+1-888-365-2779
Try Now
More in this section

Forums / Bugs & Issues / PCI compliance is finding blogs.svc, but it doesn't exist

PCI compliance is finding blogs.svc, but it doesn't exist

2 posts, 0 answered
  1. Mandie
    Mandie avatar
    1 posts
    Registered:
    28 Mar 2013
    08 Aug 2014
    Link to this post

    We had a PCI compliance scan, and it comes back with an item that states "Web application Transmits Login Credentials Without Encryption". The evidence is "http://ipaddress/Sitefinity/Services/Atompub/Blogs.svc".

     This file does not exist on the server. I do not see it listed in the csproj file on the server.

     If I go to the URL, then I will get username/password prompt, but only if I use HTTP. If I use local admin credentials it will pass them through, but will go to a 404 error.

     Any ideas on where the PCI scan is getting this Blogs.svc page?

  2. Sabrie Nedzhip
    Sabrie Nedzhip avatar
    534 posts
    Registered:
    08 Dec 2016
    13 Aug 2014
    Link to this post
    Hello Mandie,

    I believe I have answered your question in the support ticket you have opened. I am pasting the reply here for your convenience:

    According to the information you have provided, it seems that you experience the issue when you browse a page where you have published the blog posts widget. In the <head> section of the pages where the blog posts are published we add the Sitefinity/Services/Atompub/Blogs.svc service as a reference so that we can use it to publish and edit blog posts from external applications like Live Writer. Please refer to the screenshot. However, this service should not cause any issues. In addition, when this page is opened under https:// the link to the service is properly generated under https:// as well.

    As I have also noted in the support ticket, we have a bug logged in our system that this link to the atompub service should not be added if you have not allowed Live Writer blogging. Here is the link to the feedback portal where you can track the progress of the bug.

    Our developers are currently working on fixing this issue and to remove the reference to the atompub service if the Windows Live Writer is not configured. The fix will probably be included in the latest internal build which might be released this Friday. So what I can suggest is to upgrade to the latest internal build once it is released following the instruction in our upgrade documentation.

    Regards,
    Sabrie Nedzhip
    Telerik
     
    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Sitefinity CMS Ideas&Feedback Portal and vote to affect the priority of the items
     
2 posts, 0 answered