seven45
asked on
pci compliance scan failing
Hi,
We have a pci compliance report that fails with the below message. OWA is being used from the outside so closing 443 from the outside is not an option. I saw a patch, but that was already included in sp2 (which they have). Anyone have any other suggestions that they've come across for a fix to this. (apart from password protecting logon.aspx---as it would create another level of logging in). Thanks
TCP Port 443 https
Title: web program allows cross-site scripting in query string
(/Remote/logon.aspx) Impact: A malicious web site could cause arbitrary commands to run on a client through a specially crafted link to the vulnerable server. In some cases, this could result in the compromise of the client's cookies, leading to unauthorized access to web applications. Data
Sent: GET /Remote/logon.aspx?ReturnU
lert('SecurityMetrics')</S
Mozilla/4.0 Connection: Keep-alive Data Received: ??<form name="logon"
method="post" action="logon.
aspx?ReturnUrl=%2fRemote%2
Metrics')</SCRIPT>" id="logon" autocomplete="off"> Resolution: Cross-site scripting can be fixed either by creating a customized error page which does not display the URI, or by applying one of the following fixes: ocPortal:
[http://ocportal.com/site/news/view/ocportal- security-update.htm] Download the ocPortal Security Release Patch. HP Network Automation: Apply a patch [http://support.openview.hp.com/selfsolve/patches] Network Automation
09.10.02 to resolve the vulnerabilities for HP Network Automation. You need to do: Upgrade to HP Network Automation v9.10 Apply patch 2 or subsequent
(Title: Network Automation 09.10.02, NA_00015) CA Siteminder:
[http://www.ca.com/us/default.aspx] Upgrade to version R6 SP6 CR7 or R12 SP3 CR8. AtMail Open: Upgrade to a version created after 1 Dec. 2011. ASP Fast Forum:Upgrade to a version created after 1 NOV 2005. PHP-Nuke: (11/13/08) [http://phpnuke.org/modules.php?name=Downloads] Upgrade PHP-Nuke to a version higher than 8.1.
FlatNuke:[http://www.flatnuke.org/index.php?mod=Download] Upgrade to FlatNuke version 2.5.7 RSA Security: Upgrade to RSA Security RSA Authentication Agent to a version higher than 5.3 or RSA Security ACE/Agent for Web to a version higher than 5.1.1 when they become available Lotus
Domino: Upgrade to version 5.0.9 when it becomes available. Microsoft ISA
2000: Refer to
[http://www.microsoft.com/technet/security/bulletin/ms01-045.mspx] Microsoft Security Bulletin 01-045. NetWare Web Search: (04/19/02) Apply NetWare 6 Service Pack 1. ColdFusion MX: (06/25/02) Apply the patch referenced in [http://www.adobe.com/devnet/security/security_zone/mpsb02-03.html]
Macromedia Security Bulletin 02-03. Apache Tomcat: (07/12/02) [http://jakarta.apache.org/] Upgrade to version 4.1.4 or higher, and unmap the "invoker" servlet (mapped to /servlet/), which executes anonymous servlet classes that have not been defined in a web.xml file. The entry for this can be found in the /<tomcat- install-dir>/conf/web.x
DTW_DEFAULT_ERROR_MESSAGE This Web Site is experiencing problems. Check back later. ASP Portal (02/27/04) Upgrade your version. phpBB2 (03/24/04) [http://www.phpbb.com/downloads.php] Upgrade to phpBB 2.0.7 or higher. ZWiki
(12/01/04) [http://zwiki.org/repos/ZWiki/releases/] Upgrade to 0.37 or higher when available or 0.37.0rc1, or apply the fix described [http://zwiki.org/925ZwikiXSSVulnerability] here. ht://Dig (02/14/05) [http://www.htdig.org/where.html] Upgrade to higher than 3.2.0b6, or install a fixed package from your operating system vendor. DotNetNuke (05/26/05) [http://dotnetnuke.com/default.aspx?tabid=125] Upgrade to 3.0.12 or higher.
