on2dvd
I am considering going for the McAfee Secured certification (formerly Hacker Safe).
 
Does anybody have this already or know if Viart shops would pass?
 
alien73 (Guest)
You can put this code in your .htaccess file... HackerSafe has passed every time for over a year.
 
# mod_rewrite only acts on the RewriteCond/RewriteRule lines below once it is switched on
RewriteEngine On
Options +FollowSymLinks
# Each RewriteCond tests the raw (not URL-decoded) query string, so "<" and "%3C" are both spelled out;
# [OR] chains the conditions, [NC] makes a match case-insensitive
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# [F] answers 403 Forbidden; with [F] the substitution target is ignored, so index_error_report.php is never served
RewriteRule ^(.*)$ index_error_report.php [F,L]
# Refuse the HTTP TRACE and TRACK methods (used for cross-site tracing)
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
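
What the rules in that .htaccess actually look at, as an added example that is not part of the post: the five query-string patterns and the TRACE/TRACK rule are transcribed into Python and run against constructed sample requests on a hypothetical host (shop.example). It shows which requests get a 403 and, just as importantly, which ones the rules never see, because mod_rewrite only consults the raw query string and the request method, not the POST body.

```python
import re
from urllib.parse import urlsplit

# The query-string filters from the .htaccess above, transcribed as Python regexes.
# mod_rewrite tests %{QUERY_STRING} against the RAW (not URL-decoded) query string,
# which is why each pattern spells out both "<" and "%3C". [NC] -> re.IGNORECASE.
QUERY_STRING_RULES = [
    ("base64_encode", re.compile(r"base64_encode.*\(.*\)")),
    ("script tag", re.compile(r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE)),
    ("iframe tag", re.compile(r"(\<|%3C).*iframe.*(\>|%3E)", re.IGNORECASE)),
    ("GLOBALS", re.compile(r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})")),
    ("_REQUEST", re.compile(r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})")),
]

BLOCKED_METHODS = re.compile(r"^(TRACE|TRACK)")


def blocked_reason(method, url):
    """Name of the rule that would answer 403 for this request, or None if it passes.

    Mirrors the .htaccess: only the request method and the raw query string are
    consulted; the request body and the path are never examined.
    """
    if BLOCKED_METHODS.match(method):
        return "TRACE/TRACK method"
    raw_query = urlsplit(url).query  # urlsplit leaves %XX escapes undecoded
    for name, pattern in QUERY_STRING_RULES:
        if pattern.search(raw_query):
            return name
    return None


# Constructed sample requests against a hypothetical host (not real traffic).
SAMPLE_REQUESTS = [
    ("GET", "http://shop.example/product.php?id=42"),
    ("GET", "http://shop.example/search.php?q=<script>alert(1)</script>"),
    ("GET", "http://shop.example/search.php?q=%3Cscript%3Ealert(1)%3C/script%3E"),
    ("GET", "http://shop.example/search.php?q=%3ciframe%20src=x%3e"),
    ("GET", "http://shop.example/index.php?GLOBALS[x]=1"),
    ("GET", "http://shop.example/index.php?_REQUEST%5Bx%5D=1"),
    ("GET", "http://shop.example/page.php?x=base64_encode(abc)"),
    ("TRACE", "http://shop.example/"),
    # Same payload sent in a POST body: the rules only see the (empty) query string.
    ("POST", "http://shop.example/search.php"),
    # Double-encoded: the raw query contains neither "<" nor "%3C", so nothing matches.
    # Whether the application ever turns this back into a tag depends on how many
    # times it decodes its input; the rewrite rules simply do not see it.
    ("GET", "http://shop.example/search.php?q=%253Cscript%253E"),
]


def audit(requests=SAMPLE_REQUESTS):
    """Return [(method, url, reason_or_None)] for each sample request."""
    return [(m, u, blocked_reason(m, u)) for m, u in requests]


if __name__ == "__main__":
    for method, url, reason in audit():
        verdict = "BLOCK" if reason else "PASS "
        print(f"{verdict} {method:5} {url}  ({reason})")
```

The point to take from the last two samples is that these rules are a signature filter on one part of the request: they stop the obvious GET-based probes a scanner sends, but a login form or search box that posts its data is outside their reach, and anything that does not literally contain the listed strings goes straight through.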
 
on2dvd
Hi
 
I am more worried about the real benefits than trying to trick the scans. Would Viart actually pass?
 
alien73 (Guest)
It's not a trick, just smart for any website.
 
on2dvd
Thanks for your post. I am just unsure what exactly this code does.
 
alien73 (Guest)
It checks for cross-site scripting (XSS) and logs them to a file.
 
alien73 (Guest)
Or I meant to say, to stop hackers from cross-site scripting.

You can secure a site simply by using .htaccess to disallow just about anything...

Example:

# Refuse to serve source, template, config and binary files directly, matched by extension
<FilesMatch "\.(inc|tpl|h|ihtml|sql|ini|conf|class|bin|spd|theme|module|exe)$">
# Apache 2.2 syntax; on Apache 2.4 the equivalent is "Require all denied"
deny from all
</FilesMatch>
 
on2dvd
Thanks for that information. I'd still like the customer to see the secure tag.
 
on2dvd
I have passed HackerSafe, however.
 
From the first report, I thought I should mention this:

Unencrypted Login Information Disclosure
Severity: Low    Protocol: HTTP    Category: Web Application
Devices: 1    Fix Difficulty: Medium    Impact: Information Disclosure

Description
The remote host appears to allow logins over unencrypted (HTTP) connections. This means that a user's login information is sent over the internet in clear text. An attacker may be able to uncover login names and passwords by sniffing network traffic.

Solution
Plain-text protocols should never be used to transmit sensitive information over the Internet. When passing login information to the web server, use HTTPS (SSLv3, TLS 1) instead of HTTP.

So from this I have removed all user login blocks from the site, meaning everyone must go to the HTTPS page to log in.
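
The check behind that finding, as an added example that is not part of the thread or of Viart: the scanner is flagging any form with a password field whose submit target is plain HTTP. The code below does the same thing offline against a constructed front page on a hypothetical host (shop.example): it parses the HTML with the standard library, resolves each form's action against the page URL (an empty action posts back to the page itself), and reports the login forms that would send credentials in clear text. Running something like this over your own pages tells you whether any login block survived the clean-up.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class PasswordFormFinder(HTMLParser):
    """Collect the resolved action URL of every <form> that contains a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self._action = None        # action of the form currently open, else None
        self._has_password = False
        self.login_forms = []      # resolved action URLs of forms with a password input

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An absent or empty action submits back to the page itself.
            self._action = urljoin(self.page_url, a.get("action") or "")
            self._has_password = False
        elif tag == "input" and self._action is not None:
            if (a.get("type") or "text").lower() == "password":
                self._has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self._action is not None:
            if self._has_password:
                self.login_forms.append(self._action)
            self._action = None


def insecure_login_forms(page_url, html):
    """Action URLs of password forms on the page that would submit over plain HTTP."""
    finder = PasswordFormFinder(page_url)
    finder.feed(html)
    finder.close()
    return [u for u in finder.login_forms if urlsplit(u).scheme.lower() != "https"]


# Constructed sample page (hypothetical host): a sidebar login block posting over
# HTTP, a newsletter form with no password, and a login form that already posts to HTTPS.
SAMPLE_URL = "http://shop.example/index.php"
SAMPLE_PAGE = """
<html><body>
<form method="post" action="login.php">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Login">
</form>
<form method="post" action="newsletter.php">
  <input type="email" name="email">
</form>
<form method="post" action="https://shop.example/login.php">
  <input type="text" name="username"><input type="password" name="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    for url in insecure_login_forms(SAMPLE_URL, SAMPLE_PAGE):
        print("login form submits over plain HTTP:", url)
```

One caveat on the third form in the sample: a login form served on an HTTP page but posting to HTTPS passes this check, yet the HTTP page itself can be altered in transit before the user ever submits, so serving the login page only over HTTPS, which is what removing the login blocks achieves, is the stronger fix.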