PCI Compliance scan failure

(3 posts) (2 voices)


  1. labber, Member

    Hello,

    We're running your software in a PCI Compliant environment that gets scanned every month for vulnerabilities. Our latest scan shows a vulnerability with the password field on the login page of myDBR. Below is the report.

    The Web form contains passwords or other sensitive text fields for which the
    browser auto-complete feature is enabled. Auto-complete stores completed form
    field and passwords locally in the browser, so that these fields are filled
    automatically when the user visits the site again.

    Sensitive data and passwords can be stolen if the user's system is
    compromised.

    Note, however, that form auto-complete is a non-standard, browser-side feature
    that each browser handles differently. Opera, for example, disregards the
    feature, requiring the user to enter credentials for each Web site visit.

    Evidence:

    Form with action https://xx.xxx.xxx.xxx/index.php?a=login does not explicitly
    disable autocomplete for the following sensitive fields: password

    Status: vulnerable-exploited

    Any chance you could fix this for us so we can pass our test?

  2. myDBR Team, Key Master

    Hi,
    this option has been added into the latest build. Run the updater and add the following setting into user/defaults.php:

    $mydbr_defaults['login']['autocomplete'] = 'off';

    --
    myDBR Team
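As an added illustration (not code from the thread or from myDBR), the scanner finding above and the fix below can be reproduced offline with a small auditor that applies the same rule the report states: flag every password or otherwise sensitive field in a form unless the field, or its enclosing form, carries autocomplete="off". The login form markup is constructed here; the action URL is the redacted one from the report.

```python
from html.parser import HTMLParser

# Constructed sample: the login form before the fix, with the redacted action
# URL from the scan report (not a real host), and the same form after the fix.
FORM_BEFORE = """
<form action="https://xx.xxx.xxx.xxx/index.php?a=login" method="post">
  <input type="text" name="user">
  <input type="password" name="password">
  <input type="submit" value="Login">
</form>
"""
FORM_AFTER = FORM_BEFORE.replace('name="password"',
                                 'name="password" autocomplete="off"')


class AutocompleteAuditor(HTMLParser):
    """Collect, per form, the sensitive fields that do not explicitly disable
    autocomplete. A field passes if it, or the enclosing <form>, has
    autocomplete="off". type=password is always sensitive; other inputs are
    sensitive when their name is in SENSITIVE_NAMES (constructed list)."""
    SENSITIVE_NAMES = ("password", "passwd", "pwd", "otp", "token")

    def __init__(self):
        super().__init__()
        self.findings = []   # list of (form action, [offending field names])
        self._form = None    # [action, form-level autocomplete off?, [bad fields]]

    @staticmethod
    def _is_off(attrs, key="autocomplete"):
        return (attrs.get(key) or "").strip().lower() == "off"

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = [a.get("action") or "", self._is_off(a), []]
        elif tag == "input" and self._form is not None:
            name = a.get("name") or ""
            sensitive = ((a.get("type") or "").lower() == "password"
                         or name.lower() in self.SENSITIVE_NAMES)
            if sensitive and not (self._is_off(a) or self._form[1]):
                self._form[2].append(name)

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            action, _, bad = self._form
            if bad:                      # only report forms with findings
                self.findings.append((action, bad))
            self._form = None


def audit(html):
    """Return [(form action, [sensitive fields lacking autocomplete=off])]."""
    parser = AutocompleteAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings
```

Current mainstream browsers ignore autocomplete="off" on password fields for their built-in password managers, so the attribute satisfies this scanner check but does not by itself prevent credentials being stored client-side.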

  3. labber, Member

    That fixed it. Thanks for resolving it so fast!

