All Low add-ons are now owned by EEHarbor. Read the blog post.

Support archive

Failing PCI Compliance - please help!

Lisa 18 Apr 2019 17:11 problem, active

Hi there, I'm having an issue I'm hoping you can help me with. Using EE 3.5.15 and Low Search 5.2.0.

We are failing PCI compliance and it has to do with Low Search. Attached is the error.

In testing your website, we entered a very long string (URL encoded script) to your website's search parameter. The web server returned a page containing detailed information regarding the contents of your SQL database. The error message was a result of a caught exception. Error messages to the client should be very basic, and not include detailed error information. Please disable detailed error messages to the client and only display generic error messages. Please sanitize all input fields and rescan.

Can anyone help me get this cleaned up? thanks

Replies

  1. Low 18 Apr 2019 17:33

    This is partially because you have error reporting (or debugging) turned on on your production server, which usually isn't recommended. See https://docs.expressionengine.com/lat... -- but it also may be turned on in your config or main index.php file. I suggest turning that off to avoid error messages like this being displayed to the public.

    Furthermore, you can try adding maxlength="150" to the keywords input field, which will prevent most people from entering more than 150 characters into a search field.

    You can also try applying this SO answer, which will prevent the error from happening at all.

    I will also look into truncating the keywords when logging them for a later version.

  2. Lisa 18 Apr 2019 17:39

    Debugging is turned off and also set to 0 in the config and index files.
    Trying the keyword input limit. Thanks for the help.
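The server-side shape of what Low's first reply recommends, as an added illustrative example that is not code from Low Search or ExpressionEngine: it uses Python and an in-memory SQLite table as a stand-in for the keyword log (the CHECK constraint plays the part of the column length limit a strict MySQL server enforces); the 150-character limit, the function names and the response format are assumptions. The keywords are cut to the limit before they reach the database, and if an insert still fails the client gets a generic message while the exception text goes only to the server log.

```python
import html
import sqlite3
import sys

# Assumed limit, chosen to match the maxlength="150" suggested in the reply.
MAX_KEYWORDS_LEN = 150


def make_db() -> sqlite3.Connection:
    """Create a constructed in-memory stand-in for a search-keyword log table.

    The CHECK constraint plays the role of the column length limit that a
    strict MySQL server enforces; the real Low Search schema is not reproduced.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE search_log ("
        " id INTEGER PRIMARY KEY,"
        f" keywords TEXT NOT NULL CHECK (length(keywords) <= {MAX_KEYWORDS_LEN})"
        ")"
    )
    return conn


def truncate_keywords(keywords: str, limit: int = MAX_KEYWORDS_LEN) -> str:
    """Server-side counterpart of the HTML maxlength attribute.

    A client-side maxlength stops ordinary visitors, but anyone sending the
    request directly (as the PCI scanner did) bypasses it, so cut here too.
    """
    return keywords[:limit]


def log_search(conn: sqlite3.Connection, keywords: str, truncate: bool = True) -> None:
    """Insert the keywords into the log, optionally truncating first."""
    if truncate:
        keywords = truncate_keywords(keywords)
    with conn:  # commits on success, rolls back and re-raises on error
        conn.execute("INSERT INTO search_log (keywords) VALUES (?)", (keywords,))


def logged_keywords(conn: sqlite3.Connection) -> list:
    """Return every keyword string stored so far, oldest first."""
    return [row[0] for row in conn.execute("SELECT keywords FROM search_log ORDER BY id")]


def handle_search(conn, keywords, truncate=True, debug=False) -> dict:
    """Simulate the search endpoint's response (hypothetical handler).

    debug=True mirrors a production site left with detailed error output on:
    the database exception text reaches the client.  debug=False is the
    behaviour the reply recommends: full detail goes to the server log only.
    """
    try:
        log_search(conn, keywords, truncate=truncate)
    except sqlite3.Error as exc:
        # Keep the detail for operators (stderr stands in for the error log)...
        print(f"search log insert failed: {exc!r}", file=sys.stderr)
        if debug:
            # ...but a debug build echoes it to the client, which is the finding.
            return {"status": 500, "body": f"Database error: {exc}"}
        return {"status": 500, "body": "Search is temporarily unavailable."}
    # Escape the echoed keywords so a script payload cannot run in the results page.
    shown = html.escape(truncate_keywords(keywords))
    return {"status": 200, "body": f"Results for: {shown}"}


if __name__ == "__main__":
    # Constructed payload resembling the scanner's "very long URL encoded script".
    payload = "%3Cscript%3Ealert(1)%3C%2Fscript%3E" * 200
    db = make_db()
    print(handle_search(db, payload, truncate=False, debug=True)["body"])
    print(handle_search(db, payload, truncate=False, debug=False)["body"])
    print(handle_search(db, payload)["body"][:60])
```

Run as-is, the first line printed shows the leak (the constraint error text in the client response), the second shows the generic message, and the third shows the insert succeeding once the keywords are truncated. The maxlength attribute on the form remains worth adding for ordinary users, but only the server-side cut and the generic error stop a scanner that posts the parameter directly.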