Author Topic: I thought it is painless, but not anymore, the scan result is hard to understand  (Read 136289 times)
wyx2000
Newbie
Posts: 3
« on: February 02, 2011, 12:52:18 PM »

I tried HackerGuardian and didn't get any problem on my IP range, so I thought my sites are set right. Later we purchased the HackerGuardian service and tried to do a formal scan to pass PCI, but I got a lot of holes.
That is fine, I just need to solve them, but the scan result is very hard to understand, which makes it hard for me to pin down the problem.
For example, on my web server, I got an error like "Webcart misconfiguration http (80/tcp)", but I am using IIS; there is no such thing as webcart.
Another one is "Weak Supported SSL Ciphers Suites https (443/tcp)". When I created certreq.txt, I used 1024 bit length, but it doesn't work when I disable "RC2 40/128". Any idea how to solve that? Is the cert bit length related to this?

thanks
Sal Amander
Comodo Staff
Posts: 607
« Reply #1 on: February 02, 2011, 01:48:13 PM »

Quote
I tried HackerGuardian and didn't get any problem on my IP range, so I thought my sites are set right. Later we purchased the HackerGuardian service and tried to do a formal scan to pass PCI, but I got a lot of holes.
That is fine, I just need to solve them, but the scan result is very hard to understand, which makes it hard for me to pin down the problem.
For example, on my web server, I got an error like "Webcart misconfiguration http (80/tcp)", but I am using IIS; there is no such thing as webcart.

If you're certain that Webcart is not being used then please report it as a false positive via the hyperlink below the vulnerability in the 'Vulnerability Report'

Quote
Another one is "Weak Supported SSL Ciphers Suites https (443/tcp)". When I created certreq.txt, I used 1024 bit length, but it doesn't work when I disable "RC2 40/128". Any idea how to solve that? Is the cert bit length related to this?

You need to ensure you're disabling all SSLv2 ciphers. There will be a list of weak ciphers that your server supports in the Vulnerability Report.

If you click on 'Reports' in the scanning interface and then the '+' to the left of 'All Addresses' you will be able to see the Vulnerability Report button.

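For the "Weak Supported SSL Ciphers Suites" finding discussed above, the following is an added PowerShell example (written for this page, not code from Comodo, HackerGuardian or the poster) of disabling SSL 2.0 and the export-grade ciphers on a Windows/IIS host. It assumes IIS on Windows Server, where the SSL stack (SCHANNEL) is configured through the registry keys named in the script; the certificate key length chosen in certreq.txt is a separate setting and does not change which cipher suites the server offers. The cipher list is the set a PCI scan typically flags; the authoritative list for a given host is the one in the Vulnerability Report the reply points to. The script must run elevated, and SCHANNEL changes only take effect after a reboot.

```powershell
# Disable SSL 2.0 and the export-grade SCHANNEL ciphers that PCI scanners report
# as weak cipher suites on IIS. Hypothetical hardening script for this page;
# the key and value names are the standard SCHANNEL registry names.
# Run from an elevated PowerShell session; reboot afterwards.

$SchannelRoot = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# The PowerShell registry provider treats "/" as a path separator, so a key
# named "RC2 40/128" cannot be created with New-Item. The .NET registry API
# only treats "\" as a separator, so it is used here instead.
function Set-SchannelDword {
    param(
        [Parameter(Mandatory)] [string] $SubKey,   # relative to $SchannelRoot
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int]    $Value
    )
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$SchannelRoot\$SubKey")
    try {
        $key.SetValue($Name, $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally {
        $key.Close()
    }
}

function Get-SchannelDword {
    param([string] $SubKey, [string] $Name)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$SchannelRoot\$SubKey")
    if ($null -eq $key) { return $null }      # key absent: Windows default applies
    try { return $key.GetValue($Name) } finally { $key.Close() }
}

# 1. Turn off SSL 2.0 for the server role; this removes every SSLv2 cipher at once.
Set-SchannelDword -SubKey 'Protocols\SSL 2.0\Server' -Name 'Enabled' -Value 0
Set-SchannelDword -SubKey 'Protocols\SSL 2.0\Server' -Name 'DisabledByDefault' -Value 1

# 2. Turn off the individual weak ciphers so SSLv3/TLS cannot negotiate them either.
#    "RC2 40/128" is the cipher named in the thread; the others are the usual
#    export-grade companions a scan lists alongside it.
$WeakCiphers = @('NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128', 'RC4 40/128', 'RC4 56/128')
foreach ($cipher in $WeakCiphers) {
    Set-SchannelDword -SubKey "Ciphers\$cipher" -Name 'Enabled' -Value 0
}

# 3. Read every setting back so the change can be checked before the rescan.
$report = @(foreach ($cipher in $WeakCiphers) {
    [pscustomobject]@{
        Setting = "Ciphers\$cipher"
        Enabled = Get-SchannelDword -SubKey "Ciphers\$cipher" -Name 'Enabled'
    }
})
$report += [pscustomobject]@{
    Setting = 'Protocols\SSL 2.0\Server'
    Enabled = Get-SchannelDword -SubKey 'Protocols\SSL 2.0\Server' -Name 'Enabled'
}
$report | Format-Table -AutoSize      # every Enabled value should read 0
Write-Host 'Reboot the server for SCHANNEL changes to take effect, then rescan.'
```

Disabling the SSL 2.0 protocol key is what removes the SSLv2 suites the reply mentions; the per-cipher keys are needed as well because the same 40-bit ciphers can otherwise still be offered under SSLv3 and TLS. Reading the values back with Get-SchannelDword is a quick way to confirm the registry is in the intended state before spending a scan credit on the rescan.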
wyx2000
Newbie
Posts: 3
« Reply #2 on: February 03, 2011, 12:37:01 PM »

"At least one of these file or directories is world readable :
  /webcart/orders/   /webcart/orders/import.txt   /webcart/carts/   /webcart/config/   /webcart/config/clients.txt   /webcart-lite/orders/import.txt   /webcart-lite/config/clients.txt
This misconfiguration may allow an attacker to gather the credit card numbers of your clients."

It is very easy to tell if there is a "webcart" folder, and I don't have one. I created the CMS on ASP.NET; I don't use any free cart plugin. So I am not sure what to check now.