Recently a PCI scan was run against a web server and the result was a failure. Some of the issues could be fixed; however, others simply make no sense to me.
The machine was a clean install; there are only two things running on it, the .NET 3.5 website and the dotDefender web application firewall.
However there are several errors similar to:
Web server vulnerability Impact: /servlet/SessionServlet: JRun or Netware WebSphere default servlet found. All default code should be removed from servers. Risk Factor: Medium / CVSS2 Base Score: 6.4 CVE: CVE-2000-0539
I'm not sure what this is, but I can't find anything on the server that looks anything like this.
Web server vulnerability Impact: /some.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. Risk Factor: Medium / CVSS2 Base Score: 5.0
PHP is not installed. Trying to add that query string to any page does nothing because the application ignores it, and doing that phpVersion check results in a 404. Similar to this, there are dozens of errors related to JSP and Oracle, which are also not installed.
Web server vulnerability Impact: /admin/database/wwForum.mdb: Web Wiz Forums pre 7.5 is vulnerable to Cross-Site Scripting attacks. Default login/pass is Administrator/letmein Risk Factor: Medium / CVSS2 Base Score: 4.0
There are several errors like this, telling me that Web Wiz Forums, Alan Ward A-Cart 2.0, IlohaMail, etc. are all vulnerable. These are not installed or referenced anywhere I can find.
There are even references to pages that simply don't exist, like OpenAutoClassifieds.
Can anyone point me in the right direction as to why these errors are showing up or where I might look to find these components if they are in fact installed?
Note: This website and server are for a subdomain of the main website. The main website runs on a server that is running Apache/PHP, but I don't have access to that server. The report says the subdomain was the site being scanned, but is it possible for it to have scanned the main site as well?
Answer
Short answer: It wouldn't.
Long answer: One of three things has happened:
1. Your auditor scanned the wrong machine, like @HopelessN00b said. (This is the most likely scenario - you say the PCI site is a subdomain and the site above it is on an Apache/PHP site, so it's entirely possible that they scanned that site and found the vulnerabilities they listed.)
2. Your machine got compromised in a right quick hurry. (Yeah, this happens too -- though if you've checked the machine and found the audit results invalid I think we can rule it out.)
3. Your Security Auditor is an Idiot. (Don't hire that guy!)
Since #1 is the most likely based on what you've told us, find out which machine (hostname and IP address) the auditor scanned, confirm it's the right machine, and if it's not, have the scan re-done.
Also check those vulnerabilities against the main server yourself (and if they are indeed valid, make the responsible parties fix them). Those are relatively serious problems, and even though there may (and in fact by PCI standards must) be separation between the cardholder data equipment and your other sites, you will continue to raise red flags on your audit if you don't resolve them.
(If your main site is on a shared hosting provider that is running all of those things you may want to consider moving it to a dedicated box or VPS for your own peace of mind.)
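One way to do the check the answer asks for, as an added example that is not from the question, the answer or any scanner: resolve the hostname named in the report (if the subdomain and the main site resolve to the same address, the scan hit the same box), then compare each reported path against a random path that cannot exist, so a server or WAF that answers 200 to every URL (one common reason scanners report components that are not installed) is told apart from a real hit. The hostnames are constructed placeholders; the paths are the three findings quoted in the question.

```python
import socket
import urllib.error
import urllib.request
import uuid

# Paths copied from the scan findings quoted in the question.
REPORTED_PATHS = [
    "/servlet/SessionServlet",
    "/some.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42",
    "/admin/database/wwForum.mdb",
]

def resolve(hostname):
    """Return the IPv4 addresses a hostname resolves to (empty set if none)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(hostname, 443, socket.AF_INET)}
    except socket.gaierror:
        return set()

def status_of(url):
    """HEAD the URL and return its HTTP status, or None if unreachable."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:
        return err.code
    except OSError:
        return None

def classify(path_status, canary_status):
    """'confirmed': path served, random canary path not -> fix it.
    'catch-all': server (or WAF in front) answers 200 to everything, so
    path-based scanner checks mean nothing. 'absent': not served here."""
    if path_status == 200 and canary_status != 200:
        return "confirmed"
    if path_status == 200:
        return "catch-all"
    return "absent"

def check_host(hostname, scheme="https"):
    """Resolve the host, then classify every reported path on it."""
    base = f"{scheme}://{hostname}"
    canary = status_of(f"{base}/{uuid.uuid4().hex}")  # cannot exist
    return resolve(hostname), {p: classify(status_of(base + p), canary) for p in REPORTED_PATHS}

if __name__ == "__main__":
    for host in ("pci.example.com", "www.example.com"):  # placeholder names
        print(host, *check_host(host))
```

A "catch-all" result is worth sending back to the auditor with the scan, since it explains the findings without any of the named components being present.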