04-26-2008, 10:17 PM
bristweb
PCI compliance

During a recent PCI compliance test, I noticed a warning which could be easily fixed:

Quote:
Security warning found on port/service "http (80/tcp)"

Plugin "Web Server Uses Plain Text Authentication Forms"
Category "Web Servers"
Priority Ranking "Medium Priority"

Synopsis : The remote web server might transmit credentials over clear text

Description : The remote web server contains several HTML forms containing an input of type 'password' which transmit their information to a remote web server over plain text. An attacker eavesdropping the traffic might use this setup to obtain logins and passwords of valid users.

Solution : Make sure that every form transmits its results over HTTPS

Risk factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Plugin output :
Page : /myaccount.asp
Destination page : login.asp?ordertracking=1
Input name : password

I have made the navigation on the site point to these pages; however, this should be done automatically. Any form which requests a password should be made secure without additional action from the user or administrator.

Last edited by bristweb : 04-26-2008 at 10:20 PM.
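
A check along the lines of the finding quoted above, added here as an example (it is not part of the original post and not the scanner's own code): it lists every form with a password input and reports those whose resolved destination is not HTTPS. The host `store.example`, the sample markup and the function names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class PasswordFormFinder(HTMLParser):
    """Collect (form action, input name) for each password input inside a form."""

    def __init__(self):
        super().__init__()
        self.action = None   # action of the form currently open; None outside forms
        self.found = []      # list of (action, input_name)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action = a.get("action") or ""
        elif tag == "input" and self.action is not None:
            if (a.get("type") or "").lower() == "password":
                self.found.append((self.action, a.get("name") or ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self.action = None


def cleartext_password_forms(page_url, html):
    """Return one finding per password form whose destination is not HTTPS."""
    finder = PasswordFormFinder()
    finder.feed(html)
    findings = []
    for action, name in finder.found:
        # An empty or relative action inherits the scheme of the page itself.
        dest = urljoin(page_url, action)
        if urlsplit(dest).scheme.lower() != "https":
            findings.append({"page": page_url, "destination": dest, "input": name})
    return findings


# Constructed sample: the form from the scan output, on a placeholder host.
SAMPLE = """
<form method="post" action="login.asp?ordertracking=1">
  <input type="text" name="email">
  <input type="password" name="password">
</form>
"""

if __name__ == "__main__":
    for url in ("http://store.example/myaccount.asp", "https://store.example/myaccount.asp"):
        print(url, cleartext_password_forms(url, SAMPLE))
```

This mirrors the scan's criterion, which looks only at where the form submits; a relative action such as the one reported becomes HTTPS once the page carrying the form is itself served over HTTPS.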