yellowbellys Posted April 5, 2015

I've attached my Trustwave PCI Certification Network Vulnerability scan, and as you can see, I'm failing it based on five (5) "Unencrypted Communication Channel Accessibility" issues and one (1) "Web Application Transmits Login Credentials Without Encryption" issue. The full PDF contains more information. What needs to be fixed?

Attachment: trustwave_asv_report.pdf
bellini13 Posted April 5, 2015

Unfortunately this report is useless, since it does not state what is unencrypted. I would suggest you contact them and ask them to provide the detail as to what files or resources they have discovered that are unencrypted.
yellowbellys Posted April 6, 2015 (edited)

Right, I have found all of the details, here they are:

Web Application Transmits Login Credentials Without Encryption

Description: There is a web application running on this host that transmits login credentials over HTTP, which is a clear-text protocol. As such, if an attacker was able to intercept traffic containing login credentials, it would be trivial to view user account and password information.

Remediation: All web application communications containing sensitive information should be transmitted using SSL/TLS (HTTPS). If re-direction from HTTP to HTTPS is utilized in an attempt to remediate this finding, please ensure that such redirection occurs on the server side of the system (for example via the use of the HTTP "Location" header element) and that redirection is not reliant upon the client (browser) side.

Unencrypted Communication Channel Accessibility

On ports: 21, 25, 26, 110, 143

Description: The service running on this port appears to make use of a plaintext (unencrypted) communication channel. The PCI DSS forbids the use of such insecure services/protocols. Unencrypted communication channels are vulnerable to the disclosure and/or modification of any data transiting through them (including usernames and passwords), and as such the confidentiality and integrity of the data in transit cannot be ensured with any level of certainty.

Remediation: Transition to using more secure alternatives such as SSH instead of Telnet and SFTP in favor of FTP, or consider wrapping less secure services within more secure technologies by utilizing the benefits offered by VPN, SSL/TLS, or IPSec for example. Also, limit access to management protocols/services to specific IP addresses (usually accomplished via a "whitelist") whenever possible.

Edited April 6, 2015 by yellowbellys
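The scanner's remediation note for the first finding draws a line between a server-side redirect (a 3xx status with an https:// Location header) and a client-side one (a meta refresh or a script on a page that was already delivered over HTTP, login form and all). The script below, an added example that is not from the original thread, from PrestaShop, or from Trustwave's tooling, fetches a URL over plain HTTP without following redirects and classifies the first reply the way the finding describes. The host name shop.example and the four sample responses are constructed; run it with no arguments to classify those, or pass the http:// URL of the login page (on whatever host and port the report names) to test a live server.

```python
"""
Tell a server-side HTTP->HTTPS redirect apart from a client-side one, and
spot a login form that is simply served over HTTP.

Usage: python cleartext_login_check.py http://shop.example/admin123/
Run without arguments to classify the constructed sample responses below.
"""
import re
import socket
import sys
from urllib.parse import urlsplit

SERVER_REDIRECT = "server-side redirect to HTTPS (what the scanner asks for)"
HTTP_REDIRECT = "redirect without an https:// Location (still cleartext)"
CLIENT_REDIRECT = "client-side redirect only (meta refresh / script; still fails)"
CLEARTEXT_FORM = "login form served over HTTP (fails)"
NO_FORM = "no login form seen over HTTP"

_META_REFRESH = re.compile(r'<meta[^>]+http-equiv=["\']?refresh', re.I)
_SCRIPT_REDIRECT = re.compile(r'location(\.href)?\s*=\s*["\']https://', re.I)
_PASSWORD_FIELD = re.compile(r'<input[^>]+type=["\']?password', re.I)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")


def classify(raw: bytes) -> str:
    """Apply the scanner's distinction: only a 3xx to https:// counts as a server-side redirect."""
    status, headers, body = parse_response(raw)
    location = headers.get("location", "").lower()
    if 300 <= status < 400:
        return SERVER_REDIRECT if location.startswith("https://") else HTTP_REDIRECT
    # A browser would move on, but the scanner (and a sniffer) already has the page.
    if _META_REFRESH.search(body) or _SCRIPT_REDIRECT.search(body):
        return CLIENT_REDIRECT
    if _PASSWORD_FIELD.search(body):
        return CLEARTEXT_FORM
    return NO_FORM


def fetch_http(url: str, timeout: float = 5.0) -> bytes:
    """Send a bare HTTP/1.0 GET so no redirect is followed; return the first reply verbatim."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        raise ValueError("give the http:// URL; the point is to see how the cleartext port answers")
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    request = (f"GET {path} HTTP/1.0\r\nHost: {parts.hostname}\r\n"
               f"User-Agent: cleartext-login-check\r\n\r\n").encode()
    chunks = []
    with socket.create_connection((parts.hostname, parts.port or 80), timeout=timeout) as sock:
        sock.sendall(request)
        while True:
            chunk = sock.recv(65536)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


# Constructed sample replies (not captured from any real host).
SAMPLES = {
    "server_redirect": (b"HTTP/1.1 301 Moved Permanently\r\n"
                        b"Location: https://shop.example/admin123/\r\n"
                        b"Content-Length: 0\r\n\r\n"),
    "http_redirect": (b"HTTP/1.1 302 Found\r\n"
                      b"Location: http://shop.example/admin123/index.php\r\n\r\n"),
    "meta_refresh": (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                     b'<html><head><meta http-equiv="refresh" '
                     b'content="0;url=https://shop.example/admin123/"></head>'
                     b'<body><form method="post"><input type="password" name="passwd">'
                     b"</form></body></html>"),
    "cleartext_form": (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                       b'<html><body><form action="/admin123/index.php" method="post">'
                       b'<input type="text" name="email"><input type="password" name="passwd">'
                       b"</form></body></html>"),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(classify(fetch_http(sys.argv[1])))
    else:
        for name, raw in SAMPLES.items():
            print(f"{name}: {classify(raw)}")
```

One more case the classifier deliberately does not bless: a page served over HTTP whose form posts to an https:// action. The credentials travel encrypted, but the page that carries the form was delivered in the clear and can be rewritten in transit, so it is reported as a cleartext form and the fix is still a 301/302 to HTTPS before any HTML is sent.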
bellini13 Posted April 7, 2015

For the first one, you need to ensure you have an SSL certificate installed, and that all your page requests are using it. Again, they are not providing exactly what resource, so I cannot say that this is Prestashop or some other web application you might have installed.

For the second one, that is not related to Prestashop in any way. You should speak with your hosting company about remediating those ports.
yellowbellys Posted April 7, 2015

Here is the "evidence" of each test:

Unencrypted Communication Channel Accessibility
Port 21:
Port 25:
Port 26:
Port 110:
Port 143:

Web Application Transmits Login Credentials Without Encryption
Port 2077:

Does any of this pertain to Prestashop?
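The five flagged ports are the classic cleartext FTP, SMTP, POP3 and IMAP listeners, and the scanner's own remediation text offers two routes: wrap them in TLS or restrict who can reach them. Before raising it with the host, it helps to know exactly what each service does today. The probe below is an added example, not code from the thread, from PrestaShop or from Trustwave; for each port it reads the greeting, sends the protocol's capability request, and answers two questions: is a TLS upgrade advertised (AUTH TLS, STARTTLS, STLS), and does the service still accept a login before that upgrade? It assumes port 26 is a second SMTP listener, which is common on shared hosts but not stated in the report, and the sample replies embedded for offline use are constructed.

```python
"""
Probe the cleartext ports from the ASV report (21, 25, 26, 110, 143).

Usage: python plaintext_ports.py mail.shop.example
Run without arguments to assess the constructed sample replies below.
"""
import socket
import sys

# port -> (protocol, request that lists capabilities, token that advertises a TLS upgrade)
# Port 26 is assumed to be a second SMTP listener; the report does not say what runs there.
PLAINTEXT_SERVICES = {
    21:  ("ftp",  b"FEAT\r\n",               "AUTH TLS"),
    25:  ("smtp", b"EHLO probe.invalid\r\n", "STARTTLS"),
    26:  ("smtp", b"EHLO probe.invalid\r\n", "STARTTLS"),
    110: ("pop3", b"CAPA\r\n",               "STLS"),
    143: ("imap", b"a1 CAPABILITY\r\n",      "STARTTLS"),
}


def capabilities(port, response):
    """Pull upper-cased capability tokens out of a greeting plus capability reply."""
    proto = PLAINTEXT_SERVICES[port][0]
    caps = []
    for line in response.splitlines():
        if proto == "smtp" and line[:3].isdigit() and len(line) > 4:
            caps.append(line[4:].strip().upper())          # "250-STARTTLS" -> "STARTTLS"
        elif proto == "ftp" and line.startswith(" "):
            caps.append(line.strip().upper())              # FEAT indents each feature
        elif proto == "pop3" and line and not line.startswith(("+OK", "-ERR", ".")):
            caps.append(line.strip().upper())              # CAPA lists one token per line
        elif proto == "imap" and line.startswith("* CAPABILITY"):
            caps.extend(t.upper() for t in line.split()[2:])
    return caps


def assess(port, response):
    """Decide whether TLS is offered and whether a cleartext login is still accepted."""
    proto, _, tls_token = PLAINTEXT_SERVICES[port]
    caps = capabilities(port, response)
    tls_upgrade = any(c.startswith(tls_token) for c in caps)
    if not tls_upgrade:
        plaintext_auth = True                  # cleartext is all that is on offer
    elif proto == "smtp":                      # AUTH advertised before STARTTLS means cleartext AUTH works
        plaintext_auth = any(c == "AUTH" or c.startswith("AUTH ") for c in caps)
    elif proto == "pop3":                      # USER/SASL listed before STLS means cleartext login works
        plaintext_auth = any(c == "USER" or c.startswith("SASL") for c in caps)
    elif proto == "imap":                      # LOGINDISABLED is the server refusing LOGIN until TLS
        plaintext_auth = "LOGINDISABLED" not in caps
    else:
        plaintext_auth = None                  # FTP: FEAT cannot say whether USER/PASS work before AUTH TLS
    if not tls_upgrade:
        verdict = "plaintext only: no TLS upgrade advertised"
    elif plaintext_auth:
        verdict = "TLS upgrade offered, but credentials are still accepted in the clear"
    elif plaintext_auth is None:
        verdict = "TLS upgrade offered; send USER before AUTH TLS to see whether it is refused"
    else:
        verdict = "TLS upgrade offered and cleartext login refused"
    return {"port": port, "tls_upgrade": tls_upgrade, "plaintext_auth": plaintext_auth, "verdict": verdict}


def _read_until_quiet(sock, idle=2.0):
    """Read until the peer pauses; adequate for short greeting/capability replies."""
    sock.settimeout(idle)
    data = b""
    try:
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    except socket.timeout:
        pass
    return data.decode("utf-8", "replace")


def probe(host, port, timeout=5.0):
    """Connect in the clear, read the greeting, send the capability request, return both as text."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        greeting = _read_until_quiet(sock)
        sock.sendall(PLAINTEXT_SERVICES[port][1])
        return greeting + _read_until_quiet(sock)


# Constructed sample replies (not captured from any real host).
SAMPLE_RESPONSES = {
    21:  "220 (vsFTPd 3.0.2)\r\n211-Features:\r\n EPRT\r\n EPSV\r\n MDTM\r\n PASV\r\n SIZE\r\n UTF8\r\n211 End\r\n",
    25:  "220 mail.shop.example ESMTP\r\n250-mail.shop.example\r\n250-SIZE 52428800\r\n"
         "250-STARTTLS\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME\r\n",
    110: "+OK Dovecot ready.\r\n+OK\r\nCAPA\r\nTOP\r\nUIDL\r\nUSER\r\nSTLS\r\n.\r\n",
    143: "* OK IMAP4rev1 ready.\r\n* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED\r\na1 OK Capability completed.\r\n",
}

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else None
    for port in PLAINTEXT_SERVICES:
        if host:
            try:
                text = probe(host, port)
            except OSError as exc:
                print(f"{port}: not reachable ({exc})")
                continue
        elif port in SAMPLE_RESPONSES:
            text = SAMPLE_RESPONSES[port]
        else:
            continue
        print(f"{port}: {assess(port, text)['verdict']}")
```

Two caveats for reading the output. First, the finding is about the port answering in cleartext at all, so even a service that refuses every login until STARTTLS still presents an unencrypted channel to the scanner; whether the ASV accepts an opportunistic upgrade, or insists on the implicit-TLS ports (990, 465, 995, 993) with the cleartext ones closed or whitelisted, is a question to put to Trustwave along with the host. Second, the result for a port that advertises AUTH or USER before the TLS upgrade is the one to act on first, because that is the exact condition (credentials readable on the wire) the description warns about.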
bellini13 Posted April 7, 2015

As I said before, take up the port issues with your hosting provider; that has nothing to do with Prestashop.

Port 2077 also has nothing to do with Prestashop. You have something else installed (perhaps the server's control panel?) that is listening on that port. Again, this is an issue for your hosting provider to resolve.
yellowbellys Posted April 7, 2015

Okay, thanks. I'll let them know Prestashop is ruled out.