How to secure the Tell A Friend form

Some customers have reported that McAfee Secure is considering the fact that the “Tell A Friend” form is not secure a vulnerability. We disagree in that the form does not pass any confidential information to the form handler. McAfee Secure considers the e-mail address to be confidential information, thus the issue.

The following solution is only applicable to stores that have a dedicated SSL certificate.

The solution consists of automatically loading the page on the HTTPS protocol, so that information is transmitted in an encrypted format between the browser and the Web server. HTTPS can be forced by using the code mentioned below.

• Download the file “tellafriend.asp” from the “pc” folder
• Make a back-up copy
• Open it with Notepad or your favorite HTML editor
• Locate the opening ASP tag at the top of the file:

  <%

• Place the following code immediately after it.

  If (Request.ServerVariables("HTTPS") = "off") Then
      Dim xredir__, xqstr__
      xredir__ = "https://" & Request.ServerVariables("SERVER_NAME") & _
                 Request.ServerVariables("SCRIPT_NAME")
      xqstr__ = Request.ServerVariables("QUERY_STRING")
      if xqstr__ <> "" Then xredir__ = xredir__ & "?" & xqstr__
      Response.redirect xredir__
  End if

• So the top of “tellafriend.asp” will look like this:

  <%
  If (Request.ServerVariables("HTTPS") = "off") Then
      Dim xredir__, xqstr__
      xredir__ = "https://" & Request.ServerVariables("SERVER_NAME") & _
                 Request.ServerVariables("SCRIPT_NAME")
      xqstr__ = Request.ServerVariables("QUERY_STRING")
      if xqstr__ <> "" Then xredir__ = xredir__ & "?" & xqstr__
      Response.redirect xredir__
  End if

• Save the file and upload it back to the “pc” folder

This should make the vulnerability disappear.