PCI compliance scan error messages

Post by lhennings » Fri Oct 20, 2017 4:53 am

We are in the process of having our website scanned by Control Scan to be PCI compliant for credit cards, and I am trying to get documentation for error messages. Our site was scanned and it comes back with the error message:
Vulnerabilities:

| Port | Threat Name | Risk Level | Dispute Status |
|---|---|---|---|
| 443/tcp | Web error message information leakage: /cgi-bin/sb2/image.cgi | High (3) | |
| 443/tcp | Web error message information leakage: /cgi-bin/sb2/newsletter.cgi | High (3) | |
| 443/tcp | Web error message information leakage: /cgi-bin/sb2/order.cgi | High (3) | |
| 161/udp | SNMP is enabled and may be vulnerable | High (3) | |
| 443/tcp | Web error message information leakage: /cgi-bin/sb2/productsearch.cgi | High (3) | |


Vulnerability Details - Web error message information leakage: /cgi-bin/sb2/productsearch.cgi
IP Address: 66.39.112.30
Host: www.fasttrackproducts.com
Path: /productsearch.cgi

THREAT REFERENCE

Summary:
Web error message information leakage: /cgi-bin/sb2/productsearch.cgi

Risk: High (3)
Port: 443/tcp
Protocol: tcp
Threat ID: web_security_errorinfo

Details: The web server produced an error message containing detailed information about an error in the application or back-end database. This message may disclose information about the internal workings of the application, which may be useful to developers, but also to potential attackers.

Information From Target:
Service: 443:TCP
Sent:
GET /cgi-bin/sb2/productsearch.cgi?storeid=/etc/ HTTP/1.0
Host: www.fasttrackproducts.com
User-Agent: Mozilla/5.0
Connection: Keep-Alive
Cookie: sbid=SSMSB1423802249945222844.88443; sbid1=SSMSB1423802249945222844.88443; ss_cart_0001087530=""


Received:
Invalid Storeid /etc/

Control Scan told me they want to see a 404 error code instead of the pages listed. Our web designer has contacted ShopSite and they said it is no big deal. My problem is we cannot pass our compliance scan without documentation from ShopSite that this cannot be changed. I need to know how to get that information.
Liz Hennings
Fast Track Products
763-493-5740

Re: PCI compliance scan error messages

Post by ShopSite David » Tue Oct 24, 2017 12:28 pm

Perhaps this can serve as documentation for them?

In the current ShopSite product that error message cannot be changed. The scanner gives this request:
GET /cgi-bin/sb2/productsearch.cgi?storeid=/etc/ HTTP/1.0
ShopSite returns:
Invalid Storeid /etc/

A couple of things to note:
* One parameter (storeid) is being passed/changed, so when it works it is clear that it was good, and when it fails (no matter what the message) it would be clear that the storeid is bad.

* They want us to produce a 404 (page not found error). I don't believe we can do this programmatically, since the CGI (productsearch.cgi) is found and it would be a misleading error.

* StoreID is not the same as a login name or password. The StoreID is used by ShopSite to read a config file that is not accessible from the web (the file resides in the CGI directory).
-David H.
ShopSite, Inc.
http://www.shopsite.com
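
One way to triage this kind of finding for a dispute, as an added example that is not part of the original posts or ShopSite's code: strip the values the request itself supplied out of the error body and flag only what remains. The pattern list, the function names and the second sample body are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Heuristic signs of server-side detail in an error body.
# Assumed list for illustration; not the scanner's own rule set.
LEAK_PATTERNS = {
    "stack trace": re.compile(r"Traceback \(most recent call last\)|\bat line \d+", re.I),
    "database error": re.compile(r"SQL syntax|SQLSTATE\[|ORA-\d{5}", re.I),
    "filesystem path": re.compile(r"(?:/[\w.-]+){2,}|[A-Za-z]:\\[\w.\\-]+"),
    "software version": re.compile(r"\b(?:Apache|nginx|PHP|Perl)/\d+(?:\.\d+)+", re.I),
}

# Request line and response body exactly as quoted in the scan report above.
PAGE_REQUEST = "GET /cgi-bin/sb2/productsearch.cgi?storeid=/etc/ HTTP/1.0"
PAGE_BODY = "Invalid Storeid /etc/"
# Constructed counter-example (placeholder path, not a real ShopSite message).
CONSTRUCTED_BODY = "Invalid Storeid /etc/: cannot open /srv/example/store.conf at line 42"


def sent_values(request_line):
    """Return the non-empty query-string values the client supplied, longest first."""
    target = request_line.split()[1]
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    return sorted({v for _, v in pairs if v}, key=len, reverse=True)


def triage(request_line, body):
    """Report what the body echoes from the request and what else it reveals."""
    echoed = [v for v in sent_values(request_line) if v in body]
    residual = body
    for value in echoed:
        # Remove client-supplied text so it cannot trigger a leak pattern.
        residual = residual.replace(value, " ")
    leaks = sorted(name for name, rx in LEAK_PATTERNS.items() if rx.search(residual))
    return {"echoed": echoed, "leaks": leaks, "echo_only": bool(echoed) and not leaks}


if __name__ == "__main__":
    print("reported response:   ", triage(PAGE_REQUEST, PAGE_BODY))
    print("constructed response:", triage(PAGE_REQUEST, CONSTRUCTED_BODY))
```
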

Re: PCI compliance scan error messages

Post by ultra1bob » Tue Oct 24, 2017 1:45 pm

We have been through several compliance scans. My web host Lexiconn handled all the problems that came up. Also noted were a number of false positives.
I don't know if this applies to you, but since we use the same ShopSite (ours is the latest version), it seems to me your host should handle the error flags.
That is, we didn't have ShopSite problems for compliance; they were hosting problems.

Re: PCI compliance scan error messages

Post by lhennings » Thu Oct 26, 2017 8:17 am

We have had numerous issues, from false errors to the ShopSite errors. We had our entire website redone since we started this process and had every page upgraded so it is all https. Our hosting company has taken care of most of our issues, and yes, they should be handling all of this, but I need it done, so that is where I am at. Hopefully with the answers from this forum I can get this resolved. We have been working on this since June!