Post by wackyracer8 » Tue Nov 06, 2012 6:32 am

Hi guys, I'm trying to get an OpenCart website PCI compliant and one of the issues I'm facing is this...

Description: Web Server Uses Plain Text Authentication Forms
Synopsis: The remote web server might transmit credentials in cleartext.
Impact: The remote web server contains several HTML form fields containing an input of type 'password' which transmit their information to a remote web server in cleartext. An attacker eavesdropping the traffic between web browser and server may obtain logins and passwords of valid users.
Data Received: Page: /wp-login.php
Destination page: Input name: pwd
Other references: CWE:522, CWE:523, CWE:718, CWE:724
Resolution: Make sure that every sensitive form transmits content over HTTPS.
Risk Factor: Medium / CVSS2 Base Score: 4.0 AV:N/AC:H/Au:N/C:P/I:N/A:N

How can I fix the above?
Last edited by wackyracer8 on Tue Nov 06, 2012 7:50 am, edited 1 time in total.

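Added example (editor's code, not from any poster in this thread): a small check that reproduces what the scanner finding above is looking for. It parses a page, finds every form that contains an `<input type="password">`, resolves the form's `action` against the page URL, and reports forms whose target is not `https://`. The page URL, hostname and HTML below are constructed for the example; only the input name `pwd` and the path `/wp-login.php` come from the thread.

```python
"""Flag HTML forms whose password field would be submitted over cleartext HTTP.

Mirrors the "Web Server Uses Plain Text Authentication Forms" finding: a form
with <input type="password"> whose action resolves to a non-https:// URL.
The sample page below is constructed; it is not taken from the site in the thread.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect each form's action plus the names of its password inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []          # dicts: {"action": str, "password_fields": [str]}
        self._current = None     # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "password_fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["password_fields"].append(attrs.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_cleartext_password_forms(page_url, html):
    """Return (resolved_action, [password field names]) for every form that
    carries a password input and would submit it to a non-https:// URL."""
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["password_fields"]:
            continue
        # An empty action posts back to the page itself and a relative action
        # inherits the page's scheme, so resolve against the page URL first.
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme.lower() != "https":
            findings.append((target, form["password_fields"]))
    return findings


# Constructed sample: a WordPress-style login page served over plain HTTP,
# using the same input name ("pwd") the scanner reported in the thread.
SAMPLE_PAGE_URL = "http://www.example.com/wp-login.php"
SAMPLE_HTML = """
<html><body>
<form name="loginform" action="http://www.example.com/wp-login.php" method="post">
  <input type="text" name="log">
  <input type="password" name="pwd">
</form>
<form action="https://www.example.com/account/login" method="post">
  <input type="text" name="email">
  <input type="password" name="password">
</form>
<form action="/search" method="get"><input type="text" name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for action, fields in find_cleartext_password_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"cleartext password form -> {action} (fields: {', '.join(fields)})")
```

Run against the sample, only the first form is reported, because its action is an explicit `http://` URL; the second form posts to `https://` and the third has no password field. Pointing the check at every page that carries a login form (store front, admin, and any other application on the same host, such as the WordPress install mentioned later in the thread) finds the forms a PCI scan will complain about before the scan does.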

Post by rph » Tue Nov 06, 2012 6:47 am

Enable SSL for your store in System > Settings > [Edit] > Server.

-Ryan



Post by wackyracer8 » Tue Nov 06, 2012 7:20 am

I have, but the PCI report is still picking the above up.


Post by Avvici » Tue Nov 06, 2012 8:11 am

rph wrote: Enable SSL for your store in System > Settings > [Edit] > Server.

Indeed, just make sure that you actually have an SSL certificate installed on your server. Once you enable it like rph suggested, open your config.php and admin/config.php and make sure the paths are correct.

From:

// HTTPS
define('HTTPS_SERVER', 'http://www.domain.com/');
define('HTTPS_IMAGE', 'http://www.domain.com/image/');

to:

// HTTPS
define('HTTPS_SERVER', 'https://www.domain.com/');
define('HTTPS_IMAGE', 'https://www.domain.com/image/');

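Added example (editor's code, not OpenCart's and not from any poster in this thread): a checker for the config edit Avvici describes. It pulls every simple `define('NAME', 'value');` out of a config.php and, for each `HTTPS_*` constant, reports a value that does not start with `https://`, a hostname with an empty label (the `www..com` slip is easy to make when hand-editing), or a missing trailing slash. The sample file content is constructed; the regex only covers the plain single-line `define()` form OpenCart's installer writes, not PHP expressions.

```python
"""Check an OpenCart config.php for HTTPS_* constants that still point at http://.

Added example: after enabling SSL in the admin, config.php and admin/config.php
must define every HTTPS_* constant with an https:// URL. Only the simple
define('NAME', 'value'); form is parsed. SAMPLE_CONFIG is constructed.
"""
import re

# Matches define('NAME', 'value') or define("NAME", "value") on one line.
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<name>[A-Z_]+)\1\s*,\s*(['"])(?P<value>[^'"]*)\3\s*\)""")


def parse_defines(php_source):
    """Return {constant_name: value} for each simple define() in the file."""
    return {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(php_source)}


def check_https_defines(php_source):
    """Return a list of problems found in HTTPS_* constants: a scheme other
    than https://, a malformed hostname, or a missing trailing slash."""
    problems = []
    for name, value in parse_defines(php_source).items():
        if not name.startswith("HTTPS_"):
            continue
        if not value.lower().startswith("https://"):
            problems.append(f"{name}: scheme is not https:// ({value})")
        # Hostname is whatever sits between the scheme's // and the next /.
        host = value.split("//", 1)[-1].split("/", 1)[0]
        if not host or "" in host.split("."):
            problems.append(f"{name}: malformed hostname in {value}")
        if not value.endswith("/"):
            problems.append(f"{name}: OpenCart expects a trailing slash ({value})")
    return problems


# Constructed sample resembling the "before" state quoted in the thread, with
# the HTTPS_IMAGE hostname typo'd the way the thread's second snippet had it.
SAMPLE_CONFIG = """<?php
// HTTP
define('HTTP_SERVER', 'http://www.example.com/');
define('HTTP_IMAGE', 'http://www.example.com/image/');

// HTTPS
define('HTTPS_SERVER', 'http://www.example.com/');
define('HTTPS_IMAGE', 'https://www..com/image/');
"""

if __name__ == "__main__":
    for problem in check_https_defines(SAMPLE_CONFIG):
        print(problem)
```

On the sample it reports two problems: `HTTPS_SERVER` still uses `http://`, and `HTTPS_IMAGE` has a broken hostname. Run it over both config.php and admin/config.php, since the admin file has its own set of `HTTPS_*` constants and the store setting alone does not rewrite either file.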

Post by philbydevil » Tue Nov 06, 2012 8:15 am

/wp-login.php isn't an OC file... it's WordPress, isn't it? Are you running a WP site as well? Do you have to turn on SSL somewhere in the WP admin?

I heart cmd-f, cmd-c, cmd-v, cmd-z + vQmod.
My favourite page...
v1.5.4.1



Post by wackyracer8 » Tue Nov 06, 2012 8:23 am

Yeah, WordPress has it; that is just one of the errors. I think it may be the config file for OC, it may be going to the wrong place. Will check tomorrow.


Post by wackyracer8 » Sat Nov 10, 2012 6:39 am

Okay, so I managed to sort the one above; it was actually related to WordPress! I deleted it as it was not really needed and that error has gone. I have another though...

Description: Web Server Uses Basic Authentication Without HTTPS
Synopsis: The remote web server seems to transmit credentials in clear text.
Impact: The remote web server contains web pages that are protected by 'Basic' authentication over plain text. An attacker eavesdropping the traffic might obtain logins and passwords of valid users.
Data Received: The following pages are protected. /:/ realm="cPanel WebDisk"
Resolution: Make sure that HTTP authentication is transmitted over HTTPS.
Risk Factor: Medium / CVSS2 Base Score: 4.0 AV:N/AC:H/Au:N/C:P/I:N/A:N

Now I have been told this is because I have links in OC that are going to http://www.domain.com instead of https://www.domain.com. Is this true? I've scanned the files and there is no http://domain.com hardcoded.

Any ideas how to fix? I have SSL turned on as well and have the config going to https.

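Added example (editor's code, not from any poster in this thread): what the second finding actually detects, expressed as a check you can run yourself. The scanner requested a path over plain `http://`, received a `401` with a `WWW-Authenticate: Basic realm="..."` challenge, and recorded the realm. Basic authentication only base64-encodes `user:password`, so a challenge over `http://` invites the browser to send credentials in the clear; it is independent of any links inside OpenCart, which is why it is a server-side (cPanel) configuration matter. The responses below are constructed, not captured; only the realm string comes from the thread.

```python
"""Flag endpoints that challenge for 'Basic' credentials over plain HTTP.

Mirrors the "Web Server Uses Basic Authentication Without HTTPS" finding:
an http:// URL that answers 401 with a Basic challenge. SAMPLES is constructed.
"""
import re
from urllib.parse import urlsplit

REALM_RE = re.compile(r'realm\s*=\s*"?([^",]*)"?', re.IGNORECASE)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, {header: [values]})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # Header names are case-insensitive; a header may repeat.
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def basic_auth_over_cleartext(url, raw_response):
    """Return the realm name if `url` is plain http:// and the response
    challenges with Basic authentication; otherwise return None."""
    if urlsplit(url).scheme.lower() != "http":
        return None
    status, headers = parse_response(raw_response)
    if status != 401:
        return None
    for challenge in headers.get("www-authenticate", []):
        if challenge.lower().startswith("basic"):
            m = REALM_RE.search(challenge)
            return m.group(1) if m else ""
    return None


# Constructed sample exchanges. The realm echoes the one reported in the
# thread; the hostname is a placeholder.
SAMPLES = {
    "http://www.example.com/": (
        "HTTP/1.1 401 Unauthorized\r\n"
        'WWW-Authenticate: Basic realm="cPanel WebDisk"\r\n'
        "Content-Length: 0\r\n\r\n"),
    "https://www.example.com/": (
        "HTTP/1.1 401 Unauthorized\r\n"
        'WWW-Authenticate: Basic realm="cPanel WebDisk"\r\n'
        "Content-Length: 0\r\n\r\n"),
    "http://www.example.com/index.php?route=common/home": (
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"),
}

if __name__ == "__main__":
    for url, raw in SAMPLES.items():
        realm = basic_auth_over_cleartext(url, raw)
        if realm is not None:
            print(f"{url}: Basic auth challenge over cleartext (realm={realm!r})")
```

Only the first sample is flagged: the same challenge over `https://` is not a cleartext exposure, and the store page returns `200` with no challenge at all. The remediation the finding asks for is on the server, not in OpenCart: the host either serves that realm over HTTPS only or stops answering with a Basic challenge on port 80, which matches rph's answer below.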

Post by rph » Sat Nov 10, 2012 7:12 am

This is a server issue your host will need to fix.

-Ryan

