Why would a PCI scan fail because of components that are not even installed?

Posted by Brandon on Server Fault See other posts from Server Fault or by Brandon
Published on 2012-08-28T15:26:44Z Indexed on 2012/08/28 15:40 UTC
Read the original article Hit count: 340

Filed under:
|
|

Recently a PCI scan was run against a web server and the result was a failure. Some of the issues could be fixed, however others simply make no sense to me.

The machine was a clean install, there are only two things running, the .NET 3.5 website and the dotDefender web application firewall.

However there are several errors similar to:

Web server vulnerability Impact: /servlet/SessionServlet: JRun or Netware WebSphere default servlet found. All default code should be removed from servers. Risk Factor: Medium/ CVSS2 Base Score: 6.4 CVE: CVE-2000-0539

I'm not sure what this is, but I can't find anything on the server that looks anything like this.

Web server vulnerability Impact: /some.php?=PHPE9568F35- D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. Risk Factor: Medium/ CVSS2 Base Score: 5.0

PHP is not installed. Trying to add that query string to any page does nothing because the application ignores it. And doing that phpVersion check results in a 404. Similar to this, there are dozens of errors related to JSP and Oracle that are also not installed.

Web server vulnerability Impact: /admin/database/wwForum.mdb: Web Wiz Forums pre 7.5 is vulnerable to Cross-Site Scripting attacks. Default login/pass is Administrator/letmein Risk Factor: Medium/ CVSS2 Base Score: 4.0

There are several errors like this, telling me that Web Wiz Forums, Alan Ward A-Cart 2.0, IlohaMail, etc. are all vulnerable. These are not installed or referenced anywhere I can find.

There are even references to pages that simply don't exist, like OpenAutoClassifieds.

Can anyone point me in the right direction as to why these errors are showing up or where I might look to find these components if they are in fact installed?

Note: This website and server are for a subdomain of the main website. The main website runs on a server that is running Apache/PHP, but I don't have access to that server. The report says the subdomain was the site being scanned, but is it possible for it to have scanned the main site as well?

© Server Fault or respective owner

Related posts about windows-server-2003

Related posts about iis6