SecurityMetrics shows that my site is not compliant with PCI


This is an old issue; it bothers me since the cost of credit card processing is very high due to non-compliance with PCI. A security check performed by SecurityMetrics found one major issue, which is the following:

Synopsis: The remote web server might transmit credentials in cleartext.
Description: The remote web server contains several HTML form fields containing an input of type 'password' which transmit their information to a remote web server in cleartext. An attacker eavesdropping on the traffic between web browser and server may obtain logins and passwords of valid users.
Solution: Make sure that every sensitive form transmits content over HTTPS.
Risk Factor: Medium / CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Other references: CWE:522, CWE:523, CWE:718, CWE:724

Does anyone know how to fix it? I am using CS-Cart 1.3.5, and my host is HostMonster.

Thanks in Advance.
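The scanner finding above boils down to a static check any site owner can run against their own pages: find every form that contains an input of type 'password' and work out where the browser would actually send it. The Python below is an added example, not code from the original post, from CS-Cart or from SecurityMetrics' scanner; the page URLs, form actions and HTML snippets in it are constructed for illustration. It resolves the form's action against the page URL (a missing or relative action posts back to the page's own scheme and host) and flags two cases: the action itself resolves to http://, and the action is https:// but the page containing the form was served over http://, which still fails because anyone on the path can rewrite the action before the user types.

```python
"""Added example: find HTML forms whose password fields would be submitted over cleartext HTTP.

Not CS-Cart code and not the scanner's own logic; sample pages below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

REASON_CLEARTEXT = "password field submitted over cleartext HTTP"
REASON_REWRITABLE = "form served over cleartext HTTP; its https action can be rewritten in transit"


class _FormScanner(HTMLParser):
    """Collect each <form>, its action attribute, and whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of {"action": str | None, "has_password": bool}
        self._current = None   # the <form> we are currently inside, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)        # attribute values may be None for bare attributes
        if tag == "form":
            self._current = {"action": a.get("action"), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # type is case-insensitive in HTML and defaults to "text" when absent
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_cleartext_password_forms(html, page_url):
    """Return a list of findings, one per form that would leak a password over HTTP.

    page_url is the URL the HTML was served from; it decides what a relative
    or missing action resolves to.
    """
    scanner = _FormScanner()
    scanner.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        # An empty or missing action submits back to the page URL itself.
        target = urljoin(page_url, form["action"] or "")
        if urlsplit(target).scheme.lower() != "https":
            findings.append({"target": target, "reason": REASON_CLEARTEXT})
        elif page_scheme != "https":
            findings.append({"target": target, "reason": REASON_REWRITABLE})
    return findings


# --- constructed sample pages (hypothetical shop at shop.example) ---

# Relative action: inherits the scheme of whatever URL the page was loaded from.
LOGIN_PAGE = """<html><body>
<form action="login.php" method="post">
  <input type="text" name="user_login">
  <input type="PASSWORD" name="password">
</form>
<form action="search.php"><input type="text" name="q"></form>
</body></html>"""

# Page may be https, but the action explicitly downgrades to http.
DOWNGRADE_PAGE = """<form action="http://shop.example/login.php" method="post">
  <input name="user_login"><input type="password" name="password">
</form>"""

# Action is https, but if this page is served over http the action is not trustworthy.
HTTPS_ACTION_PAGE = """<form action="https://shop.example/login.php" method="post">
  <input name="user_login"><input type="password" name="password">
</form>"""


if __name__ == "__main__":
    for name, html, url in [
        ("login over http", LOGIN_PAGE, "http://shop.example/index.php"),
        ("login over https", LOGIN_PAGE, "https://shop.example/index.php"),
        ("downgraded action", DOWNGRADE_PAGE, "https://shop.example/index.php"),
        ("https action on http page", HTTPS_ACTION_PAGE, "http://shop.example/index.php"),
    ]:
        print(name, "->", find_cleartext_password_forms(html, url))
```

Running the script shows the fix the scanner is asking for: the same LOGIN_PAGE markup produces no finding once the page is loaded over https, because the relative action then resolves to https as well. Pointing only the action at https while the page itself stays on http is reported separately, since that is the case a site owner is most likely to try first and it does not close the hole.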


Your problem is two-fold.

One, you are using CS-Cart 1.3.5x, which hasn't kept up in terms of PCI compliance. If I recall correctly, PCI compliance became an issue with the 2.0.x version, and from that point on CS-Cart actively developed against it.

Two, you are using HostMonster, which won't leave you with enough resources to run a software firewall and the appropriate security enhancements that in most cases can 'push' sites through the PCI scanning measures (example: encrypted cookies).

Thanks. If I upgrade to CS-Cart 2.xx, will the problem go away?

[quote name='yjiang' timestamp='1336490946' post='136067']
Thanks. If I upgrade to CS-Cart 2.xx, will the problem go away?
[/quote]

You are still hosted with HostMonster; you'll require their assistance in plugging all the security holes, and more than likely you'll pay them a tidy sum to do this for you.

Short answer: no.