Lev Seltzer
asked on
How to correct sgdynamo.exe vulnerability
My client is trying to get PCI compliant, but is failing on the error below:
The host says the problem is in my classic ASP code, but since I never use CGI or sgdynamo.exe, I havent a clue what to look for.
Do you know what I can do to get around this error and get PCI compliant?
Thank you.
Synopsis : The remote host has an application that is affected by an information disclosure vulnerability. Description : The CGI 'sgdynamo.exe' can be tricked into giving the physical path to the remote web root. This information may be useful to an attacker who can use it to make better attacks against the remote server. Solution: None at this time Risk Factor: Medium / CVSS Base Score : 4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/ I:N/A:N) Other references : OSVDB:54010
I am running the site on a windows 2008-based virtual private server, so I can configure the server as required. The file sgdynamo.exe is NOT on the server, and CGI is turned off. The host says the problem is in my classic ASP code, but since I never use CGI or sgdynamo.exe, I havent a clue what to look for.
Do you know what I can do to get around this error and get PCI compliant?
Thank you.
http://osvdb.org/3458
ASKER
This shows me that there is no solution. I already didn't know how to solve it. I was hoping to find a way to solve it!
The vendor has fix for this XSS vulnerability.
Check here and read yourself. Info Here
Check here and read yourself. Info Here
Solution: The vendor has released a fix for versions 5.32T and above (5.32U, 6.1, 7.00). Customers should call their Ecometry Customer Support Rep in order to obtain the fixed code. Customers should reference Job # 181625-01 when requesting the code.the new updated code filters the HTName variable and prevents arbitrary data execution. So your internal information is safe again :)
Basically from the information about the exploit you need to filter thr HTName variable just like any other user-input field and make sure that certain charcters do not get executed.
ASKER
I am using a new VPS. It does not have 'sgdynamo.exe' on it.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Is there some coding you can provide which would prevent this vulnerability? Would updating the "sgdynamo.exe" script on the server also work...apparently there are different versions. Appreciate any help you can provide. My SecurityMetrics report failed because of this. Everything else I was able to fix.