alienincognito
Member
Posted 1 year ago
Anyone else have trouble passing PCI scans with the latest WP install? SecurityMetrics is holding us hostage.
Their scan reports that WP is prone to SQL injection and HTTP splitting attacks. Personally, I think it's BS; WP is pretty solid, but at this point it's either I have a store (which is completely separate) or WP. Anything I can do to get around this crap?
Their scan reports that WP is prone to SQL injection, and HTTP splitting attacks.
It has fallen victim to such attacks in the past, but there are no known security vulnerabilities in the current version (3.0.1).
Failing WP because it's prone to such attacks would be like me keeping you out of my home because you're prone to catching the cold. After all, you could catch the cold at any moment, and I wouldn't want to get sick over a chance like that.
I'm new to the whole PCI scanning scene, but perhaps you could have a different company perform the scan?
alienincognito
Member
Posted 1 year ago
Yeah, I think it's the scan company. My client's pretty much stuck with them (their merchant provider supposedly insists on it). It's annoying; I could just pull the blog to pass the scan and drop it back in after, but I don't want to mess around with their PCI compliance.
It's a standard install (no plugins, weird configs etc) but I do have a custom theme for them (no core file changes). I just want to make sure there's nothing I did to trip these alerts.
Try disabling all plugins, switch to the Twenty Ten theme, then run the scan again. If you see the same results, they must have a beef with the WordPress core, and there's really nothing you can do about that.
refinedinternet
Member
Posted 1 year ago
Just had the same issue, same company. It's actually saying the solution is to upgrade to 1.2.2. Well, we're at 3.0.1, so we're a little past that! I might drop them an email directly to see if it's an error on their part.
refinedinternet
Member
Posted 1 year ago
Just to update for anyone who stumbles across this post. Contacted SecurityMetrics and they confirmed it's a problem on their part, not down to WordPress 3.0.1, and that they'd clear it manually for us.
deviltronics
Member
Posted 1 year ago
refinedinternet, strange that, as I am having the exact same problem as you; called them today and they said I need to contact WordPress about the issue.
Will call again on Monday and point them to your post.
alienincognito
Member
Posted 1 year ago
I had to contact SecurityMetrics, but after they manually checked, they cleared it for me. Looks like most of these automated scans don't correctly identify the WP install. Though I admit, it's better that it incorrectly fails than incorrectly passes.
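The recurring problem in this thread is that the scanner's banner-based version detection disagrees with what is actually installed (a "fix in 1.2.2" finding against a 3.0.1 site). The script below is an added example for building the evidence you would hand back to the scan vendor; it is not code from the thread or from WordPress. It assumes the real `wp-includes/version.php` layout (`$wp_version = '3.0.1';`) and the generator meta tag WordPress emits in the page head, and the sample file contents and HTML are constructed for the demonstration, not taken from any real site.

```python
import re

# Constructed sample of wp-includes/version.php. A real install declares
# $wp_version in exactly this form; read the file from the web root instead.
SAMPLE_VERSION_PHP = (
    "<?php\n"
    "/**\n * The WordPress version string\n */\n"
    "$wp_version = '3.0.1';\n"
)

# Constructed sample of the <head> a remote scanner sees. WordPress emits the
# generator meta tag unless a theme or plugin removes it.
SAMPLE_HTML = (
    "<html><head><title>Shop blog</title>\n"
    '<meta name="generator" content="WordPress 3.0.1" />\n'
    "</head><body></body></html>"
)

VERSION_PHP_RE = re.compile(r"\$wp_version\s*=\s*['\"]([0-9][0-9.]*)['\"]")
GENERATOR_RE = re.compile(
    r'<meta\s+name="generator"\s+content="WordPress\s+([0-9][0-9.]*)"', re.I
)


def version_from_php(text):
    """Return the version string declared in version.php, or None."""
    m = VERSION_PHP_RE.search(text)
    return m.group(1) if m else None


def version_from_html(html):
    """Return the version advertised by the generator meta tag, or None."""
    m = GENERATOR_RE.search(html)
    return m.group(1) if m else None


def parse_version(s):
    """'3.0.1' -> (3, 0, 1) so versions compare numerically, not as strings
    (string comparison would rank '3.9' above '3.10')."""
    return tuple(int(p) for p in s.split("."))


def assess_finding(installed, scanner_fix_version):
    """Compare the version on disk with the version the scanner says to upgrade to.

    'already_patched' means installed >= the recommended version, so the
    finding is a likely false positive worth disputing; 'upgrade_needed'
    means the site really is behind.
    """
    if parse_version(installed) >= parse_version(scanner_fix_version):
        return "already_patched"
    return "upgrade_needed"


def build_dispute_record(php_text, html, scanner_fix_version):
    """Collect the facts you would send to the scan vendor in one place."""
    disk = version_from_php(php_text)
    advertised = version_from_html(html)
    return {
        "installed": disk,
        "advertised": advertised,
        "banner_matches_disk": disk == advertised,
        "scanner_fix_version": scanner_fix_version,
        "verdict": assess_finding(disk, scanner_fix_version) if disk else "unknown",
    }


if __name__ == "__main__":
    record = build_dispute_record(SAMPLE_VERSION_PHP, SAMPLE_HTML, "1.2.2")
    for key, value in record.items():
        print(f"{key}: {value}")
```

Keep the verdict honest: "already_patched" only says the scanner's version claim is stale, not that the site has no other issues, so a mismatch between `installed` and `advertised` (theme hiding the generator tag, cached pages) is also worth noting in the dispute.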
refinedinternet
Member
Posted 1 year ago
Sorted the last of the issues yesterday and got back to them; had an email saying they'll manually remove the error and confirm when it's done.
@alienincognito completely agree; the problem I've encountered is lack of consistency between scans. I ran 5 scans over a period of 4 days and each one came back with a different score despite no further work done on the server - strange to say the least. For now we'll get a pass, but I'm fully expecting a fail when the next automated scan passes by, either because they've updated their threat database again (which can only be a good thing!) or because of the inconsistencies so far.