Apache Struts (12/07/05) [http://struts.apache.org/download.cgi] Upgrade to
1.2.8 or higher. phpMyChat (12/09/05)
[http://www.phpheaven.net/phpmychat:home?id_rubrique=29] Upgrade to higher than version 0.14.5 . Cerberus Helpdesk (01/04/06) [http://www.cerberusweb.com/downloads_helpdesk.php] Upgrade to 2.7.0 or higher. Apache Geronimo (01/27/06) [http://geronimo.apache.org/downloads.html] Upgrade to version 1.0.1 or 1.1 when available. Ashnews (02/10/06) [http://dev.ashwebstudio.com/products.php] Upgrade to a version higher than
0.83 when available. QwikiWiki (02/27/06) [http://sourceforge.net/project/showfiles.php?group_id=80406] Upgrade to a version higher than 1.51 when available. vCard (03/23/06) [http://www.belchiorfoundry.com/vcard/index.php] Upgrade to a version higher than 2.9. Contrexx (03/24/06) [http://www.contrexx.com/?section=news&cmd=details&newsid=54] Patch version 1.0.8 or [http://www.contrexx.com/] upgrade to a version higher than
1.0.8 . phpCOIN (04/05/06)
[http://www.phpcoin.com/coin_addons/dload.php?id=108] upgrade to version
1.2.3 . PHPKIT (04/05/06) [http://phpkit.de/include.php?path=content/ne
ws.php&contentid=280&a
upgrade to 1.6.1 Release 2. phpAdsNew/phpPgAds (04/06/06) upgrade [http://phpadsnew.com/two/index.html] phpAdsNew or [http://www.phppgads.com/one/index.html] phpPgAds to version 2.0.8. Confixx
(04/23/06) [http://www.swsoft.com/de/products/confixx/] Upgrade to a version higher than 3.1.2 when available. phpLDAPadmin (05/01/06) [http://phpldapadmin.sourceforge.net/download.php] Upgrade to version
0.9.8.2 or higher. Boardsolution (05/02/06) [http://www.script- solution.de/] Upgrade to version 1.13 or higher. Pivot (07/24/06) [http://www.pivotlog.net/] Upgrade to version 1.30 Final or higher. XOOPS
(10/14/11) [http://www.xoops.org/modules/core/] Upgrade to 2.5.3. XOOPS packs (11/17/06) Upgrade [http://www.xoops.org/modules/core/visit.php?cid=9&lid=98]
CommunityPack,
[http://www.xoops.org/modules/core/visit.php?cid=9&lid=101]
PersonalPack, and
[http://www.xoops.org/modules/core/visit.php?cid=9&lid=100] IntranetPack to a version higher than 1.0 or fix as [http://worldphantom
.org/foro/index.php?PHPSES
17.new] described. cPanel (01/11/10)
[http://www.cpanel.net/support/downloads/downloads.htm] Upgrade to version
11.25 or higher. OsTicket (01/02/07) [http://www.osticket.com/downloads.php]
Upgrade to 2.0 when available. PHP iCalendar (01/04/07) [http://sourceforge.net/project/showfiles.php?g
roup_id=62270&package_
Upgrade to a version higher than 3.4 when available. Apache Roller
(01/27/09) Apply the fix described in
[https://svn.apache.org/viewvc?view=rev&revision=668737] Revision 668737. MercuryBoard (02/04/10) [http://www.mercuryboard.com/index.php?a=downloads] Upgrade to a version higher than 1.1.5 when available. Cisco Secure Desktop (02/12/10) [http:
//tools.cisco.com/support/
(03/04/10) [http://tools.cisco.com/support/downloads/pub/Redirect
.x?mdfid=268439684] Upgrade to version higher than 5 when available. RSA SecurID (03/04/10) Upgrade to version higher than 6.1 when available.
Juniper IVE (08/16/10) Ensure that the firewall's management interface is disabled on the Internet connected interface, by disabling WeBUI within service options on the Internet connected interface. GuestBook Script
(07/11/12) [http://www.guestbookscripts.com/index.php] Upgrade to a version higher than 1.5 when available. Web@All (07/19/12) [http://webatall.org/] Updates are available. Please see Web@All homepage for more information.
X-Cart (08/01/2012) [http://www.x-cart.com/] Upgrade to version higher than
4.5.1 when available. Greenstone (11/29/12) [http://www.greenstone.org/download] Upgrade to version higher than 2.85 when available. All other products: Retrieve an upgrade or a patch from the vendor. See the posting to [http://www.securityfocus.com/archive/1/194464]
Bugtraq for information about specific types of web servers. See references below. If a fix is unavailable, then work around the problem by creating a customized error page. Risk Factor: Medium/ CVSS2 Base Score: 4.0
(AV:N/AC:H/Au:N/C:P/I:N/A:
We have a pci compliance report that fails with the below message. OWA is being used from the outside so closing 443 from the outside is not an option. I saw a patch, but that was already included in sp2 (which they have). Anyone have any other suggestions that they've come across for a fix to this. (apart from password protecting logon.aspx---as it would create another level of logging in). Thanks
TCP Port 443 https
Title: web program allows cross-site scripting in query string
(/Remote/logon.aspx) Impact: A malicious web site could cause arbitrary commands to run on a client through a specially crafted link to the vulnerable server. In some cases, this could result in the compromise of the client's cookies, leading to unauthorized access to web applications. Data
Sent: GET /Remote/logon.aspx?ReturnU
lert('SecurityMetrics')</S
Mozilla/4.0 Connection: Keep-alive Data Received: ??<form name="logon"
method="post" action="logon.
