind enough to call and say she noticed the fail and asked how she could help. She got on the phone with me and Security Metrics to have them talk thru any missing information they might need to get the PCI Compliance to pass. The first thing he noticed was that there was not an IP address listed for the site. He simply told me to go to securitymetrics.com and look in the bottom left corner of the page to find my IP address and to give him the numbers. He ran the scan and we PASSED. I did not alter any code, etc... it was something as simple as them not having all the information. So if you continually rack your brains and alter code, it could be something as simple as that. Just wanted to give everyone that little bit of advice. Not sure if it will work for you. But it worked for me.
Johnni
p.s. And this is not a plug for SecurityMetrics or Sekurity Merchants. But I did notice that people that had Security Metrics scans were coming up with a fail. So this may be your issue, too.