By Sean McElherron on Friday, 11 April 2014
Posted in Technical Issues
Replies 13
Hi

Our Trustwave scan has failed, apparently due to issues with Easyblog. I have attached the report which states 'Web Application Transmits Login Credentials Without Encryption'. We have had our blog hacked this week with some rogue postings so this is clearly an issue. Any help much appreciated.
Hello Sean,

Sorry, but looking at the report, there's nowhere that is pinpointing EasyBlog. Can you please advise me on which of the pages it is referring to?
Friday, 11 April 2014 23:38

Trustwave only allows "log in" boxes on https pages. You have a log in box somewhere on your site which displays on http pages. You need to force https on those pages.
Saturday, 12 April 2014 00:11

Hello Jonathan,

Sorry, but a little confused here. Are you referring to our http://stackideas.com site or are you referring to your site? We don't actually run on https.
Saturday, 12 April 2014 02:49

Hi Mark

Pages 28-38 of the attachment detail the Easyblog errors. Hi Jonathan, thanks I will take a look at those login issues.
Saturday, 12 April 2014 04:44

Hello Sean,

Hm, when accessing the URL that is posted in the PDF, http://www.cannyco.com/canny-company-blog/latest doesn't seem to load up for me. Can you please advise?
Saturday, 12 April 2014 13:58

Hi Mark

Sorry - I had unpublished the module to see if it passed the scan. Try now.
Saturday, 12 April 2014 18:01

Hello Sean,

I think you can actually ignore this error message because that error message is complaining that you are displaying a login form without using https://, and since you are not rendering your site with https, there's no way to stop them from complaining. There are 2 workarounds currently:

1. Enable https for your site

2. Turn off the ability to login for EasyBlog's toolbar. You can do so by heading over to Settings > Layout > Toolbar
Sunday, 13 April 2014 00:29

Hi Mark

Our site is enabled for https on the shop pages. Because of this we cannot ignore it as without a successful TW scan, we cannot trade online. Will try your 2nd suggestion and see if we pass it, thank you.
Sunday, 13 April 2014 16:45

Hello Sean,

Hm, why not turn on https throughout the site? This would definitely solve your issues.
Sunday, 13 April 2014 21:24

Hi Mark

I can't do this as it causes issues with other components that are not set up for https. The ironic thing is that Easyblog was working fine, passed the last TW scan no problem and now for some reason, it is highlighting the core Joomla issue and also Easyblog.
Monday, 14 April 2014 15:11

Hello Sean,

Perhaps you disabled the login form within EasyBlog? I guess you are now hitting errors on Joomla pages probably because there's a login module somewhere on your other pages?
Monday, 14 April 2014 19:09

Hi Mark

We tried the 2nd option from above and that has done the trick. We had a TW scan today and passed so thank you very much for your expert help.
Tuesday, 15 April 2014 00:13

You are most welcome, Sean.
Tuesday, 15 April 2014 03:46