Pages: [1]   Go Down

Author Topic: I thought it is painless, but not anymore, the scan result is hard to understand  (Read 146527 times)

Offline wyx2000

  • Newbie
  • *
  • Posts: 3
I thought it is painless, but not anymore, the scan result is hard to understand
« on: February 02, 2011, 12:52:18 PM »
I tried HackGurdian and didn't get any problem on my IP range, so I thought my sites are set right. Later we purchased HackGurdian sevice and tried to do formal scan to pass PCI, but I got a lot of holes.
That is fine,I just need solve them, but the scan result is very hard to understand to let me ping down the problem.
For example, on my web server, I got error like "Webcart misconfiguration http (80/tcp) ", but I am using IIS, there is no such thing as webcart.
Another one is "Weak Supported SSL Ciphers Suites https (443/tcp)",when I create certreq.txt, I used 1024 bit length, but it doesn't work when I disable "RC2 40/128". Any idea how to solve that?  Is the cert bit length related to this?

thanks
Logged

Offline Sal Amander

  • Retired Comodo Staff
  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 737
Re: I thought it is painless, but not anymore, the scan result is hard to understand
« Reply #1 on: February 02, 2011, 01:48:13 PM »
Quote from: wyx2000 on February 02, 2011, 12:52:18 PM
I tried HackGurdian and didn't get any problem on my IP range, so I thought my sites are set right. Later we purchased HackGurdian sevice and tried to do formal scan to pass PCI, but I got a lot of holes.
That is fine,I just need solve them, but the scan result is very hard to understand to let me ping down the problem.
For example, on my web server, I got error like "Webcart misconfiguration http (80/tcp) ", but I am using IIS, there is no such thing as webcart.

If you're certain that Webcart is not being used then please report it as a false positive via the hyperlink below the vulnerability in the 'Vulnerability Report'

Quote
Another one is "Weak Supported SSL Ciphers Suites https (443/tcp)",when I create certreq.txt, I used 1024 bit length, but it doesn't work when I disable "RC2 40/128". Any idea how to solve that?  Is the cert bit length related to this?

You need to ensure you're disabling all SSLv2 ciphers. There will be a list of weak ciphers that your server supports in the Vulnerability Report.

If you click on 'Reports' in the scanning interface and then the '+' to the left of 'All Addresses' you will be able to see the Vulnerability Report button.

Logged

Offline wyx2000

  • Newbie
  • *
  • Posts: 3
Re: I thought it is painless, but not anymore, the scan result is hard to understand
« Reply #2 on: February 03, 2011, 12:37:01 PM »
"At least one of these file or directories is world readable :
  /webcart/orders/   /webcart/orders/import.txt   /webcart/carts/   /webcart/config/   /webcart/config/clients.txt   /webcart-lite/orders/import.txt   /webcart-lite/config/clients.txt
This misconfiguration may allow an attacker to gather the credit card numbers of your clients."

It is very easy to tell if there is a "webacart" folder, I don;t have. I createdd the CMS on asp.net, I don't use any free cart plugin. So not sure what to check now.
Logged
Pages: [1]   Go Up
 

Seo4Smf 2.0 © SmfMod.Com Smf Destek