Re: NIVO slider accessibility issues
Quote: Originally Posted by dbltoe
Just a little FYI. If a file is renamed using old or bak, it may still be run by the system AND any *.bak files on a server are a direct PCI violation.
please point us to where on the PCIDSS website we can see that any .bak files are a violation of PCI. i have never seen that, and i would like to...
Quote: Originally Posted by dbltoe
...I can easily find what I did by searching for *.bst.:P
Yes, it's a valid file extension but requires a special viewer to open online.
this is really not correct. text files can be opened by a text editor, no matter their extension. renaming a file's extension does not automatically make the file a valid version of said extension.
keeping backup files on a web server is not a good idea. one must ensure that the web serving software (i.e. apache) is properly configured to not serve up those files. otherwise anyone can see them if they know where to look.
Re: NIVO slider accessibility issues
It's been years since we had this come up in a PCI scan. I added it to lat9's override cheatsheet in 2013. Can't find the link as I didn't have it bookmarked.
As you pointed out, a lot of files can be opened in a standard file editor. When you have something like the configure.php temporarily set to 644 for remote editing or FTP, a configure.bak could be left behind with all the database connection information a hacker would need.
If a mod is downloaded, extracted, edited and then uploaded from your computer, it will often have a .bak in the mix. Even the commercial items like UltraEdit that I use will leave a .bak. I have even seen them in the zip of older mods. If we edit any mod files, we do a file search for *.bak prior to FTP just to make sure none get transferred.
We used to have a cron for weekly eradication of .bak files but they are so few and far between that we just use cPanel after any significant work is done on a site.
BTW I used the example of .bst because it does take a text editor with extra features to open. https://fileinfo.com/extension/bst
Re: NIVO slider accessibility issues
i really do not want to get into another pissing match....
just because the information is on your cheat-sheet does not make it true.
having a file called confidential.bak on your server, that simply has the text 'everything is good' does not put you in violation of PCI. in fact, depending on what payment modules you have enabled, your website may not even be in scope.
current trends in PCI compliance refer to reducing scope. the smaller the scope, the less items one needs to worry about being in compliance.
there is a reason to have websites under version control. just because you are using a commercial piece of software does not necessarily mean it is better. it only means you paid for it.
i am frequently reminded of the phrase: "it's a bad craftsman who blames his tools."
having file fragments that are not blocked from being served up by your web site is not a good idea. i would not keep any old files up on a server in a directory that apache serves up.
finally, if you are running anything less than php 7.4, and your website is in scope, you are in violation of PCI.
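The pre-upload sweep for stray backup copies and the check that the web server refuses to serve them, which the posts above describe, written out as an added POSIX shell example; this is not code from this thread or from Zen Cart, and the document root path, site URL and extension list are assumptions.

```shell
#!/bin/sh
# Added example (not code from this thread or from Zen Cart): sweep a document
# root for leftover backup copies such as configure.php.bak and, optionally,
# confirm that the web server refuses to serve them.
# Assumed inputs: $1 is the directory Apache serves; $2 is the site's public
# URL. The extension list is a constructed starting point, extend as needed.
#
# Mitigation on the Apache side (2.4 syntax, in the vhost or the docroot
# .htaccess) so a forgotten copy is denied even if the sweep misses it:
#   <FilesMatch "\.(bak|old|orig|swp)$|~$">
#       Require all denied
#   </FilesMatch>

# Print every file under $1 with a backup-style name, one path per line.
find_backup_files() {
    find "$1" -type f \( -name '*.bak' -o -name '*.old' -o -name '*.orig' \
        -o -name '*.swp' -o -name '*~' \) 2>/dev/null | sort
}

# Print how many backup files sit under $1 (0 means the tree is clean).
count_backup_files() {
    find_backup_files "$1" | wc -l | tr -d ' '
}

# Request each backup file found under $2 from the site at $1 and report the
# HTTP status: "SERVED" means anyone who guesses the name can read it.
check_not_served() {
    base_url="${1%/}"
    docroot="${2%/}"
    find_backup_files "$docroot" | while IFS= read -r path; do
        rel="${path#"$docroot"/}"
        status=$(curl -s -o /dev/null -w '%{http_code}' "$base_url/$rel")
        if [ "$status" = "200" ]; then
            echo "SERVED   $base_url/$rel"
        else
            echo "blocked  ($status) $base_url/$rel"
        fi
    done
}

# Usage: sh sweep_backups.sh /path/to/docroot [https://shop.example]
# Run it before uploading edited files, or from cron as a weekly check.
if [ "$#" -ge 1 ]; then
    find_backup_files "$1"
    if [ "$#" -ge 2 ]; then
        check_not_served "$2" "$1"
    fi
fi
```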
Re: NIVO slider accessibility issues
Quote: Originally Posted by carlwhat
i really do not want to get into another pissing match....
Then why are you always the "yeah, but" guy?