web server uses cleartext HTTP Basic authentication

lindsay
12-13-2010, 02:54 PM
Hello,
One of my site's PCI scan has a vulnerability of 3. The issue is that the web server uses cleartext HTTP Basic authentication. How can I fix this? Any advice is greatly appreciated. Thank you! This is the complete vulnerability description:

Description: web server uses cleartext HTTP Basic authentication (/)
Severity: Potential Problem
Impact: Poor authentication practices may leave the web application vulnerable to authentication attacks.
Background: Some web applications perform authentication by requiring a user to enter a login and password into an HTML form. This type of authentication is achieved using the HTML INPUT element with the type attribute set to password.
Resolution: To use HTML form-based authentication more securely in web applications, do the following:
- Remove the value attribute from the INPUT tag corresponding to the password field.
- Submit all forms to an SSL-enabled (https) service using the form's action attribute.
- Place all protected web directories on an SSL-enabled (https) service.
- Use the autocomplete="off" attribute in the INPUT tag corresponding to the password field.
Vulnerability Details:
Service: 2077:TCP
Received: WWW-Authenticate: Basic realm="cPanel WebDisk"

JohnW
12-14-2010, 12:32 AM
That is a WHM/cPanel server setting that the webhost/server admin controls, and 2077 isn't a secure SSL login. 2078 is the secure https login for that. cPanel has secure ports and non-secure ones, but if you're running PCI scans then you probably want to be on a more secure server. The secure logins are 2078, 2083, 2087 on cPanel.
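The check the scanner performed and JohnW explains (a Basic challenge offered on a plaintext cPanel port that has a TLS counterpart), written out as an added Python example; this is not code from the thread or from cPanel. The raw 401 response is constructed from the "Received:" line above, and the 2082/2083 and 2086/2087 entries in the port map are assumed from standard cPanel/WHM assignments, not stated in the thread.

```python
import re
from typing import Dict, List

# Constructed sample: what the PCI scanner reported receiving from port 2077.
SAMPLE_RESPONSE_2077 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="cPanel WebDisk"\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)

# Plaintext port -> TLS port. 2077/2078 come from the thread; the other two
# pairs are assumed standard cPanel (2082/2083) and WHM (2086/2087) ports.
CPANEL_TLS_PORT = {2077: 2078, 2082: 2083, 2086: 2087}


def parse_challenges(raw: str) -> List[Dict[str, str]]:
    """Return each WWW-Authenticate challenge as {"scheme", "realm"}."""
    head = raw.split("\r\n\r\n", 1)[0]          # headers only, drop any body
    challenges = []
    for line in head.split("\r\n")[1:]:         # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        m = re.match(r'\s*(\w+)(?:\s+realm="([^"]*)")?', value)
        if m:
            challenges.append({"scheme": m.group(1), "realm": m.group(2) or ""})
    return challenges


def assess_basic_auth(raw: str, port: int, tls: bool) -> List[str]:
    """Flag Basic challenges on a non-TLS port; Basic over TLS is acceptable."""
    findings = []
    for ch in parse_challenges(raw):
        if ch["scheme"].lower() != "basic" or tls:
            continue                             # other schemes are out of scope
        fix = CPANEL_TLS_PORT.get(port)
        hint = f"use TLS port {fix}" if fix else "serve the realm over https"
        findings.append(
            f'{port}/tcp: Basic realm "{ch["realm"]}" over cleartext; {hint}'
        )
    return findings


if __name__ == "__main__":
    for f in assess_basic_auth(SAMPLE_RESPONSE_2077, 2077, tls=False):
        print(f)
```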

lindsay
12-14-2010, 08:09 AM
Hello,
Is this something that they may be able to adjust? I will speak with my hosting company and see what they can do. Thank you for your help! Have a great December!
Lindsay

JohnW
12-14-2010, 08:39 AM
If I were you I would look for a host that is concerned with PCI compliance without you having to push them to it. Your host may have a better suited server. Budget hosting is one of the reasons PCI compliance is done. You can find hosts that are PCI compliant, and FYI Michael has AAbox hosting, so you could talk to him.

Bottom line is don't penny pinch on hosting because it will bite you in the...

lindsay
12-14-2010, 08:55 AM
I will keep his hosting company in mind. It would be nice to have all of that support. Thank you for the advice!