Solved

PCI compliance scan failing

Posted on 2012-12-20
Last Modified: 2013-01-31
Hi,
We have a PCI compliance report that fails with the message below. OWA is being used from the outside, so closing 443 from the outside is not an option. I saw a patch, but that was already included in SP2 (which they have). Does anyone have any other suggestions that they've come across for a fix to this (apart from password-protecting logon.aspx, as it would create another level of logging in)? Thanks


TCP Port 443 https
Title: web program allows cross-site scripting in query string (/Remote/logon.aspx)
Impact: A malicious web site could cause arbitrary commands to run on a client through a specially crafted link to the vulnerable server. In some cases, this could result in the compromise of the client's cookies, leading to unauthorized access to web applications.
Data Sent: GET /Remote/logon.aspx?ReturnUrl=%2fRemote%2fDefault.aspx<SCRIPT>alert('SecurityMetrics')</SCRIPT> HTTP/1.0 Host: 173.167.103.145 User-Agent: Mozilla/4.0 Connection: Keep-alive
Data Received: ??<form name="logon" method="post" action="logon.aspx?ReturnUrl=%2fRemote%2fDefault.aspx<SCRIPT>alert('SecurityMetrics')</SCRIPT>" id="logon" autocomplete="off">
Resolution: Cross-site scripting can be fixed either by creating a customized error page which does not display the URI, or by applying one of the following fixes:
  • ocPortal: [http://ocportal.com/site/news/view/ocportal-security-update.htm] Download the ocPortal Security Release Patch.
  • HP Network Automation: Apply a patch [http://support.openview.hp.com/selfsolve/patches] Network Automation 09.10.02 to resolve the vulnerabilities for HP Network Automation. You need to do: Upgrade to HP Network Automation v9.10; Apply patch 2 or subsequent (Title: Network Automation 09.10.02, NA_00015).
  • CA Siteminder: [http://www.ca.com/us/default.aspx] Upgrade to version R6 SP6 CR7 or R12 SP3 CR8.
  • AtMail Open: Upgrade to a version created after 1 Dec. 2011.
  • ASP Fast Forum: Upgrade to a version created after 1 NOV 2005.
  • PHP-Nuke (11/13/08): [http://phpnuke.org/modules.php?name=Downloads] Upgrade PHP-Nuke to a version higher than 8.1.
  • FlatNuke: [http://www.flatnuke.org/index.php?mod=Download] Upgrade to FlatNuke version 2.5.7.
  • RSA Security: Upgrade to RSA Security RSA Authentication Agent to a version higher than 5.3 or RSA Security ACE/Agent for Web to a version higher than 5.1.1 when they become available.
  • Lotus Domino: Upgrade to version 5.0.9 when it becomes available.
  • Microsoft ISA 2000: Refer to [http://www.microsoft.com/technet/security/bulletin/ms01-045.mspx] Microsoft Security Bulletin 01-045.
  • NetWare Web Search (04/19/02): Apply NetWare 6 Service Pack 1.
  • ColdFusion MX (06/25/02): Apply the patch referenced in [http://www.adobe.com/devnet/security/security_zone/mpsb02-03.html] Macromedia Security Bulletin 02-03.
  • Apache Tomcat (07/12/02): [http://jakarta.apache.org/] Upgrade to version 4.1.4 or higher, and unmap the "invoker" servlet (mapped to /servlet/), which executes anonymous servlet classes that have not been defined in a web.xml file. The entry for this can be found in the /<tomcat-install-dir>/conf/web.xml file.
  • Apache printenv program (12/30/02): Remove the cgi-bin/printenv program. Although this program outputs the text/plain MIME type which shouldn't be susceptible to cross-site scripting, some browsers do not correctly handle this type and would therefore be vulnerable.
  • Microsoft Content Management Server 2001 (01/23/03): Apply the cumulative patch referenced in [http://www.microsoft.com/technet/security/bulletin/ms03-002.mspx] Microsoft Security Bulletin 03-002, or apply Microsoft Content Management Server 2001 Service Pack 2 if available.
  • WebCalendar (09/22/03): [http://webcalendar.sourceforge.net/] Upgrade to a WebCalendar version newer than 0.9.42.
  • VP-ASP (Shopping Cart) (12/22/03, 06/22/04, 11/30/05): See the [http://www.vpasp.com/virtprog/info/faq_securityfixes.htm] VP-ASP security fixes.
  • Bitfolge snif (12/22/03): [http://www.bitfolge.de/download/] Upgrade to snif 1.2.7 or later.
  • osCommerce (12/23/03): [http://www.oscommerce.com/solutions/downloads] Upgrade to osCommerce 2.2 milestone 3.
  • IBM Net.Data db2www (02/04/04): Use the DTW_DEFAULT_ERROR_MESSAGE feature (or the DTW_DEFAULT_MACRO feature on zOS and iServer) to ensure that error messages do not include user input in their response. For example, in the Net.Data configuration file db2www.ini, insert an entry such as: DTW_DEFAULT_ERROR_MESSAGE This Web Site is experiencing problems. Check back later.
  • ASP Portal (02/27/04): Upgrade your version.
  • phpBB2 (03/24/04): [http://www.phpbb.com/downloads.php] Upgrade to phpBB 2.0.7 or higher.
  • ZWiki (12/01/04): [http://zwiki.org/repos/ZWiki/releases/] Upgrade to 0.37 or higher when available or 0.37.0rc1, or apply the fix described [http://zwiki.org/925ZwikiXSSVulnerability] here.
  • ht://Dig (02/14/05): [http://www.htdig.org/where.html] Upgrade to higher than 3.2.0b6, or install a fixed package from your operating system vendor.
  • DotNetNuke (05/26/05): [http://dotnetnuke.com/default.aspx?tabid=125] Upgrade to 3.0.12 or higher.
  • Apache Struts (12/07/05): [http://struts.apache.org/download.cgi] Upgrade to 1.2.8 or higher.
  • phpMyChat (12/09/05): [http://www.phpheaven.net/phpmychat:home?id_rubrique=29] Upgrade to higher than version 0.14.5.
  • Cerberus Helpdesk (01/04/06): [http://www.cerberusweb.com/downloads_helpdesk.php] Upgrade to 2.7.0 or higher.
  • Apache Geronimo (01/27/06): [http://geronimo.apache.org/downloads.html] Upgrade to version 1.0.1 or 1.1 when available.
  • Ashnews (02/10/06): [http://dev.ashwebstudio.com/products.php] Upgrade to a version higher than 0.83 when available.
  • QwikiWiki (02/27/06): [http://sourceforge.net/project/showfiles.php?group_id=80406] Upgrade to a version higher than 1.51 when available.
  • vCard (03/23/06): [http://www.belchiorfoundry.com/vcard/index.php] Upgrade to a version higher than 2.9.
  • Contrexx (03/24/06): [http://www.contrexx.com/?section=news&cmd=details&newsid=54] Patch version 1.0.8 or [http://www.contrexx.com/] upgrade to a version higher than 1.0.8.
  • phpCOIN (04/05/06): [http://www.phpcoin.com/coin_addons/dload.php?id=108] Upgrade to version 1.2.3.
  • PHPKIT (04/05/06): [http://phpkit.de/include.php?path=content/news.php&contentid=280&PHPKITSID=90c781f9635d9416058473a6aa735927] Upgrade to 1.6.1 Release 2.
  • phpAdsNew/phpPgAds (04/06/06): Upgrade [http://phpadsnew.com/two/index.html] phpAdsNew or [http://www.phppgads.com/one/index.html] phpPgAds to version 2.0.8.
  • Confixx (04/23/06): [http://www.swsoft.com/de/products/confixx/] Upgrade to a version higher than 3.1.2 when available.
  • phpLDAPadmin (05/01/06): [http://phpldapadmin.sourceforge.net/download.php] Upgrade to version 0.9.8.2 or higher.
  • Boardsolution (05/02/06): [http://www.script-solution.de/] Upgrade to version 1.13 or higher.
  • Pivot (07/24/06): [http://www.pivotlog.net/] Upgrade to version 1.30 Final or higher.
  • XOOPS (10/14/11): [http://www.xoops.org/modules/core/] Upgrade to 2.5.3.
  • XOOPS packs (11/17/06): Upgrade [http://www.xoops.org/modules/core/visit.php?cid=9&lid=98] CommunityPack, [http://www.xoops.org/modules/core/visit.php?cid=9&lid=101] PersonalPack, and [http://www.xoops.org/modules/core/visit.php?cid=9&lid=100] IntranetPack to a version higher than 1.0, or fix as [http://worldphantom.org/foro/index.php?PHPSESS=475e274a8eeb5ffa159e890b2a9cae64&topic=417.new] described.
  • cPanel (01/11/10): [http://www.cpanel.net/support/downloads/downloads.htm] Upgrade to version 11.25 or higher.
  • OsTicket (01/02/07): [http://www.osticket.com/downloads.php] Upgrade to 2.0 when available.
  • PHP iCalendar (01/04/07): [http://sourceforge.net/project/showfiles.php?group_id=62270&package_id=58811] Upgrade to version 2.23 or later when available.
  • Citrix MetaFrame (03/07/08): Apply a fix as described in [http://support.citrix.com/article/CTX101996] Document ID CTX101996.
  • Campus Bulletin Board (05/29/08): [http://netlab.kh.edu.tw/download/index.htm] Upgrade to a version higher than 3.4 when available.
  • Apache Roller (01/27/09): Apply the fix described in [https://svn.apache.org/viewvc?view=rev&revision=668737] Revision 668737.
  • MercuryBoard (02/04/10): [http://www.mercuryboard.com/index.php?a=downloads] Upgrade to a version higher than 1.1.5 when available.
  • Cisco Secure Desktop (02/12/10): [http://tools.cisco.com/support/downloads/pub/Redirect.x?mdfid=280277835] Upgrade to version 3.5.841 or higher when available.
  • Cisco Collaboration Server (03/04/10): [http://tools.cisco.com/support/downloads/pub/Redirect.x?mdfid=268439684] Upgrade to a version higher than 5 when available.
  • RSA SecurID (03/04/10): Upgrade to a version higher than 6.1 when available.
  • Juniper IVE (08/16/10): Ensure that the firewall's management interface is disabled on the Internet-connected interface, by disabling WebUI within service options on the Internet-connected interface.
  • GuestBook Script (07/11/12): [http://www.guestbookscripts.com/index.php] Upgrade to a version higher than 1.5 when available.
  • Web@All (07/19/12): [http://webatall.org/] Updates are available. Please see the Web@All homepage for more information.
  • X-Cart (08/01/2012): [http://www.x-cart.com/] Upgrade to a version higher than 4.5.1 when available.
  • Greenstone (11/29/12): [http://www.greenstone.org/download] Upgrade to a version higher than 2.85 when available.
  • All other products: Retrieve an upgrade or a patch from the vendor. See the posting to [http://www.securityfocus.com/archive/1/194464] Bugtraq for information about specific types of web servers. See references below. If a fix is unavailable, then work around the problem by creating a customized error page.
Risk Factor: Medium / CVSS2 Base Score: 4.0 (AV:N/AC:H/Au:N/C:P/I:N/A:N)
Question by:seven45
Accepted Solution

by: mcsween
ID: 38710121
Have a look at this article from Microsoft.  If you display a custom error page then you won't have this issue.

http://msdn.microsoft.com/en-us/library/994a1482(v=vs.100).aspx
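What the scan report actually shows is the value of the ReturnUrl query parameter being copied into the form's action attribute without validation or encoding, so the probe string comes back as live markup. The following Python model is an added example, not code from the question, from the scanner vendor or from Microsoft: it reproduces that behaviour with a stand-in for the logon page, shows a hardened rendering that accepts only a site-local path and encodes the value for both the URL and the HTML attribute, and includes the decision rule the report applies (is the probe present in the response verbatim). The function names, the DEFAULT_RETURN value and the allowlist rules are assumptions for illustration; the probe string is the one quoted in the report.

```python
import html
import re
from urllib.parse import quote, unquote, urlsplit

# Probe string taken from the scan report quoted in the question.
PROBE = "<SCRIPT>alert('SecurityMetrics')</SCRIPT>"
# Hypothetical landing page; the real application's default is not stated on the page.
DEFAULT_RETURN = "/Remote/Default.aspx"
# Allowlist for a site-local path: absolute, no scheme, no host, no markup characters.
LOCAL_PATH = re.compile(r"/[A-Za-z0-9/._~-]*")


def render_logon_form_unsafe(raw_return_url: str) -> str:
    """Stand-in for the behaviour the 'Data Received' section shows: the raw
    query-string value lands inside the action attribute unchanged."""
    return ('<form name="logon" method="post" action="logon.aspx?ReturnUrl='
            + raw_return_url + '" id="logon" autocomplete="off">')


def sanitize_return_url(raw_return_url: str, default: str = DEFAULT_RETURN) -> str:
    """Decode the parameter once and keep it only if it is a plain local path.
    A scheme or host (open redirect), a protocol-relative '//', a query or
    fragment, or any character outside the allowlist falls back to default.
    Because '%' is not allowed, a double-encoded value is rejected too."""
    parts = urlsplit(unquote(raw_return_url))
    if parts.scheme or parts.netloc or parts.path.startswith("//"):
        return default
    if not LOCAL_PATH.fullmatch(parts.path):
        return default
    return parts.path


def render_logon_form_hardened(raw_return_url: str) -> str:
    """Validate first, then encode for each context the value passes through:
    quote() for the URL query value, html.escape() for the HTML attribute.
    Even if validation were skipped, html.escape() turns '<' into '&lt;' and
    '"' into '&quot;', so the input can no longer close the attribute early."""
    action = "logon.aspx?ReturnUrl=" + quote(sanitize_return_url(raw_return_url), safe="")
    return ('<form name="logon" method="post" action="' + html.escape(action, quote=True)
            + '" id="logon" autocomplete="off">')


def reflects_probe(response_body: str, probe: str = PROBE) -> bool:
    """The scanner's decision rule as the report shows it: the probe appears in
    the response verbatim (unencoded), so a browser would parse it as markup."""
    return probe in response_body


if __name__ == "__main__":
    # Constructed request value: the ReturnUrl from the report's 'Data Sent' line.
    sent = "%2fRemote%2fDefault.aspx" + PROBE
    print("unsafe rendering reflects probe:  ", reflects_probe(render_logon_form_unsafe(sent)))
    print("hardened rendering reflects probe:", reflects_probe(render_logon_form_hardened(sent)))
    print(render_logon_form_hardened(sent))
```

In the ASP.NET application behind /Remote/logon.aspx the equivalents are checking ReturnUrl against a site-local path before it is used and rendering the attribute through HttpUtility.HtmlAttributeEncode; the custom error page from the report's resolution and the accepted answer covers the other case, where an error page rather than the logon form echoes the request URI. The report does not say which of the two is producing the reflected markup, so re-running the scan after each change is the only reliable confirmation.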