Internet Security Discussion Forum This forum is for the discussion of security related issues. If you find a new Phishing scheme, spyware, virus or malicious site - let us know about it. If any of the above found you... here's where you ask for help.

#1 05-22-2009, 12:05 PM
LoK (WebProWorld New Member)
Password Protected Pages Doesn't Pass Security

I have developed a website for a customer that takes credit card transactions over their site using a secure shopping cart program. They also use within their site, a password protected page which only their "dealers" may access using a password they get by calling my customer first. That's all working fine; however, my customer is being charged extra by the credit card company they use because this password protected page is failing a security scan.

This is the result of the security scan: "The remote web server contains several HTML form fields containing an input of type 'password' which transmit their information to a remote web server in cleartext." The password protected page has nothing to do with credit card information being input. It's just to access a different webpage not everyone should see.

My question is: How do we get around this security issue yet keep the password protected page?

Thanks. Any help is appreciated.
#2 05-22-2009, 12:19 PM
wige (WebProWorld Moderator)
Re: Password Protected Pages Doesn't Pass Security

Web authentication is very insecure. Because passwords are transmitted in plain text, they can be snooped by an attacker. You have two options, depending on the requirements of the scanning company, and the information being protected.

If the information that is protected is not actually sensitive, and the password is generally known, you can ask the security scanning company to make an exception on the basis that you are using authentication only as a simple authentication measure and it is not protecting anything sensitive.

If you are protecting sensitive information, or if the security scan provider does not allow for the exception, you would have to move the authentication script (the destination of the username/password form) to your secure server. In most configurations, this simply requires changing the url of the form's action attribute from http to https. In some cases, however, you might need to modify the script slightly.
__________________
The best way to learn anything, is to question everything.
#3 05-22-2009, 02:49 PM
danlefree (WebProWorld Pro)
Re: Password Protected Pages Doesn't Pass Security

action=HTTP - Clear-text transmission allows anyone on any intermediary network to read all content transmitted between the client and the host.

action=HTTPS - Clear-text does not exist - all transmissions are encrypted while in transit.

There should not be any issue with the login form if you are posting the results over SSL.
__________________
Dan LeFree | Product Manager (Linux VPS Hosting) | Owner/Operator (Web development, marketing)