As part of our PCI Compliance project and in work with clients trying to reach compliance, I’ve noticed a new criterion that will catch many web sites. The issue involves web authentication forms.
Authentication Forms
Recently in our work with ControlScan, SecurityMetrics and other PCI scanning vendors, we’ve noticed an increasing number of the following issues:
ControlScan report:
Web Server Uses Plain Text Authentication Forms
Family: Web Services
Risk: High
Port / Protocol: 80 / tcp
ID: 26194
Synopsis: The remote web server might transmit credentials over clear text
Solution: Make sure that every form transmits its results over HTTPS
Description: The remote web server contains several HTML forms containing an input of type 'password' which transmit their information to a remote web server over plain text.
An attacker eavesdropping the traffic might use this setup to obtain logins and passwords of valid users.
Page : /index.php/eng/content
Destination page : /index.php/eng/user/login
Input name : Password
Page : /index.php/eng/content/?D=A
Destination page : /index.php/eng/user/login
Input name : Password
CVSS(2) Base Score: 5.0
CVSS(2) Base Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
The issue is pages that have login information, such as webmail, member areas and admin areas, and that are not using HTTPS. Technically, there is no security risk in having the entrance page in HTTP provided that it POSTs via a secured (HTTPS) connection. However, for scanning purposes, vendors are flagging these pages.
I recently had to go to bat for a client regarding a login box that he had on every page of his site. The login box was used to access account information. Once you clicked the submit button the system would POST via an HTTPS link, but the scanning vendor flagged the page as being insecure. The severity level was high enough to cause the site to fail the PCI scan.
Time to Clean Up
If you are running a site that accepts credit cards (either directly or via a third party), I recommend you start reviewing your site for trivial issues such as member forms being called through HTTP. For large sites, fixing these items may be non-trivial. For our client, his login box was on every page of a 100+ page site. So changing this on the fly would mean converting the entire site to HTTPS.
Also, as I noted years ago, it is time to end clear text protocols. Most systems now support IMAP/POP3/SMTP over SSL. I would expect clear text protocols to be the next target on the PCI scanners' list of bad practices to avoid.
The Short Version
If you have web forms and are or may become subject to PCI scanning rules, start to clean up your site now. Make sure any forms that collect login or other personal information are called via HTTPS only.
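One way to review saved pages for this finding before the scanner does, as an added example that is not part of the original post: it lists every form with a password input and separates forms that really submit in clear text from the HTTP-page-with-HTTPS-POST case the vendors flag. The sample HTML and the example.com host are constructed; the paths mirror the scan report above.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class PasswordFormFinder(HTMLParser):
    """Collect (action, password input names) for each form that holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._in_form, self._action, self._names = False, "", []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._in_form, self._action, self._names = True, a.get("action") or "", []
        elif tag == "input" and self._in_form and (a.get("type") or "").lower() == "password":
            self._names.append(a.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form" and self._in_form:
            if self._names:
                self.forms.append((self._action, self._names))
            self._in_form = False


def audit_page(page_url, html):
    """Return one finding per password form found in the page's HTML."""
    finder = PasswordFormFinder()
    finder.feed(html)
    finder.close()
    page_https = urlparse(page_url).scheme == "https"
    findings = []
    for action, names in finder.forms:
        dest = urljoin(page_url, action)  # empty or relative action inherits the page's scheme
        if urlparse(dest).scheme != "https":
            status = "cleartext-submit"      # credentials cross the wire unencrypted
        elif not page_https:
            status = "http-page-https-post"  # the case the scanners still flag
        else:
            status = "ok"
        findings.append({"page": page_url, "destination": dest, "inputs": names, "status": status})
    return findings


# Constructed sample forms; example.com is a placeholder host.
SAMPLE_RELATIVE = '<form method="post" action="/index.php/eng/user/login"><input type="password" name="Password"></form>'
SAMPLE_ABSOLUTE = '<form method="post" action="https://example.com/index.php/eng/user/login"><input type="password" name="Password"></form>'
```

Call `audit_page(url, html)` with the URL a page was fetched from and its HTML; any status other than `ok` is a form a scanner of this kind is likely to report.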