I tried HackGurdian and didn’t get any problems on my IP range, so I thought my sites were set up right. Later we purchased the HackGurdian service and tried to do a formal scan to pass PCI, but I got a lot of holes.
That is fine, I just need to solve them, but the scan result is very hard to understand, which makes it hard for me to pin down the problem.
For example, on my web server, I got an error like "Webcart misconfiguration http (80/tcp)", but I am using IIS; there is no such thing as webcart.
Another one is “Weak Supported SSL Ciphers Suites https (443/tcp)”. When I created certreq.txt, I used a 1024-bit key length, but it doesn’t work when I disable “RC2 40/128”. Any idea how to solve that? Is the cert bit length related to this?
If you’re certain that Webcart is not being used then please report it as a false positive via the hyperlink below the vulnerability in the ‘Vulnerability Report’.
You need to ensure you’re disabling all SSLv2 ciphers. There will be a list of weak ciphers that your server supports in the Vulnerability Report.
If you click on ‘Reports’ in the scanning interface and then the ‘+’ to the left of ‘All Addresses’ you will be able to see the Vulnerability Report button.
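As an added illustration of the advice above (this script is not from the thread or from HackGurdian), the following PowerShell turns off SSL 2.0 and the export-grade Schannel ciphers that PCI scans typically list as weak on an IIS host. The certificate key length chosen in certreq.txt is the RSA key size and is independent of which symmetric cipher suites Schannel offers, so it is not the cause of the finding. The script assumes Windows Server with IIS terminating TLS through Schannel; it writes under HKLM, so run it elevated and reboot afterwards for the change to take effect.

```powershell
# Added example: disable SSL 2.0 and weak Schannel ciphers on an IIS server.
# Uses the .NET registry API rather than New-Item because the PowerShell
# registry provider would treat the '/' in names like 'RC2 40/128' as a
# path separator and create the wrong keys.
$base = [Microsoft.Win32.Registry]::LocalMachine
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-SchannelValue {
    param([string]$SubKey, [string]$Name, [int]$Value)
    # CreateSubKey opens the key writable, creating it if it does not exist
    $key = $base.CreateSubKey("$schannel\$SubKey")
    $key.SetValue($Name, $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

# Turn the SSL 2.0 protocol off for the server side of Schannel
Set-SchannelValue -SubKey 'Protocols\SSL 2.0\Server' -Name 'Enabled' -Value 0
Set-SchannelValue -SubKey 'Protocols\SSL 2.0\Server' -Name 'DisabledByDefault' -Value 1

# Export-grade and null ciphers that scanners flag as weak
$weakCiphers = @('NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128',
                 'RC4 40/128', 'RC4 56/128', 'RC4 64/128')
foreach ($cipher in $weakCiphers) {
    Set-SchannelValue -SubKey "Ciphers\$cipher" -Name 'Enabled' -Value 0
}

# Show what is now configured so the change can be reviewed before rebooting
$ciphers = $base.OpenSubKey("$schannel\Ciphers")
foreach ($name in $ciphers.GetSubKeyNames()) {
    $sub = $ciphers.OpenSubKey($name)
    [pscustomobject]@{ Cipher = $name; Enabled = $sub.GetValue('Enabled') }
    $sub.Close()
}
$ciphers.Close()
```

After the reboot, compare the cipher list in the Vulnerability Report against this output; any cipher still listed there that is not in the script's array can be added to `$weakCiphers` the same way.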
“At least one of these file or directories is world readable :
/webcart/orders/ /webcart/orders/import.txt /webcart/carts/ /webcart/config/ /webcart/config/clients.txt /webcart-lite/orders/import.txt /webcart-lite/config/clients.txt
This misconfiguration may allow an attacker to gather the credit card numbers of your clients.”
It is very easy to tell if there is a “webcart” folder; I don’t have one. I created the CMS on ASP.NET, I don’t use any free cart plugin. So not sure what to check now.
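Before reporting the finding as a false positive, it helps to check the exact paths the scanner listed against your own site. The PowerShell below is an added example, not part of the thread or of HackGurdian's tooling; it assumes the scanned site's physical path is `C:\inetpub\wwwroot` and that it answers on `http://localhost` (both placeholders to adjust). It reports, for each path in the finding, whether anything exists on disk and what HTTP status the site returns. A site that answers 200 for every URL (for example a custom error page served with a 200 status) can make a scanner believe such files exist even when they do not, so a 200 here is worth a closer look.

```powershell
# Added example: verify the 'webcart' scan finding against your own IIS site.
$siteRoot = 'C:\inetpub\wwwroot'   # assumption: physical path of the scanned site
$baseUrl  = 'http://localhost'     # assumption: the scanned site is reachable here

# The paths quoted in the scanner's finding
$paths = @(
    '/webcart/orders/',
    '/webcart/orders/import.txt',
    '/webcart/carts/',
    '/webcart/config/',
    '/webcart/config/clients.txt',
    '/webcart-lite/orders/import.txt',
    '/webcart-lite/config/clients.txt'
)

foreach ($p in $paths) {
    # Does the path exist in the site's content directory at all?
    $onDisk = Test-Path (Join-Path $siteRoot ($p -replace '/', '\'))

    # What does the site answer for that URL?
    try {
        $resp   = Invoke-WebRequest -Uri ($baseUrl + $p) -UseBasicParsing -ErrorAction Stop
        $status = [int]$resp.StatusCode
    } catch {
        $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 'error' }
    }

    [pscustomobject]@{ Path = $p; ExistsOnDisk = $onDisk; HttpStatus = $status }
}
```

If every row shows `ExistsOnDisk` false and a 404 (or 403) status, the report can be filed as a false positive with that evidence; if rows show 200, check the IIS error-page and URL-rewrite configuration for a catch-all that returns content for unknown paths.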