Author Topic: False positive ?- wrong O/S and IIS version  (Read 1038 times)

GraemeW
False positive ?- wrong O/S and IIS version
« on: December 01, 2015, 06:45:23 AM »
Hi. I signed up for the trial PCI scan and got flagged with the following high-level vulnerability:

Microsoft ASP.NET MS-DOS Device Name DoS 80 / tcp / www
CVE-2007-2897

However, when I started Googling, it appears that this is only relevant if you are running IIS6 on Windows 2003.
Our website runs on Win 2012 and IIS8.

I’ve had a trial scan from another company that hasn’t flagged this up.

It’s possible the internet posts and the other company are wrong, though. Has anyone else come across this?

Thanks

RossPH
Re: False positive ?- wrong O/S and IIS version
« Reply #1 on: December 03, 2015, 01:12:09 PM »
CVE-2007-2897 only applies to IIS 6.0, so it would be a false positive if you're running IIS 8.

 
