We are in the process of having our website scanned by Control Scan to be PCI compliant for credit cards, and I am trying to get documentation for error messages. Our site was scanned and it comes back with the error message:
Vulnerabilities:
Port | Threat Name | Risk Level | Dispute Status | Actions
443/tcp | Web error message information leakage: /cgi-bin/sb2/image.cgi | High (3) | |
443/tcp | Web error message information leakage: /cgi-bin/sb2/newsletter.cgi | High (3) | |
443/tcp | Web error message information leakage: /cgi-bin/sb2/order.cgi | High (3) | |
161/udp | SNMP is enabled and may be vulnerable | High (3) | |
443/tcp | Web error message information leakage: /cgi-bin/sb2/productsearch.cgi | High (3) | |
Vulnerability Details - Web error message information leakage: /cgi-bin/sb2/productsearch.cgi
IP Address: 66.39.112.30
Host: www.fasttrackproducts.com
Path: /productsearch.cgi
THREAT REFERENCE
Summary:
Web error message information leakage: /cgi-bin/sb2/productsearch.cgi
Risk: High (3)
Port: 443/tcp
Protocol: tcp
Threat ID: web_security_errorinfo
Details: The web server produced an error message containing detailed information about an error in the application or back-end database. This message may disclose information about the internal workings of the application, which may be useful to developers, but also to potential attackers.
Information From Target:
Service: 443:TCP
Sent:
GET /cgi-bin/sb2/productsearch.cgi?storeid=/etc/ HTTP/1.0
Host: www.fasttrackproducts.com
User-Agent: Mozilla/5.0
Connection: Keep-Alive
Cookie: sbid=SSMSB1423802249945222844.88443; sbid1=SSMSB1423802249945222844.88443; ss_cart_0001087530=""
Received:
Invalid Storeid /etc/
Control Scan told me they want to see a 404 error code instead of the pages listed. Our web designer has contacted Shopsite and they said it is no big deal. My problem is we cannot pass our compliance scan without documentation from Shopsite that this cannot be changed. I need to know how to get that information?
Liz Hennings
Fast Track Products
763-493-5740