One of our clients uses McAfee Secure to monitor their website for vulnerabilities, and just recently the Contact Us page on their ASPDotNetStorefront site has started being flagged with a high-severity security vulnerability. Here is what McAfee has to say about this alleged vulnerability:
The remote host appears to allow sensitive form submission over unencrypted (HTTP) connections. This means that a user’s personal information is sent over the internet in clear text. An attacker may be able to uncover sensitive information such as login names and passwords by sniffing network traffic.
All web pages that transmit Card Holder Data or Personally Identifiable Information (PII).
– Users and/or Administrators login to the web site.
– Registration forms such as user signup pages.
– Updating User and/or Administrators profile pages.
– Updating User and/or Administrators shipping information pages.
– Forgot password reset page.
– Company "Contact Us" pages.
To work around this, we added the following to the bottom of the driver.aspx.cs file; it goes at the bottom so that the Topic1 object has already been populated by the time the check runs. Alternatively, one could compare against the querystring: since ASPDNSF does URL mapping, you'll find the topic name in the querystring as Topic=. Here is our solution:

```csharp
if (Topic1.TopicName.ToLower() == "contact")
```
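As an added example (not code from the original post or from the ASPDNSF code base), here is what the redirect inside that `if` could look like: it covers both the `Topic1.TopicName` check and the `Topic=` querystring alternative mentioned above, only redirects when the request is not already HTTPS, and keeps the original path and query so the visitor lands on the same Contact Us page. The class name `driver`, the `Page_Load` hook and the `Topic1` member are assumptions taken from the post; everything else is standard ASP.NET WebForms.

```csharp
// Added example: force HTTPS for the ASPDNSF "contact" topic page.
// Assumes it runs in driver.aspx.cs after Topic1 has been populated.
using System;
using System.Web;

public partial class driver : System.Web.UI.Page
{
    private const string SecureTopic = "contact";

    // True when the request is for the contact topic, using the populated
    // Topic1 name first and the URL-mapped Topic= querystring as a fallback.
    private static bool IsContactTopic(string topicName, string topicQuery)
    {
        return string.Equals(topicName, SecureTopic, StringComparison.OrdinalIgnoreCase)
            || string.Equals(topicQuery, SecureTopic, StringComparison.OrdinalIgnoreCase);
    }

    // Builds the https:// version of the requested URL (same path and
    // querystring, default port). Returns null when no redirect is needed:
    // the request is already HTTPS or it is not the contact page.
    internal static string SecureUrlFor(Uri requestUrl, bool isSecure,
                                        string topicName, string topicQuery)
    {
        if (isSecure || !IsContactTopic(topicName, topicQuery))
            return null;

        var builder = new UriBuilder(requestUrl) { Scheme = Uri.UriSchemeHttps, Port = -1 };
        return builder.Uri.AbsoluteUri;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Only redirect GETs. A POST that arrived over HTTP has already sent
        // the form fields in clear text, and a redirect would drop them; the
        // form's action must point at the HTTPS page in the first place.
        if (Request.HttpMethod != "GET")
            return;

        string target = SecureUrlFor(Request.Url, Request.IsSecureConnection,
                                     Topic1.TopicName, Request.QueryString["Topic"]);
        if (target != null)
            Response.Redirect(target, true);
    }
}
```

Because `SecureUrlFor` is a pure function of the request values, it can be unit-tested without spinning up the page.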
Anyone else have any ideas on how to better address this situation? Has anyone ever had a client complain that their customers didn't want to use the contact us form because it wasn't secured via SSL? After all, the only information being exposed here is really a name and an email address. If so, let us all know about it and comment using the form below.
At Over The Top and Exhibit A Communications, I've programmed solutions for Google as well as at least one other company that was later acquired by Google.
I've been CTO of an Internet SaaS company and spent my time pretty evenly between guiding the future technical strategy of the company, architecting software solutions for my dev teams, designing and running a data center to service our clients worldwide, as well as being a technical evangelist/sales engineer to our media clients large and small.
I've also been Chief Photographer of the Daily Sun/Post newspaper back when it was a 5-day a week daily newspaper.
I also spent a great many years as a beach lifeguard for the City of San Clemente, as well as Jr. Lifeguard instructor and then as its program coordinator.
Private Pilot with Instrument rating and proud husband of soon to be 25 years (and counting).