

Cross Scripting on Scots Mail - Miva Application

1. 06/27/2010 21:51:37, krsullivan
Not sure how to contact the developer of scots mail, so I figure this is a good place to start.

Scots Mail for Miva. Control Scan (a 3rd party PCI compliance scan company) has been failing two of our websites for Cross Scripting, citing the scotsmail.mvc application. Example: www.yourdomain.com/scotmail/scotmail.mvc. We are using the latest version 3.33d. However, it continues to fail scans.

Thanks,

Kevin
www.automotiveworkwear.com
www.sullivanuniforms.com
#486
2. 06/27/2010 22:05:27, krsullivan
Oops, sorry, not cross scripting; see the two items below:

1)
Autocomplete Enabled for Password Input
Path:/scotmail/scotmail.mvc
Poor authentication practices may leave the web application vulnerable to authentication attacks.

Some web applications perform authentication by requiring a user to enter a login and password into an HTML form. This type of authentication is achieved using the HTML INPUT element with the type attribute set to password.

There are several potential vulnerabilities associated with HTML form-based authentication:

• Authentication Credentials Prefilled. The password field is prefilled with a default value, possibly allowing universal access to the application being authenticated.
• Clear-text Form-based Authentication. The password is sent over the network unencrypted when a user submits the login form, thereby allowing an attacker who is capable of sniffing the network to view the password.
• Clear-text HTTP Basic Authentication. The password is sent over the network unencrypted when a user authenticates to a protected web directory, thereby allowing an attacker who is capable of sniffing the network to view the password.
• Autocomplete Enabled. The form allows the browser's autocomplete feature to automatically fill the password field with previously submitted values when a user begins entering a password. This feature could reveal one user's password to another user on the same computer.
Additional information on the INPUT element is in the HTML 4.01 Specification, Section 17.4.  For more information on HTTPS, see whatis.com.  For more information on the autocomplete feature in HTML, see HTML Code Tutorial.

Solution:
To use HTML form-based authentication more securely in web applications, do the following:

• Remove the value attribute from the INPUT tag corresponding to the password field.
• Submit all forms to an SSL-enabled (https) service using the form's action attribute.
• Place all protected web directories on an SSL-enabled (https) service.
• Use the autocomplete="off" attribute in the INPUT tag corresponding to the password field.
Information from Target:
Service: http
Received:
<input type="password" name="password" value=""> <input type="submit" value="login">


2)
Web Services - 500068 - TCP 80 - Risk 3 HTML Page Uses Cleartext Form-based Authentication
Path:/scotmail/scotmail.mvc
Poor authentication practices may leave the web application vulnerable to authentication attacks.

Some web applications perform authentication by requiring a user to enter a login and password into an HTML form. This type of authentication is achieved using the HTML INPUT element with the type attribute set to password.

There are several potential vulnerabilities associated with HTML form-based authentication:

• Authentication Credentials Prefilled. The password field is prefilled with a default value, possibly allowing universal access to the application being authenticated.
• Clear-text Form-based Authentication. The password is sent over the network unencrypted when a user submits the login form, thereby allowing an attacker who is capable of sniffing the network to view the password.
• Clear-text HTTP Basic Authentication. The password is sent over the network unencrypted when a user authenticates to a protected web directory, thereby allowing an attacker who is capable of sniffing the network to view the password.
• Autocomplete Enabled. The form allows the browser's autocomplete feature to automatically fill the password field with previously submitted values when a user begins entering a password. This feature could reveal one user's password to another user on the same computer.
Additional information on the INPUT element is in the HTML 4.01 Specification Section 17.4.

For more information on HTTPS, see whatis.com.

For more information on the autocomplete feature in HTML, see HTML Code Tutorial.

Solution:
To use HTML form-based authentication more securely in web applications, do the following:

• Remove the value attribute from the INPUT tag corresponding to the password field.
• Submit all forms to an SSL-enabled (https) service using the form's action attribute.
• Place all protected web directories on an SSL-enabled (https) service.
• Use the autocomplete="off" attribute in the INPUT tag corresponding to the password field.
Information from Target:
Service: http
Received:
<input type="password" name="password" value=""> <input type="submit" value="login">
#487
3. 06/28/2010 10:39:44, Scot
The only way this could be harmful is if you have a bot on your computer that records your keystrokes.

Other than that, one of the main options above is to use a secure connection which you can do by accessing scotmail.mvc from https instead of http.

Scot
#488
4. 06/29/2010 11:47:57, krsullivan
Hello Scot, thank you for the response. I understand what you are telling me. I don't know how to implement it. In a few months, all 3rd party scanning companies will be required to scan for this type of condition, so anyone using your application will be in the same boat.

So, what do I need to do in order to get the application to pass a scan? Control Scan told me to contact the vendor for a solution or remove the application. What do you recommend, or can you give me more detail on the fix? Thanks

Kevin
#489
5. 06/29/2010 11:58:00, Scot
Try using https in the url when you access scotmail.mvc instead of http; sounds like that's the main issue.

The auto-complete "off" suggestion is easily implemented for the next update.

The changing of the password field is also simple enough.

The only reason any of these would be issues is if your system or network connection has been compromised, and if so, you'll experience more problems than someone using your installation of scot's mailing list because they will have access to all of your passwords and login info!

#490
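The scan findings quoted in post 2 and the fixes Scot lists in post 5 come down to three checks on the login form: no value attribute on the password input, autocomplete="off" on it, and a form action that posts over https. The script below is an added example, not code from this thread or from Scot's Scripts; it audits an HTML fragment for exactly those three conditions the way the scanner does, using only Python's standard library. The two forms it runs against are constructed samples (the hostname example.invalid is a placeholder), the first shaped like the scanner's "Received" line over plain http, the second the hardened equivalent.

```python
"""Audit login forms for the three weaknesses the PCI scan report flags."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a login form as the scanner might receive it over
# plain http. Not the real scotmail.mvc output; the host is a placeholder.
WEAK_FORM = """
<form action="http://www.example.invalid/scotmail/scotmail.mvc" method="post">
  <input type="text" name="username">
  <input type="password" name="password" value="">
  <input type="submit" value="login">
</form>
"""

# Constructed hardened equivalent: https action, no value attribute on the
# password field, autocomplete="off" as the report's Solution section asks.
HARDENED_FORM = """
<form action="https://www.example.invalid/scotmail/scotmail.mvc" method="post">
  <input type="text" name="username" autocomplete="off">
  <input type="password" name="password" autocomplete="off">
  <input type="submit" value="login">
</form>
"""


class LoginFormAuditor(HTMLParser):
    """Collect findings about password inputs and the form enclosing them."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._form_action = None        # action of the <form> currently open
        self._form_autocomplete = None  # form-level autocomplete, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "form":
            self._form_action = attrs.get("action") or ""
            self._form_autocomplete = attrs.get("autocomplete")
            return
        if tag != "input" or (attrs.get("type") or "").lower() != "password":
            return
        name = attrs.get("name") or "?"

        # Finding 1 ("Authentication Credentials Prefilled"): the scanner
        # flags the mere presence of a value attribute, even value="".
        if "value" in attrs:
            self.findings.append(f"{name}: password input carries a value attribute")

        # Finding 2 ("Autocomplete Enabled"): the field's own attribute wins,
        # otherwise the enclosing form's setting applies.
        autocomplete = attrs.get("autocomplete", self._form_autocomplete)
        if (autocomplete or "").lower() != "off":
            self.findings.append(f"{name}: autocomplete is not off")

        # Finding 3 ("Cleartext Form-based Authentication"): a relative action
        # inherits the page's scheme, which we cannot see here, so anything
        # that is not explicitly https is reported for a human to confirm.
        scheme = urlsplit(self._form_action or "").scheme.lower()
        if scheme != "https":
            self.findings.append(
                f"{name}: form action is not https ({self._form_action!r})"
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None
            self._form_autocomplete = None


def audit_login_form(html):
    """Return the list of findings for the HTML; an empty list means clean."""
    auditor = LoginFormAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for label, markup in (("weak", WEAK_FORM), ("hardened", HARDENED_FORM)):
        print(label, audit_login_form(markup) or "no findings")
```

Of the three items, the https change is the one that removes a real exposure (the password crossing the network in the clear); current browsers largely ignore autocomplete="off" on login fields, so that attribute mainly satisfies the scanner's check rather than changing what a shared computer stores. Run the script against the login page's served HTML to confirm the form itself posts to https, since simply browsing to the https URL does not help if the form action still hard-codes http.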
Scot's Simple Forum, v 1.02 • copyright © by Scot Ranney • visit ScotsScripts.com for support