Rank: Member
Joined: 3/1/2004(UTC) Posts: 20
On behalf of a client I upgraded to version 5.7 because they were trying to achieve PCI compliance. The last hurdle we faced was to deal with unencrypted logons. I am going to detail it below in the hope that a solution will present itself and also that this may help others.
First note though, that the store skin is Tek Gear Redux, so the issue/solution may or may not apply to the default skin for the shopping cart.
So the client was using McAfee to test for PCI compliance and the last hurdle after the upgrade was as below:

Name: Unencrypted
Category: HTTP - Web Application
Severity: Medium / High In PCI
Impact: Information Disclosure
CVSS v2 Fingerprint: AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSS Score:
Description: The remote host appears to allow logins over unencrypted (HTTP) connections. This means that a user's login information is sent over the internet in clear text. An attacker may be able to uncover login names and passwords by sniffing network traffic.
Recommendation: Plain-text protocols should never be used to transmit sensitive information over the Internet. When passing login information to the web server, use HTTPS (SSLv3, TLS 1) instead of HTTP.
So the solution was to "force ssl on the login.aspx page". This force was done directly in IIS (version 6).
This creates a new problem, because now the sign in & my account links on the home page are coded to go to http instead of the ssl secured https.
As far as I can tell the issue stems from the way the user control login.aspx.vb works since it doesn't recognize that we need to go to an ssl page.
The code that I think is at issue is below:
Imports System.Text
Imports BVSoftware.Bvc5.Core

Partial Class BVModules_Themes_TekGearRedux_LoginMenu
    Inherits System.Web.UI.UserControl

    Dim _ShowUserName As Boolean = False

    ' When True, the Sign Out link also shows the user's first and last name.
    Public Property ShowUserName() As Boolean
        Get
            Return _ShowUserName
        End Get
        Set(ByVal value As Boolean)
            _ShowUserName = value
        End Set
    End Property

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
        Dim s As New StringBuilder
        If SessionManager.IsUserAuthenticated = True Then
            ' Logged-in visitor: render a Sign Out link
            s.Append("<a href=""" & Page.ResolveUrl("~/logout.aspx") & """ class=""lnkSignOut"">")
            If _ShowUserName = True Then
                Dim u As Membership.UserAccount = Membership.UserAccount.FindByBvin(SessionManager.GetCurrentUserId)
                s.Append("Sign Out (" & u.FirstName & " " & u.LastName & ")")
            Else
                s.Append("Sign Out")
            End If
            s.Append("</a>")
            Me.litLogin.Text = s.ToString
        Else
            ' Anonymous visitor: render a Sign In link. ResolveUrl returns an
            ' app-relative path, so the link inherits the scheme (http) of the
            ' page that renders it rather than forcing https.
            Dim destination As String = Page.ResolveUrl("~/Login.aspx")
            s.Append("<a href=""" & destination & """ class=""lnkSignIn"">")
            s.Append("Sign In")
            s.Append("</a>")
            Me.litLogin.Text = s.ToString
        End If
    End Sub
End Class
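One way to make the control emit an https link instead of relying on an IIS redirect, as an added example that is not the poster's code nor BV Commerce's own: a helper that turns the app-relative login path into an absolute https:// URL on the current host. It assumes the LoginMenu control above and that the site answers HTTPS on the default port 443.

```vbnet
' Added example, not the original poster's or BV Commerce's code. Assumes the
' LoginMenu control above and that HTTPS is served on the default port 443.
Imports System
Imports System.Text
Imports System.Web
Imports System.Web.UI

Public Class SecureLoginLink

    ' Turns an app-relative path such as "~/Login.aspx" into an absolute
    ' https:// URL on the current host, so the link reaches the SSL-only
    ' page even when the page rendering it was served over plain HTTP.
    Public Shared Function BuildSecureUrl(ByVal page As Page, ByVal appRelativePath As String) As String
        Dim request As HttpRequest = page.Request
        ' ResolveUrl yields "/vdir/Login.aspx"; on an HTTPS page that is enough
        Dim relative As String = page.ResolveUrl(appRelativePath)
        If request.IsSecureConnection Then
            Return relative
        End If
        ' Port -1 means "default for the scheme", so no ":443" is appended
        Dim ub As New UriBuilder("https", request.Url.Host, -1, relative)
        Return ub.Uri.AbsoluteUri
    End Function

    ' Renders the anonymous-visitor branch of LoginMenu.Page_Load with the
    ' secure link; the authenticated (Sign Out) branch needs no change.
    Public Shared Function RenderSignIn(ByVal page As Page) As String
        Dim s As New StringBuilder
        Dim destination As String = BuildSecureUrl(page, "~/Login.aspx")
        ' Attribute-encode the URL before placing it inside href=""
        s.Append("<a href=""" & HttpUtility.HtmlAttributeEncode(destination) & """ class=""lnkSignIn"">")
        s.Append("Sign In")
        s.Append("</a>")
        Return s.ToString()
    End Function
End Class
```

In the control's Else branch, replace the three Append calls with Me.litLogin.Text = SecureLoginLink.RenderSignIn(Page); the same BuildSecureUrl helper can serve the My Account link once its page path is known (the post does not give it).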
Rank: Member
Joined: 3/1/2004(UTC) Posts: 20
Just a little add-on note in case it helps. I did just now figure out a work-around on this. I added a custom error page for all 403.4 errors (SSL required), then in IIS did a permanent redirect on the custom error page to the login page. (In case you are wondering why the custom error page isn't directly the login page, it is because IIS didn't seem to like that, something about absolute URLs.)
So even though I have a work-around I would still like to have the "proper" solution to this.