This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Client requiring PCI compliance

July 12, 2012 12:35pm

  • #1 / Jul 12, 2012 12:35pm

    Chris Arnold

    201 posts

    A client of ours needs total PCI compliance (medical-related website). We initially passed the first scan last month with help from our host and all seemed fine. But this week a new scan failed at the login screen for EE. The details:

    Path: /admin/admin.php?S=0=cp=login
    Poor authentication practices may leave the web application vulnerable to authentication attacks.

    Solution:
    To use HTML form-based authentication more securely in web applications, do the following:
    - Remove the value attribute from the INPUT tag corresponding to the password field.
    - Submit all forms to an SSL-enabled (https) service using the form’s action attribute.
    - Place all protected web directories on an SSL-enabled (https) service.
    - Use the autocomplete="off" attribute in the INPUT tag corresponding to the password field.

    A few things. We access the CP through /adm and not /admin. I also did a search on HTTPS for the CP and didn’t find much definitive information in return (just a handful of broken / hacky options). Wasn’t sure, too, if I could manually adjust the login form HTML itself to mitigate the scan error.

    What do you think?
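
The four recommendations quoted in the scan report above can be checked mechanically against a login page's markup, which is useful for confirming a fix before paying for a rescan. The following is an added example, not ExpressionEngine code, not the Force SSL add-on, and not the scanner's own logic; the two sample forms and the `example.invalid` host are constructed, and the `/admin/admin.php` path is borrowed from the report purely as an illustration.

```python
"""Check a login form's markup against the four form-authentication
recommendations quoted in the scan report above.

Added example, not ExpressionEngine or scanner code; the sample forms
and the example.invalid host are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Collect each <form> together with the <input> tags it contains."""

    def __init__(self):
        super().__init__()
        self.forms = []       # each entry: {"attrs": {...}, "inputs": [{...}, ...]}
        self._current = None  # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        # Normalise attribute names; a bare attribute (no "=") arrives with value None.
        attrs = {name.lower(): ("" if value is None else value) for name, value in attrs}
        if tag == "form":
            self._current = {"attrs": attrs, "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(attrs)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def check_login_form(html, page_url):
    """Return the list of findings for every form that has a password field.

    An empty list means each login form on the page satisfies all four
    recommendations; forms without a password field are ignored."""
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        password_fields = [i for i in form["inputs"] if i.get("type", "").lower() == "password"]
        if not password_fields:
            continue
        for field in password_fields:
            # 1. No value attribute on the password field, not even an empty one.
            if "value" in field:
                findings.append("password field carries a value attribute")
            # 4. autocomplete="off" on the password field.
            if field.get("autocomplete", "").lower() != "off":
                findings.append('password field lacks autocomplete="off"')
        # 2. The form must submit to an https URL; relative actions resolve against the page.
        action = urljoin(page_url, form["attrs"].get("action", ""))
        if urlparse(action).scheme != "https":
            findings.append("form action is not https: " + action)
        # 3. The protected page itself must be served over https.
        if urlparse(page_url).scheme != "https":
            findings.append("login page is not served over https: " + page_url)
    return findings


# Constructed sample: a login form showing the weaknesses the scan flags.
WEAK_FORM = """
<form method="post" action="/admin/admin.php">
  <input type="text" name="username" value="">
  <input type="password" name="password" value="">
  <input type="submit" value="Log in">
</form>
"""

# Constructed sample: the same form after the four recommendations are applied.
HARDENED_FORM = """
<form method="post" action="https://example.invalid/admin/admin.php">
  <input type="text" name="username" autocomplete="off">
  <input type="password" name="password" autocomplete="off">
  <input type="submit" value="Log in">
</form>
"""

if __name__ == "__main__":
    for label, html, url in (
        ("weak", WEAK_FORM, "http://example.invalid/admin/admin.php"),
        ("hardened", HARDENED_FORM, "https://example.invalid/admin/admin.php"),
    ):
        print(label + ":", check_login_form(html, url) or ["no findings"])
```

Running the block reports all four findings for the weak form and none for the hardened one. Two caveats worth keeping in mind: the check only inspects markup, so the form action and the control panel itself still have to actually be served over TLS for the second and third points to hold in practice, and most current browsers disregard `autocomplete="off"` on password fields, so that item satisfies the scanner without changing what the browser does.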

  • #2 / Jul 12, 2012 2:44pm

    Enviromed

    375 posts

  • #3 / Jul 12, 2012 3:25pm

    Chris Arnold

    201 posts

    Interesting. We’re already using the free DM Force SSL plugin for a few pages on the site. Any idea if this works in the CP? I’ll contact the dev, too.

  • #4 / Jul 16, 2012 11:04am

    Shane Eckert

    7174 posts

    Hey Chris,

    That Add-On looks promising. Would you mind reporting back here as to what you find?

    Thank you,

  • #5 / Jul 16, 2012 11:07am

    Chris Arnold

    201 posts

    I am in communication with the dev at this time. He is working on a revision to get to me in a day or two. I will report back. Thanks.

  • #6 / Jul 17, 2012 1:28pm

    Shane Eckert

    7174 posts

    Hey Chris,

    Awesome. I will be on the lookout for your update!

    Cheers,

  • #7 / Jul 20, 2012 12:52pm

    Chris Arnold

    201 posts

    It looks like the Force SSL add-on may work. I have been in contact with the dev who managed to set up a truly HTTPS control panel (after a few days of modification). Still a few small kinks, but it’s doing what it’s supposed to at the first few glances here.

  • #8 / Jul 20, 2012 5:34pm

    Shane Eckert

    7174 posts

    Hey Chris,

    Awesome. Thanks for the update.

    I will keep this open a bit if you would like.

    Cheers,

  • #9 / Jul 20, 2012 5:35pm

    Chris Arnold

    201 posts

    I think we’ll be all set. Feel free to close it down. I will repost if needed. Thanks!

  • #10 / Jul 20, 2012 5:38pm

    Shane Eckert

    7174 posts

    Hey Chris,

    Sounds good!

    If you need anything else, please just let me know by opening a new thread.

    Cheers,
