Hello all,
I have developed a site using Drupal 5 and now the customer is saying that securitymetrics.com states our site is not in compliance with their security standards (Visa, MasterCard).
I am interested in how I can correct these items and get them in compliance. Can anyone help? Any help is greatly appreciated.
Here is the report they sent.
__________________________________________________________________________________________________
Protocol: TCP Port: 80 Program: http Risk: 5
Summary: The forms on the website that currently contain USER ID and PASSWORD fields need to be transmitted over HTTPS, instead of HTTP.
Synopsis: The remote web server might transmit credentials over clear text
Description: The remote web server contains several HTML forms containing an input of type 'password' which transmit their information to a remote web server over plain text. An attacker eavesdropping on the traffic might use this setup to obtain logins and passwords of valid users.
Solution: Make sure that every form transmits its results over HTTPS.
Risk Factor: Medium
===============================================================================================================================
Protocol: TCP Port: 21 Program: ftp Risk: 3
Summary:
Synopsis: The remote FTP server allows credentials to be transmitted in clear text.
Description: The remote FTP server does not encrypt its data and control connections. The user name and password are transmitted in clear text and may be intercepted by a network sniffer, or a man-in-the-middle attack.
Solution: Switch to SFTP (part of the SSH suite) or FTPS (FTP over SSL/TLS). In the latter case, configure the server such that data and control connections must be encrypted.
Risk Factor: Low
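The first finding is something you can verify yourself before and after the fix. The scanner's logic is simple: find every form on a page that contains an input of type "password", resolve the form's action against the page URL, and flag it if the resulting URL is not https. The check below reproduces that logic over a constructed Drupal-style login page; it is an added example, not code from the original post or from securitymetrics.com, and the page URL, form markup and field names are assumptions made up for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect every <form> on a page and note whether it holds a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # one dict per form: resolved action + password flag
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)    # HTMLParser lowercases attribute names already
        if tag == "form":
            # A missing or relative action resolves against the page URL,
            # which is exactly how a browser would submit it.
            action = attrs.get("action") or ""
            self._current = {"action": urljoin(self.page_url, action),
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_password_forms(page_url, html):
    """Return the submit URLs of forms that carry a password field but do not post over HTTPS."""
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return [f["action"] for f in scanner.forms
            if f["has_password"] and urlsplit(f["action"]).scheme != "https"]


# Constructed sample: a Drupal 5-style login block and a search form on one page.
PAGE_URL = "http://www.example.com/user/login"
SAMPLE_HTML = """
<html><body>
<form action="/search/node" method="post" id="search-theme-form">
  <input type="text" name="search_theme_form" />
  <input type="submit" value="Search" />
</form>
<form action="/user/login" method="post" id="user-login">
  <input type="text" name="name" />
  <input type="password" name="pass" />
  <input type="submit" value="Log in" />
</form>
</body></html>
"""

if __name__ == "__main__":
    for url in insecure_password_forms(PAGE_URL, SAMPLE_HTML):
        print("password form submitted over plain text:", url)
    # The same markup served from https://... produces no findings.
    print("findings on https page:",
          insecure_password_forms("https://www.example.com/user/login", SAMPLE_HTML))
```

Run against a saved copy of the page (fetch it, then pass the URL and body to `insecure_password_forms`) to confirm the login, registration and password-reset forms all resolve to https after you change the site configuration. One caveat the scanner's wording hides: an absolute `https://` action on a page that is itself served over plain HTTP still passes this check, but the page (and therefore the form) can be altered in transit before the user ever types anything, so the practical fix is to serve the whole login page over HTTPS and redirect plain-HTTP requests for it, not just to change the action attribute.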