-
September 26th, 2008, 04:34 PM
#1
nCircle Vulnerability Scan (PCI Compliance)
Hey all (and maybe HTRegz in particular, as he works for nCircle),
I'm trying to accomplish PCI DSS compliance, and I just did an nCircle vulnerability scan for PCI compliance (through http://www.ncircle.com/index.php?s=p...pci-compliance ). Our server didn't pass, but the results aren't as bad as I was expecting, although I'm a little confused by what they're telling me.
Here are the two items that caused the server to fail the compliance test:
Microsoft IIS Frontpage Extensions Path Disclosure Information Vulnerability
nCircle ID: 1705 Port: 80 CVSS Score: 5.0 Not Compliant
Description
An issue has been reported that a number of configuration files (.cnf) in Microsoft IIS could be used to disclose sensitive
system information to remote users if directory permissions are misconfigured. Allegedly, submitting a request for one of
the vulnerable files by way of '/_vti_pvt/', will cause the host to reveal system path information. The reported problematic
configuration files are 'access.cnf', 'botinfs.cnf', 'bots.cnf' and 'linkinfo.cnf'. Reportedly, a request similar to the following
will exploit this issue: GET /_vti_pvt/file.cnf Successful exploitation of this issue could lead to the disclosure of sensitive
path information, which may assist in further attacks against the host.
Solution
Read and write access should not be permitted to the "_vti_pvt" directory and all files contained within the "_vti_pvt"
directory. The access permissions can be found in the Internet Information Server management application. MITIGATION
Do not accept communications from unknown or untrusted hosts.
Advisories
CVE: CVE-2002-1717, BugTraq: 4078, CVSS Base Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N), CVSS Base Score: 5.0,
nCircle CVSS Temporal Vector: (E:H/RL:W/RC:C), nCircle CVSS Temporal Score: 4.8
I don't have the directories nor the files mentioned in the advisory...
WebDAV HTTP method 'PROPFIND' enabled
nCircle ID: 5060 Port: 80 CVSS Score: 5.0 Not Compliant
Description
PROPFIND is an HTTP method available to Microsoft's Internet Information Server (IIS) version 5.0. PROPFIND is part of
WebDAV (Distributed Authoring and Versioning) extensions to RFC 2518. PROPFIND is used to retrieve properties for a
resource identified by the request Uniform Resource Identifier (URI). Although the availability of PROPFIND is not a
vulnerability, it is possible for an attacker to gather information about web resources by using the PROPFIND command. In
a high security environment, it may be advisable to disable PROPFIND.
Solution
Disable the WebDAV extensions. Information on how to disable the WebDAV extensions is available from Microsoft at
http://support.microsoft.com/default...b;en-us;241520.
Advisories
nCircle CVSS Base Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N), nCircle CVSS Base Score: 5.0, nCircle CVSS Temporal
Vector: (E:H/RL:W/RC:C), nCircle CVSS Temporal Score: 4.8
The article linked to (at http://support.microsoft.com/kb/241520 , not at the link in the nCircle advisory) states that "Because WebDAV is an extension to the HTTP protocol, the concept of disabling WebDAV verbs is like disabling native HTTP verbs such as GET, POST, and so forth. This article describes the process to use to disable WebDAV for those extreme cases in which a Web administrator does not want any WebDAV functionality at all." (my emphasis). That doesn't sound like something I'd want to do... Any advice on how to pass this part of the compliance test?
Thanks!
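The two findings above boil down to two HTTP probes: a GET for the FrontPage configuration files under /_vti_pvt/ and a WebDAV PROPFIND (plus the Allow header returned by OPTIONS). The script below is an added example, not part of the original post and not nCircle's scanner logic; it reissues those two probes against a constructed stand-in server (MockIIS, which mimics a host with a leftover readable _vti_pvt directory and WebDAV enabled) so it runs offline. The file names come from the advisory text; the sample .cnf body, the host/port and the function names are assumptions for illustration.

```python
"""Reissue the two probes behind the nCircle findings in the thread:
GET /_vti_pvt/<file>.cnf (FrontPage path disclosure) and WebDAV PROPFIND.
Added example; MockIIS is a constructed stand-in, not a real IIS host."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Configuration files named in the advisory text.
VTI_FILES = ("access.cnf", "botinfs.cnf", "bots.cnf", "linkinfo.cnf")


def _request(host, port, method, path, headers=None, timeout=5):
    """Send one request on a fresh connection; return (status, headers, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path, headers=headers or {})
        resp = conn.getresponse()
        return resp.status, resp.getheaders(), resp.read()
    finally:
        conn.close()


def probe_vti_pvt(host, port, files=VTI_FILES):
    """Return {path: body} for every FrontPage .cnf file served with HTTP 200.
    An empty dict means the web server does not hand out these files."""
    exposed = {}
    for name in files:
        path = "/_vti_pvt/" + name
        status, _, body = _request(host, port, "GET", path)
        if status == 200:
            exposed[path] = body.decode("latin-1", "replace")
    return exposed


def probe_propfind(host, port):
    """Return (propfind_listed_in_allow, propfind_status).
    207 Multi-Status means WebDAV answered; 405/501 means it is not available."""
    _, headers, _ = _request(host, port, "OPTIONS", "/")
    allow = dict((k.lower(), v) for k, v in headers).get("allow", "")
    listed = "PROPFIND" in [m.strip().upper() for m in allow.split(",")]
    status, _, _ = _request(host, port, "PROPFIND", "/", {"Depth": "0"})
    return listed, status


class MockIIS(BaseHTTPRequestHandler):
    """Constructed stand-in for a misconfigured IIS 5 host (assumption):
    an old _vti_pvt directory is still readable and WebDAV is enabled."""
    webdav = True
    vti_pvt = {"/_vti_pvt/access.cnf": b"constructed sample .cnf content\r\n"}

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _send(self, status, body=b"", headers=()):
        self.send_response(status)
        for key, value in headers:
            self.send_header(key, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        body = self.vti_pvt.get(self.path)
        self._send(404, b"not found") if body is None else self._send(200, body)

    def do_OPTIONS(self):
        methods = ["OPTIONS", "GET", "HEAD", "POST"]
        if self.webdav:
            methods += ["PROPFIND", "PROPPATCH", "MKCOL"]
        self._send(200, headers=[("Allow", ", ".join(methods))])

    def do_PROPFIND(self):  # BaseHTTPRequestHandler dispatches on do_<METHOD>
        if self.webdav:
            body = b"<?xml version='1.0'?><D:multistatus xmlns:D='DAV:'/>"
            self._send(207, body, [("Content-Type", "text/xml")])
        else:
            self._send(405, headers=[("Allow", "OPTIONS, GET, HEAD, POST")])


def run_demo(webdav=True):
    """Start MockIIS on a random loopback port, run both probes, return results."""
    MockIIS.webdav = webdav
    server = HTTPServer(("127.0.0.1", 0), MockIIS)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        host, port = server.server_address[:2]
        return {"vti_pvt": probe_vti_pvt(host, port),
                "propfind": probe_propfind(host, port)}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo(webdav=True))
    print(run_demo(webdav=False))
```

Against a real host, call probe_vti_pvt and probe_propfind with its address instead of run_demo. A 200 on any /_vti_pvt/*.cnf path is the condition the first finding describes; a 207 to PROPFIND (or PROPFIND in the OPTIONS Allow list) is what the second finding reports, and after applying the KB 241520 change you would expect 405 or 501 instead.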
-
September 26th, 2008, 09:34 PM
#2
Neg,
Check out the PM I Sent.
Tyler.
-
September 27th, 2008, 12:09 AM
#3
Much appreciated! Sent you an email
-
March 10th, 2009, 03:58 PM
#4
I have the same problem with nCircle finding /_vti_pvt/ when it doesn't exist - what is the solution? Thanks
-
March 10th, 2009, 04:55 PM
#5
Originally Posted by willgatz
I have the same problem with nCircle finding /_vti_pvt/ when it doesn't exist - what is the solution? Thanks
Have you contacted nCircle Technical Support? You can also email me ( tyler [at] ncircle [dot] com ) and I can make sure your issue gets to the right people.
-
March 10th, 2009, 06:24 PM
#6
Found something - thanks though
Tyler,
Thanks - upon digging further and not actually searching for the file listed in the report, only the dir, I found an old _vti_pvt folder that was empty. So I will delete that and hopefully the next nCircle scan won't find this again! I really appreciate your getting back to me so promptly.
-
March 11th, 2009, 08:38 AM
#7
Originally Posted by willgatz
Tyler,
Thanks - upon digging further and not actually searching for the file listed in the report, only the dir, I found an old _vti_pvt folder that was empty. So I will delete that and hopefully the next nCircle scan won't find this again! I really appreciate your getting back to me so promptly.
I'm glad you managed to track down the problem... if you have any problems going forward, please let me know.