rocaholic Posted April 15, 2011

Hi everyone, I'm using a quarterly PCI compliance scan by securitymetrics(dot)com. I have two risks rated as 5, but they have the same error:

"Synopsis: The remote web server contains a PHP script that is prone to an information disclosure attack.

Description: Many PHP installation tutorials instruct the user to create a PHP file that calls the PHP function 'phpinfo()' for debugging purposes. Various PHP applications may also include such a file. By accessing such a file, a remote attacker can discover a large amount of information about the remote web server, including:
- The username of the user who installed PHP and if they are a SUDO user.
- The IP address of the host.
- The version of the operating system.
- The web server version.
- The root directory of the web server.
- Configuration information about the remote PHP installation.

Solution: Remove the affected file(s).

Risk Factor: Medium"

I found a file named phpinfo.php in my public_html folder and its content is only: <?php phpinfo(); ?>

Is it safe to delete this so I can pass my scan?

And another thing: I hired a few freelancers to help me set up the site, as I know nothing about programming. I understand that PCI compliance is a rough area but wanted to see your input on how customers process my orders. I use inmotionhosting business hosting. My site uses GoDaddy SSL and for my payments I use the Authorize.net AIM module, I believe. Customers add items, check out, and fill out all the CC information on my site. Money has been going into my bank account. I was wondering if this is safe, because I don't see full credit card numbers, except the last 4 (XXXXXXXXXXXX1111) and the expiration date, and I think the billing address as well.

Thank you!!!
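The scanner's "Remove the affected file(s)" advice is easier to act on if you first list every PHP file under the web root that calls phpinfo(), not just the one named phpinfo.php, since a copy with an obscure name is still reachable by anyone who learns its URL. The following is an added example written for this thread, not code from the original post, the scanner, or osCommerce. It assumes a POSIX shell with find and grep on the hosting account (for example over SSH) and takes the web root directory as its argument; the directory name public_html in the usage line is the one from the post.

```shell
#!/bin/sh
# Added example, not from the original thread: list PHP files under a web
# root whose source calls phpinfo(), so each one can be reviewed and removed
# before the next compliance scan. Assumes POSIX find/grep.

find_phpinfo_files() {
    root="$1"
    # -type f: regular files only; -name '*.php': only PHP sources.
    # grep -l prints just the matching file names; the -E pattern tolerates
    # whitespace between the function name and its parenthesis.
    find "$root" -type f -name '*.php' \
        -exec grep -lE 'phpinfo[[:space:]]*\(' {} + 2>/dev/null
}

# Count of files found, for a quick pass/fail check after cleanup.
count_phpinfo_files() {
    n=$(find_phpinfo_files "$1" | grep -c .)
    echo "$n"
}

# Usage (review the list by hand, then rm each file you do not need):
#   find_phpinfo_files ~/public_html
#   count_phpinfo_files ~/public_html   # expect 0 once cleaned up
```

Only text files ending in .php are inspected, so a file such as notes.txt that happens to mention phpinfo( is not reported; it is not executable by the web server. After deleting the files, request the URL in a browser to confirm the server now returns a 404 rather than the configuration page.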
Jack_mcs Posted April 15, 2011

Yes to both questions.
MrPhil Posted April 17, 2011

That "phpinfo.php" file was not put there by osCommerce. Either you had a developer/installer (your "freelancer") who was very sloppy about security and failed to name it something obscure and remove it when done, or a hacker left it there. Possibly your freelancer deliberately left it in there as a future hack enabler. Either way is not good, and it should be removed (or at least, the name changed to something unguessable).

What does this have to do with E-commerce Laws? It belongs in Security under the appropriate product.
rocaholic Posted April 19, 2011 (Author)

"What does this have to do with E-commerce Laws? It belongs in Security under the appropriate product."

"Is it safe to delete this so I can pass my scan? And another thing, I hired a few freelancers to help me set up the site as I know nothing about programming. I understand that PCI compliance is a rough area but wanted to see your input on how customers process my orders. I use inmotionhosting business hosting. My site uses GoDaddy SSL and for my payments, I use the Authorize.net AIM module, I believe. Customers add items, checkout, fill out all the CC information on my site. Money has been going into my bank account. I was wondering if this is safe because I don't see full credit card numbers, except the last 4 (XXXXXXXXXXXX1111) and the expiration date, and I think the billing address as well. Thank you!!!"

Because I was wondering if this is "PCI-DSS" compliant. Thank you both for your responses.