Results 1 to 7 of 7

Thread: nCircle Vulnerability Scan (PCI Compliance)

  1. #1
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424

    nCircle Vulnerability Scan (PCI Compliance)

    Hey all (and maybe HTRegz in particular, as he works for nCircle),

    I'm trying to accomplish PCI DDS compliance, and I just did an nCircle vulnerability scan for PCI compliance (through http://www.ncircle.com/index.php?s=p...pci-compliance ). Our server didn't pass, but the results aren't as bad as I was expecting, although I'm a little confused by what they're telling me.

    Here are the two items that caused the server to fail the compliance test:

    Microsoft IIS Frontpage Extensions Path Disclosure Information Vulnerability
    nCircle ID: 1705 Port: 80 CVSS Score: 5.0 Not Compliant
    Description
    An issue has been reported that a number of configuration files (.cnf) in Microsoft IIS could be used to disclose sensitive
    system information to remote users if directory permissions are misconfigured. Allegedly, submitting a request for one of
    the vulnerable files by way of '/_vti_pvt/', will cause the host to reveal system path information. The reported problematic
    configuration files are 'access.cnf', 'botinfs.cnf', 'bots.cnf' and 'linkinfo.cnf'. Reportedly, a request similar to the following
    will exploit this issue: GET /_vti_pvt/file.cnf Successful exploitation of this issue could lead to the disclosure of sensitive
    path information, which may assist in further attacks against the host.
    Solution
    Read and write access should not be permitted to the "_vti_pvt" directory and all files contained within the "_vti_pvt"
    directory. The access permissions can be found in the Internet Information Server management application. MITIGATION
    Do not accept communications from unknown or untrusted hosts.
    Advisories
    CVE: CVE-2002-1717, BugTraq: 4078, CVSS Base Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N), CVSS Base Score: 5.0,
    nCircle CVSS Temporal Vector: (E:H/RL:W/RC:C), nCircle CVSS Temporal Score: 4.8
    I don't have the directories nor the files mentioned in the advisory...


    WebDAV HTTP method 'PROPFIND' enabled
    nCircle ID: 5060 Port: 80 CVSS Score: 5.0 Not Compliant
    Description
    PROPFIND is an HTTP method available to Microsoft's Internet Information Server (IIS) version 5.0. PROPFIND is part of
    WebDAV (Distributed Authoring and Versioning) extensions to RFC 2518. PROPFIND is used to retrieve properties for a
    resource identified by the request Uniform Resource Identifier (URI). Although the availability of PROPFIND is not a
    vulnerability, it is possible for an attacker to gather information about web resources by using the PROPFIND command. In
    a high security environment, it may be advisable to disable PROPFIND.
    Solution
    Disable the WebDAV extensions. Information on how to disable the WebDAV extensions is available at from Microsoft at
    http://support.microsoft.com/default...b;en-us;241520.
    Advisories
    nCircle CVSS Base Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N), nCircle CVSS Base Score: 5.0, nCircle CVSS Temporal
    Vector: (E:H/RL:W/RC:C), nCircle CVSS Temporal Score: 4.8
    The article linked to (at http://support.microsoft.com/kb/241520 , not at the link in the nCircle advisory) states that "Because WebDAV is an extension to the HTTP protocol, the concept of disabling WebDAV verbs is like disabling native HTTP verbs such as GET, POST, and so forth. This article describes the process to use to disable WebDAV for those extreme cases in which a Web administrator does not want any WevDAV functionality at all." (my emphasis). That doesn't sound like something I'd want to do... Any advise on how to pass this part of the compliance test?

    Thanks!

  2. #2
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Neg,

    Check out the PM I Sent.

    Tyler.

  3. #3
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    Much appreciated! Sent you an email

  4. #4
    Junior Member
    Join Date
    Mar 2009
    Posts
    2
    I have the same problem with nCircle finding /_vti_pvt/ when it doens't exist - what is the solution? Thanks

  5. #5
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Quote Originally Posted by willgatz View Post
    I have the same problem with nCircle finding /_vti_pvt/ when it doens't exist - what is the solution? Thanks
    Have you contacted nCircle Technical Support? You can also email me ( tyler [at] ncircle [dot] com ) and I can make sure your issue gets to the right people.

  6. #6
    Junior Member
    Join Date
    Mar 2009
    Posts
    2

    Found something - thanks though

    Tyler,

    Thanks - upon digging further and not actually searching for the file listed in the report, only the dir, I found an old _vti_pvt folder that was empty. So I will delete that and hopefully the next cCircle scan won't find this again! I really appreciate your getting back to me so promptly.

  7. #7
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Quote Originally Posted by willgatz View Post
    Tyler,

    Thanks - upon digging further and not actually searching for the file listed in the report, only the dir, I found an old _vti_pvt folder that was empty. So I will delete that and hopefully the next cCircle scan won't find this again! I really appreciate your getting back to me so promptly.
    I'm glad you managed to track down the problem... if you have any problems going forward, please let me know.

Similar Threads

  1. NMAP Scanning and PortSentry Evasion
    By Striek in forum The Security Tutorials Forum
    Replies: 10
    Last Post: January 17th, 2006, 04:07 AM
  2. Browser Security Test
    By therenegade in forum Web Security
    Replies: 13
    Last Post: April 1st, 2005, 09:03 AM
  3. Securing Windows 2000 and IIS
    By spools.exe in forum Microsoft Security Discussions
    Replies: 0
    Last Post: September 15th, 2003, 09:47 PM
  4. NEWS: SANS Critical Vulnerability Report
    By xmaddness in forum Miscellaneous Security Discussions
    Replies: 0
    Last Post: January 28th, 2003, 09:12 PM
  5. IIS Patch announcement
    By souleman in forum Microsoft Security Discussions
    Replies: 5
    Last Post: April 11th, 2002, 11:39 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •