Kryptronic Software Support Forum
You are viewing this forum as a guest. Login to an existing account, or create a new account, to reply to topics and to create new topics.
#1 09-21-2012 10:10:46
- imre
- Member
- Registered: 08-24-2007
- Posts: 13
PCI compliance transmission of login data.
Hi Folks,
We are using security metrics and have pretty much worked thru all of their PCI compliance issues. This is the last problem:
For: Web Server Uses Basic Authentication Without HTTPS
All username and passwords must transmit over https only.
"https://www.yourdomain.com/index.php?app=cms&ns=login&sid=011r9673jl8vp01tj7l262j0w902brct&portrelay=1"
can have the "s" removed and transmit insecurely
"http://www.yourdomain.com/index.php?app=cms&ns=login&sid=011r9673jl8vp01tj7l262j0w902brct&portrelay=1"
Any ideas with this? We never used to have this type of failure. Is this a CCP or server issue?
Thanks,
Paul
Last edited by imre (09-21-2012 10:12:40)
Offline
#2 09-28-2012 11:21:41
- imre
- Member
- Registered: 08-24-2007
- Posts: 13
Re: PCI compliance transmission of login data.
Well, I can say that to gain PCI compliance has been quite a process.
The CCP clearly needs some work done to it to make it PCI compliant
These directories cause pop up boxes that can be seen in http
/private
/downloads
Solution: Use .htaccess to deny access to everyone (until you need to manage the shop)
The login and checkout url problem mentioned in this thread also needs to be fixed.
We tried to put the entire shop into https and then found we had other problems such as adding to cart would fail.
So certain url strings had to be forced into https by editing skip.php
<?php
if( $_SERVER['SERVER_NAME'] == "domain.com")
{
header('Location: http://www.domain.com');
exit;
}
if($_GET['ns'] == 'checkoutfn' && ( !isset( $_SERVER['HTTPS'] ) || $_SERVER['HTTPS']!=='on' )){
header('Location: http://www.domain.com');
}
if($_GET['ns'] == 'login' && ( !isset( $_SERVER['HTTPS'] ) || $_SERVER['HTTPS']!=='on' )){
header('Location: http://www.domain.com');
}
?>
Offline
#3 09-29-2012 00:32:27
Re: PCI compliance transmission of login data.
These directories cause pop up boxes that can be seen in http
/private
/downloads
These popup login screens are a result of the webserver and not ccp, you can add this to the htaccess file in both directories and force the request to https
Code:
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "your_site.com"
ErrorDocument 403 https://your_site.comreplace your_site.com with your actual url.
All username and passwords must transmit over https only.
As for getting ccp's login screen under http yes you can get the screen where you type in the information but in a closer look at the actual form being produced, the form is submitted under https, that is if you have a valid and properly installed security certificate and your secure url entered into the private_dir/config.php file.
Code:
<form action="https://www.yourdomain.com/index.php" method="post" id="core--login">
Only the actual domain name was changed in the example above and the https form opener was present even if the "s" was removed from the https url request, but still the actual form is submitted under https.
Getting ccp to run totally under https is doable as well, you have to run the installer or edit the private_dir/config.php file and insert your https url in both the non-secure and secure url fields, it would also be a good idea to only allow the webserver to answer to port 443 (or what ever secure port open/inuse on the server).
John
Offline
#4 10-01-2012 11:41:25
Re: PCI compliance transmission of login data.
FYI... The version 8 ClickCartPro login screens direct automatically to https when accessed via http due to this new PCI requirement. It's a difficult mod to put into v7, but we can do it via a custom shop job if anyone is interested.
Nick Hendler
Offline
#5 10-12-2012 15:07:46
- larry
- Member
- Registered: 07-21-2003
- Posts: 437
Re: PCI compliance transmission of login data.
imre wrote:
These directories cause pop up boxes that can be seen in http
/private
/downloads
Solution: Use .htaccess to deny access to everyone (until you need to manage the shop)
Would you provide the .htaccess command to deny access to everyone for the downloads directory?
We use Trustwave and the PCI scanner flagged that directory with the same issue. So far, they have not flagged any other issues with http and https, but I'm sure it is only a matter of time...
Laurie Stephens
Offline