Title: PCI/SecurityMetrics Issue
Last modified: August 19, 2016

---

# PCI/SecurityMetrics Issue

 *  [HosaDyna](https://wordpress.org/support/users/hosadyna/)
 * (@hosadyna)
 * [15 years, 1 month ago](https://wordpress.org/support/topic/pcisecuritymetrics-issue/)
 * I just started using WordPress on a website that is required to be PCI compliant
   because of an installed shopping cart. When SecurityMetrics ran the quarterly
   scan yesterday the site failed because of an apparent issue with WordPress.
 * The tech from SecurityMetrics sent me this explanation of how he was able to 
   replicate the failure:
 * > Our scanner is seeing a URL redirect in place, which I am also able to see.
   > However, our scanner believes that this is an issue because parts of the URL
   > that we inject later go into the source code and operate directly on links 
   > on the page. In mydomain.com’s case this is with the “Older Post” link, which
   > includes parts of the originally requested URL, for example:
   > If I request [http://mydomain.com/?www.nba.com](http://mydomain.com/?www.nba.com)
   > then I get the home page. The homepage includes a link to this:
   > `<a href="http://belairerecords.com/page/2/?www_nba_com" >Older posts &laquo;</a></p>`
   > For “Older posts”. I can see that this includes parts of my original request,
   > yet there are compensating controls in place to protect against these attacks,
   > like the periods were being changed into underscores. On mydomain.com’s behalf
   > I simply need an explanation of why this wouldn’t be a vulnerability and any
   > information you can send me to back-up that claim. I’ll use this information
   > on their behalf to have the issue lowered.
 * Now…as far as I can tell this is the way WordPress does its thing. I ran his 
   test on a number of WP sites that I maintain on different hosts and ones that
   have been updated to the newest version along with a couple that were still running
   the previous version.
 * I don’t know very much about PHP and its workings. Is there someone on here that
   can explain to them why this is okay, or do I need to stop using WordPress?
 * For further study, here’s the actual failure message:
 * > Synopsis: The remote web server allows redirects to arbitrary domains. Description:
   > The remote web server is configured to redirect users using a HTTP 302, 303
   > or 307 response. However, the server can redirect to a domain that includes
   > components included in the original request. A remote attacker could exploit
   > this by crafting a URL which appears to resolve to the remote server, but
   > redirects to a malicious location. See also: [http://www.owasp.org/index.php/Phishing](http://www.owasp.org/index.php/Phishing)
   > [http://www.technicalinfo.net/papers/Phishing.html](http://www.technicalinfo.net/papers/Phishing.html)
   > Solution: Contact the web server vendor for a fix. Risk Factor: Medium / CVSS
   > Base Score: 4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

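What the tech observed (a query-string name such as `www.nba.com` coming back as `www_nba_com` inside an on-site "Older posts" link) and what the scanner actually claims (a redirect that can leave the host) are two different things, and the underscore is PHP's own doing: PHP rewrites `.` and space in query parameter names to `_`. The following is an added example, not code from this thread or from WordPress: a small triage script that checks whether an observed redirect target or generated link stays on the requested host, run over constructed sample URLs (`example.com` is a placeholder).

```python
from urllib.parse import urljoin, urlsplit


def php_query_names(query):
    """Parameter names as PHP's $_GET presents them: PHP rewrites '.' and ' '
    in a name to '_', which is why '?www.nba.com' reappears as 'www_nba_com'."""
    names = []
    for part in query.split("&"):
        if part:
            names.append(part.split("=", 1)[0].replace(".", "_").replace(" ", "_"))
    return names


def redirect_stays_on_host(requested_url, target):
    """True if `target` (absolute, scheme-relative or path-relative) resolves to
    the same hostname as `requested_url`. The parsed hostname is compared, not
    the raw string, so 'http://good@evil/' and '//evil/' are correctly off-host.
    A target with no hostname at all is treated as off-host so it gets reviewed."""
    req_host = (urlsplit(requested_url).hostname or "").lower()
    target_host = (urlsplit(urljoin(requested_url, target)).hostname or "").lower()
    return bool(target_host) and target_host == req_host


def triage(cases):
    """Map (requested_url, target) pairs to a verdict string for each."""
    return [
        (req, tgt, "same-host" if redirect_stays_on_host(req, tgt) else "OFF-HOST")
        for req, tgt in cases
    ]


# Constructed sample pairs (not scanner output). The first two mirror the
# thread: request parts come back only inside the query string of an on-site
# link. The last two are the shapes a naive string comparison would get wrong.
SAMPLE_CASES = [
    ("http://example.com/?www.nba.com", "http://example.com/page/2/?www_nba_com"),
    ("http://example.com/?www.nba.com", "/page/2/?www_nba_com"),
    ("http://example.com/?www.nba.com", "//www.nba.com/"),
    ("http://example.com/?www.nba.com", "http://example.com@www.nba.com/"),
]

if __name__ == "__main__":
    for req, tgt, verdict in triage(SAMPLE_CASES):
        print(f"{verdict:9} {req} -> {tgt}")
```

Only an OFF-HOST verdict for a target the server itself emitted (a `Location` header or a link built from the request) is evidence for the scanner's claim; a same-host link that merely carries a sanitized copy of the query string is not.
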
Viewing 1 replies (of 1 total)

 *  Thread Starter [HosaDyna](https://wordpress.org/support/users/hosadyna/)
 * (@hosadyna)
 * [15 years, 1 month ago](https://wordpress.org/support/topic/pcisecuritymetrics-issue/#post-1949218)
 * Whoops. I forgot to make his example of the error not be an active link.

The topic ‘PCI/SecurityMetrics Issue’ is closed to new replies.

## Tags

 * [pci](https://wordpress.org/support/topic-tag/pci/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 1 reply
 * 1 participant
 * Last reply from: [HosaDyna](https://wordpress.org/support/users/hosadyna/)
 * Last activity: [15 years, 1 month ago](https://wordpress.org/support/topic/pcisecuritymetrics-issue/#post-1949218)
 * Status: not resolved