aspx?ReturnUrl=%2fRemote%2
Metrics')</SCRIPT>" id="logon" autocomplete="off"> Resolution: Cross-site scripting can be fixed either by creating a customized error page which does not display the URI, or by applying one of the following fixes: ocPortal:
[http://ocportal.com/site/news/view/ocportal- security-update.htm] Download the ocPortal Security Release Patch. HP Network Automation: Apply a patch [http://support.openview.hp.com/selfsolve/patches] Network Automation
09.10.02 to resolve the vulnerabilities for HP Network Automation. You need to do: Upgrade to HP Network Automation v9.10 Apply patch 2 or subsequent
(Title: Network Automation 09.10.02, NA_00015) CA Siteminder:
[http://www.ca.com/us/default.aspx] Upgrade to version R6 SP6 CR7 or R12 SP3 CR8. AtMail Open: Upgrade to a version created after 1 Dec. 2011. ASP Fast Forum:Upgrade to a version created after 1 NOV 2005. PHP-Nuke: (11/13/08) [http://phpnuke.org/modules.php?name=Downloads] Upgrade PHP-Nuke to a version higher than 8.1.
FlatNuke:[http://www.flatnuke.org/index.php?mod=Download] Upgrade to FlatNuke version 2.5.7 RSA Security: Upgrade to RSA Security RSA Authentication Agent to a version higher than 5.3 or RSA Security ACE/Agent for Web to a version higher than 5.1.1 when they become available Lotus
Domino: Upgrade to version 5.0.9 when it becomes available. Microsoft ISA
2000: Refer to
[http://www.microsoft.com/technet/security/bulletin/ms01-045.mspx] Microsoft Security Bulletin 01-045. NetWare Web Search: (04/19/02) Apply NetWare 6 Service Pack 1. ColdFusion MX: (06/25/02) Apply the patch referenced in [http://www.adobe.com/devnet/security/security_zone/mpsb02-03.html]
Macromedia Security Bulletin 02-03. Apache Tomcat: (07/12/02) [http://jakarta.apache.org/] Upgrade to version 4.1.4 or higher, and unmap the "invoker" servlet (mapped to /servlet/), which executes anonymous servlet classes that have not been defined in a web.xml file. The entry for this can be found in the /<tomcat- install-dir>/conf/web.x
DTW_DEFAULT_ERROR_MESSAGE This Web Site is experiencing problems. Check back later. ASP Portal (02/27/04) Upgrade your version. phpBB2 (03/24/04) [http://www.phpbb.com/downloads.php] Upgrade to phpBB 2.0.7 or higher. ZWiki
(12/01/04) [http://zwiki.org/repos/ZWiki/releases/] Upgrade to 0.37 or higher when available or 0.37.0rc1, or apply the fix described [http://zwiki.org/925ZwikiXSSVulnerability] here. ht://Dig (02/14/05) [http://www.htdig.org/where.html] Upgrade to higher than 3.2.0b6, or install a fixed package from your operating system vendor. DotNetNuke (05/26/05) [http://dotnetnuke.com/default.aspx?tabid=125] Upgrade to 3.0.12 or higher.
