1. Trevor Holyoak
  2. PowerServer 2020 or older (Obsolete)
  3. Thursday, 29 April 2021 16:50 PM UTC

Is there a way to fix this? The server automatically redirects to HTTPS when the initial web connection is made, but apparently when the IWA login dialog comes up it just uses HTTP? Is there a setting we need to change, or is this a deeper problem?


This is what the scan results say:

The Web server uses plain-text form based authentication. A web page exists on the target host which uses an HTML login form. This data is sent from the client to the server in plain-text.


Accepted Answer
Ken Guo @Appeon
  1. Friday, 14 May 2021 09:00 AM UTC
  2. PowerServer 2020 or older (Obsolete)

Hi Trevor,


We’ve verified locally but didn’t reproduce this issue.


When we accessed the PowerServer Web application using HTTPS, the LDAP login window was also using the HTTPS protocol, as shown in the screenshot below.


Did you set it to automatically redirect to HTTPS in order to be able to access your application with HTTP? If yes, then we need you to check if you’ve redirected all HTTP requests to HTTPS.


Regards,

Ken

  1. Trevor Holyoak
  2. Friday, 14 May 2021 16:30 PM UTC
OK, I just installed URL Rewrite in IIS and set up a rule to redirect all HTTP requests. I've requested a re-scan, and we'll see what happens.

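An IIS URL Rewrite rule of the kind described in the comment above, added here as an illustration; it is not taken from the thread or from Appeon, and the rule name and site-level web.config placement are assumptions:

```xml
<!-- Site-level web.config (assumed location); requires the IIS URL Rewrite module. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Matches every request path, so the login form (Logon.aspx?ReturnUrl=...)
             is covered, not only the landing page that was already redirecting. -->
        <rule name="Redirect all HTTP to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <!-- {HTTPS} is "off" for a plain-HTTP request -->
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <!-- 301 to the same host and path; appendQueryString defaults to true,
               so the ReturnUrl query parameter survives the redirect. -->
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Before requesting a re-scan, request the login path itself over plain HTTP and confirm the response is a 301 whose Location header starts with https://, since a redirect on the landing page alone leaves the form reachable over HTTP.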
  1. Trevor Holyoak
  2. Friday, 14 May 2021 19:34 PM UTC
After doing that, it passed the PCI scan, so we're all set now! Thanks!
  1. Armeen Mazda @Appeon
  2. Friday, 14 May 2021 19:50 PM UTC
Glad to hear your issue is resolved, and thanks for marking the correct answer!
Trevor Holyoak
  1. Friday, 30 April 2021 17:30 PM UTC
  2. PowerServer 2020 or older (Obsolete)

We are using Appeon PowerServer 2020 Build 2323.

Our application begins with a login screen (see attached). This apparently sends the login information on port 80, according to the PCI scan results.

If you are going to our application from a browser (which is the behavior the PCI scan would be simulating), an HTTP request is redirected to HTTPS to get things started up.


Attachments (1)
  1. Trevor Holyoak
  2. Thursday, 6 May 2021 14:45 PM UTC
To Armeen - we got a server put together to try the 2021 beta, and are working on getting our app working on it so we can do the test.



To Ken - the guy that is familiar with our setup on our production server is checking to see if there are any settings that we have missed that might be causing the problem.
  1. Armeen Mazda @Appeon
  2. Thursday, 6 May 2021 14:52 PM UTC
Excellent news. If you run into any issues with PS 2021 beta, please open a support ticket. And after you test with the security tool, please let us know the results of the PCI scan. It should be PCI compliant, so if it is not, it is either a config issue or a beta bug we need to resolve for the final release. Thanks.
  1. Trevor Holyoak
  2. Wednesday, 19 May 2021 20:35 PM UTC
FYI, our little test project with the PS 2021 beta has stalled because the error list had too many things that would need to be changed on it. We'll get back to it eventually, since our app will need to be migrated at some point, but we've got some other projects that need to be done first.
Ken Guo @Appeon
  1. Friday, 30 April 2021 03:01 AM UTC
  2. PowerServer 2020 or older (Obsolete)

Hi Trevor,

May I ask what version of PowerServer you are using?


I’m not sure what you mean by “IWA Login Dialog”. Can you help elaborate? And a screenshot would be the best.

Also, could you let me know whether you access your application by using HTTPS directly, or by using HTTP, which then automatically redirects to HTTPS?


Regards,

Ken
