
PCI Compliance - Plesk 11 Login script failing

EatEasy

Guest
The Plesk 11 login script is failing PCI compliance.

"The login_up.php3 web application running on this host that transmits login credentials over HTTP, which is a cleartext protocol. As such, if an attacker was able to intercept traffic containing login credentials, it would be trivial to view user account and password information.

All web application communications containing sensitive information should be transmitted using SSL/TLS (HTTPS). If re-direction from HTTP to HTTPS is utilized in an attempt to remediate this finding, please ensure that such re-direction occurs on the server side of the system (for example via the use of the HTTP "Location" header element) and that re-direction is not reliant upon the client (browser) side."

Is there a fix or workaround?
 
Yes, I have read and applied all the changes a few months ago and our servers have been compliant since then. This is a brand new finding with our PCI Compliance scanner. I must add that we are based in the UK and this new compliance requirement only became active 4 days ago.
 
I fixed this issue simply by blocking port 8880 through the Plesk firewall. It seems it is not needed unless you want to use the Plesk panel without https.
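Added example, not part of any post in this thread: a small Python check for the redirect condition in the scanner text quoted above, which classifies a raw response captured from the cleartext panel port as a server-side `Location` redirect to HTTPS, a client-side redirect, or cleartext content. The host name, port 8443 in the redirect target, the form field name and the sample responses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Client-side redirect techniques the scanner text says must not be relied on.
CLIENT_SIDE = re.compile(
    rb'<meta[^>]+http-equiv\s*=\s*["\']?refresh'
    rb'|location(?:\.href)?\s*=|location\.replace\s*\(',
    re.IGNORECASE,
)

def classify_http_response(raw: bytes) -> str:
    """Classify a raw HTTP response received on the cleartext port."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP response")
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    # Server-side redirect: 3xx status plus a Location header, sent before any page body.
    if 300 <= status < 400 and b"location" in headers:
        target = headers[b"location"].decode("latin-1")
        if urlsplit(target).scheme.lower() == "https":
            return "server-side-https-redirect"
        return "redirect-not-https"   # relative or http:// target stays in cleartext
    if CLIENT_SIDE.search(body):
        return "client-side-redirect"  # depends on the browser acting on the body
    return "cleartext-content"         # page (possibly the login form) served over HTTP

# Constructed sample responses (not captured from a real server).
SAMPLES = {
    "location_header": b"HTTP/1.1 301 Moved Permanently\r\n"
        b"Location: https://panel.example.test:8443/login_up.php3\r\n\r\n",
    "meta_refresh": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b'<meta http-equiv="refresh" content="0;url=https://panel.example.test:8443/">',
    "login_form": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b'<form action="/login_up.php3" method="post">'
        b'<input type="password" name="passwd"></form>',
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {classify_http_response(raw)}")
```

With port 8880 blocked at the firewall, as in the last post, the connection fails and there is no response to classify.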
 