Recently a PCI scan was run against a web server and the result was a failure. Some of the issues could be fixed, however others simply make no sense to me.
The machine was a clean install, there are only two things running, the .NET 3.5 website and the dotDefender web application firewall.
However there are several errors similar to:
Web server vulnerability Impact: /servlet/SessionServlet: JRun or
Netware WebSphere default servlet found. All default code should be
removed from servers. Risk Factor: Medium/ CVSS2 Base Score:
6.4 CVE: CVE-2000-0539
I'm not sure what this is, but I can't find anything on the server that looks anything like this.
Web server vulnerability Impact: /some.php?=PHPE9568F35-
D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive
information via certain HTTP requests that contain specific QUERY
strings. Risk Factor: Medium/ CVSS2 Base Score: 5.0
PHP is not installed. Trying to add that query string to any page does nothing because the application ignores it. And doing that phpVersion check results in a 404. Similar to this, there are dozens of errors related to JSP and Oracle that are also not installed.
Web server vulnerability Impact: /admin/database/wwForum.mdb: Web Wiz
Forums pre 7.5 is vulnerable to Cross-Site Scripting attacks. Default
login/pass is Administrator/letmein Risk Factor: Medium/ CVSS2 Base
Score: 4.0
There are several errors like this, telling me that Web Wiz Forums, Alan Ward A-Cart 2.0, IlohaMail, etc. are all vulnerable. These are not installed or referenced anywhere I can find.
There are even references to pages that simply don't exist, like OpenAutoClassifieds.
Can anyone point me in the right direction as to why these errors are showing up or where I might look to find these components if they are in fact installed?
Note: This website and server are for a subdomain of the main website. The main website runs on a server that is running Apache/PHP, but I don't have access to that server. The report says the subdomain was the site being scanned, but is it possible for it to have scanned the main site as well?