Apache Struts (12/07/05) [http://struts.apache.org/download.cgi] Upgrade to
1.2.8 or higher. phpMyChat (12/09/05)
[http://www.phpheaven.net/phpmychat:home?id_rubrique=29] Upgrade to higher than version 0.14.5 . Cerberus Helpdesk (01/04/06) [http://www.cerberusweb.com/downloads_helpdesk.php] Upgrade to 2.7.0 or higher. Apache Geronimo (01/27/06) [http://geronimo.apache.org/downloads.html] Upgrade to version 1.0.1 or 1.1 when available. Ashnews (02/10/06) [http://dev.ashwebstudio.com/products.php] Upgrade to a version higher than
0.83 when available. QwikiWiki (02/27/06) [http://sourceforge.net/project/showfiles.php?group_id=80406] Upgrade to a version higher than 1.51 when available. vCard (03/23/06) [http://www.belchiorfoundry.com/vcard/index.php] Upgrade to a version higher than 2.9. Contrexx (03/24/06) [http://www.contrexx.com/?section=news&cmd=details&newsid=54] Patch version 1.0.8 or [http://www.contrexx.com/] upgrade to a version higher than
1.0.8 . phpCOIN (04/05/06)
[http://www.phpcoin.com/coin_addons/dload.php?id=108] upgrade to version
1.2.3 . PHPKIT (04/05/06) [http://phpkit.de/include.php?path=content/ne
ws.php&contentid=280&a
upgrade to 1.6.1 Release 2. phpAdsNew/phpPgAds (04/06/06) upgrade [http://phpadsnew.com/two/index.html] phpAdsNew or [http://www.phppgads.com/one/index.html] phpPgAds to version 2.0.8. Confixx
(04/23/06) [http://www.swsoft.com/de/products/confixx/] Upgrade to a version higher than 3.1.2 when available. phpLDAPadmin (05/01/06) [http://phpldapadmin.sourceforge.net/download.php] Upgrade to version
0.9.8.2 or higher. Boardsolution (05/02/06) [http://www.script- solution.de/] Upgrade to version 1.13 or higher. Pivot (07/24/06) [http://www.pivotlog.net/] Upgrade to version 1.30 Final or higher. XOOPS
(10/14/11) [http://www.xoops.org/modules/core/] Upgrade to 2.5.3. XOOPS packs (11/17/06) Upgrade [http://www.xoops.org/modules/core/visit.php?cid=9&lid=98]
CommunityPack,
[http://www.xoops.org/modules/core/visit.php?cid=9&lid=101]
PersonalPack, and
[http://www.xoops.org/modules/core/visit.php?cid=9&lid=100] IntranetPack to a version higher than 1.0 or fix as [http://worldphantom
.org/foro/index.php?PHPSES
17.new] described. cPanel (01/11/10)
[http://www.cpanel.net/support/downloads/downloads.htm] Upgrade to version
11.25 or higher. OsTicket (01/02/07) [http://www.osticket.com/downloads.php]
Upgrade to 2.0 when available. PHP iCalendar (01/04/07) [http://sourceforge.net/project/showfiles.php?g
roup_id=62270&package_
Upgrade to a version higher than 3.4 when available. Apache Roller
(01/27/09) Apply the fix described in
[https://svn.apache.org/viewvc?view=rev&revision=668737] Revision 668737. MercuryBoard (02/04/10) [http://www.mercuryboard.com/index.php?a=downloads] Upgrade to a version higher than 1.1.5 when available. Cisco Secure Desktop (02/12/10) [http:
//tools.cisco.com/support/
(03/04/10) [http://tools.cisco.com/support/downloads/pub/Redirect
.x?mdfid=268439684] Upgrade to version higher than 5 when available. RSA SecurID (03/04/10) Upgrade to version higher than 6.1 when available.
Juniper IVE (08/16/10) Ensure that the firewall's management interface is disabled on the Internet connected interface, by disabling WeBUI within service options on the Internet connected interface. GuestBook Script
(07/11/12) [http://www.guestbookscripts.com/index.php] Upgrade to a version higher than 1.5 when available. Web@All (07/19/12) [http://webatall.org/] Updates are available. Please see Web@All homepage for more information.
X-Cart (08/01/2012) [http://www.x-cart.com/] Upgrade to version higher than
4.5.1 when available. Greenstone (11/29/12) [http://www.greenstone.org/download] Upgrade to version higher than 2.85 when available. All other products: Retrieve an upgrade or a patch from the vendor. See the posting to [http://www.securityfocus.com/archive/1/194464]
Bugtraq for information about specific types of web servers. See references below. If a fix is unavailable, then work around the problem by creating a customized error page. Risk Factor: Medium/ CVSS2 Base Score: 4.0
(AV:N/AC:H/Au:N/C:P/I:N/A:
Last Comment
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
SBS
Small Business Server (SBS) is a line of server operating systems targeted at small businesses by bundling the operating system with a number of other Microsoft products that would normally need to be purchased or licensed separately. The most notable inclusions are Exchange, SQL Server, SharePoint and ISA/TMG (Microsoft's firewall and proxy server).
59K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
