HTML page uses cleartext form-based authentication

When running a PCI compliance scan, the scan fails with the following error:
Title: HTML page uses cleartext form-based authentication (/page.ashx?linkguid={38C6B8A7-7221-4318-B3A8-5FA0B00202FF})
TCP 80 http 4.0
Impact: Poor authentication practices may leave the web application vulnerable to authentication attacks.
Data Received: <input name='pin' id='pin' type='password' style='display:none;' />
Resolution: To use HTML form-based authentication more securely in web applications, do the following: Remove the value attribute from the INPUT tag corresponding to the password field. Submit all forms to an SSL-enabled (https) service using the form's action attribute. Place all protected web directories on an SSL-enabled (https) service. Use the autocomplete="off" attribute in the INPUT tag corresponding to the password field.
Risk Factor: Medium/ CVSS2 Base Score: 4.0 (AV:N/AC:H/Au:N/C:P/I:N/A:N)

 In order to resolve this error:

1. Enable SSL on all pages
2. Make sure that external links to third-party sites (Facebook, Twitter, etc.) use https://
3. Enable Single Sign On, and verify that the FAWeb and NetClassroom URLs are https:// in the Education tab located in Administration > Sites and Settings
4. Verify that the link to NetClassroom/FAWeb is https://

Once all of these are in place, run the PCI scan again.
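
A pre-check that can be run on a page's HTML before re-running the scan, as an added example that is not from the original article or the product: it reports password fields that violate the three form-level points in the scanner's resolution text. The host school.example and the sample markup are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class PasswordFormAudit(HTMLParser):
    """Collects findings for password inputs, tracking the enclosing form."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []
        self.form_target = None  # resolved action of the enclosing form

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An empty or missing action submits to the page's own URL.
            self.form_target = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            name = a.get("name") or a.get("id") or "?"
            target = self.form_target or self.page_url
            if urlparse(target).scheme != "https":
                self.findings.append((name, "submitted over cleartext: " + target))
            if "value" in a:
                self.findings.append((name, "value attribute present"))
            if (a.get("autocomplete") or "").lower() != "off":
                self.findings.append((name, 'autocomplete="off" missing'))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_target = None


def audit(page_url, html):
    parser = PasswordFormAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: the flagged input served over http, then a corrected page.
BEFORE = ("<form action='/page.ashx'><input name='pin' id='pin' "
          "type='password' style='display:none;' /></form>")
AFTER = ("<form action='https://school.example/page.ashx'><input name='pin' "
         "id='pin' type='password' autocomplete='off' /></form>")

if __name__ == "__main__":
    for finding in audit("http://school.example/page.ashx", BEFORE):
        print(finding)
    print(audit("https://school.example/page.ashx", AFTER))
```

An empty result for a page means its password fields meet these three points; the scanner's fourth point (placing protected directories on an https service) is a server configuration matter and is not checked here.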

Environment

 6.51 patch 18
