Have a bit of a tickler here. We are getting ready to have a security audit run against our servers; this scan uses a product called Tenable, which a sister agency to ours will use to scan our servers. In preparation for this scan I’ve installed and scanned these servers with OpenVAS, which thankfully has identified only a few minor issues with our fully patched SLES11SP3 servers. The biggest issue that is being reported back is the following:
We detected a vulnerable version of the DCShop CGI. This version does not properly protect user and credit card information. It is possible to access files that contain administrative passwords, current and pending transactions and credit card information (along with name, address, etc).
Vulnerability Detection Result
The following files are affected:
DCShop orders file: /?q=user/register/Orders/orders.txt
DCShop orders file: /?q=user/register/orders/orders.txt
DCShop authentication file: /?q=user/register/Auth_data/auth_user_file.txt
DCShop authentication file: /?q=user/register/auth_data/auth_user_file.txt
The problem is… we don’t have DCShop installed. In fact the cgi-bin directory on the server contains exactly three files:
infol2html, info2html.conf and infocat
My google-fu led me to a few (very few) web sites which suggested making massive modifications to the DCShop installation, which cannot be done because, again, the server doesn’t have this installed. One tip suggested that the ‘everyone’ group had full access to the cgi-bin folder. Default permissions on the cgi-bin folder are 755; I’ve changed that to 754 and 750 with zero impact on the above error during OpenVAS scans.
Can anyone shed any light on this for me? I’m pretty sure that reporting to the scanning agency that ‘oh yea that’s a bug in the scan we don’t use DCShop’ is going to result in a big fat fail at this station.
Appreciate the thoughts / suggestions.
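
One way to check whether these findings are a scanner false positive, as an added example that is not part of the original post: request each flagged URL plus a control URL with a random file name under the same prefix, then compare the two responses. It assumes the server may answer any `?q=` query string with the same page; the function names and the 0.95 line-similarity threshold are illustrative choices.

```python
import difflib
import sys
import urllib.error
import urllib.request
import uuid

# Paths copied from the OpenVAS result quoted in the post.
FLAGGED = [
    "/?q=user/register/Orders/orders.txt",
    "/?q=user/register/orders/orders.txt",
    "/?q=user/register/Auth_data/auth_user_file.txt",
    "/?q=user/register/auth_data/auth_user_file.txt",
]

def fetch(base, path, timeout=10):
    """Return (status, body); HTTP error responses are returned, not raised."""
    try:
        with urllib.request.urlopen(base + path, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def control_path(path):
    """Same prefix as the flagged path, but a random file name that cannot exist."""
    prefix, _, _ = path.rpartition("/")
    return f"{prefix}/{uuid.uuid4().hex}.txt"

def classify(probe, control, threshold=0.95):
    """Compare the flagged response with the control response, line by line."""
    (p_status, p_body), (c_status, c_body) = probe, control
    if p_status != 200:
        return "not-served"      # the flagged URL is not answered with a page at all
    if c_status != 200:
        return "investigate"     # only the flagged name gets a 200: look at the content
    ratio = difflib.SequenceMatcher(
        None, p_body.splitlines(), c_body.splitlines(), autojunk=False).ratio()
    # Pages that echo the request path differ in a line or two, hence a threshold
    # (0.95 is an assumed value) instead of strict equality.
    return "catch-all" if ratio >= threshold else "investigate"

def triage(base, fetcher=fetch):
    """Map each flagged path to a verdict; fetcher is injectable for offline tests."""
    return {p: classify(fetcher(base, p), fetcher(base, control_path(p)))
            for p in FLAGGED}

if __name__ == "__main__" and len(sys.argv) == 2:
    for path, verdict in triage(sys.argv[1].rstrip("/")).items():
        print(f"{verdict:12} {path}")
```

Pass the server's base URL as the only argument. A `catch-all` verdict means the flagged URL and a made-up file name return essentially the same page, while `investigate` means the flagged response differs from the control and its content should be read by hand.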