Thread: Blog fails PCI DSS compliance test, odd finding

Created on: 03/19/12 07:07 PM

Replies: 2
Jaanaka


Joined: 10/15/10
Posts: 28

03/19/12 7:07 PM

Hi all,
I have MangoBlog running on 2 sites that require PCI DSS compliance and both are failing for something odd.

We use TrustKeeper by TrustWave for the PCI DSS scan; this is a *medium* severity finding, and the scan failed.

Backup Files Discovered
It is possible to download at least one file with a .bak, .old, ~, .2, .copy, .tmp, .swp file extension from this server. If backups of source code is available, this can provide valuable information to an attacker wishing to develop a custom attack on your web application.
Service: Microsoft-IIS/7.5
Evidence:
• Virtual Host: xx.xx.xxx.xxx
• File: http://xx.xx.xxx.xxx/blog/archives.cfm/.1
CVSSv2: AV:N/AC:L/Au:N/C:P/I:N/A:N (Base Score:5.00)

Thoughts on how to get around this behavior?
Jaanaka


Joined: 10/15/10
Posts: 28

03/19/12 7:07 PM

There are no files with .1, .2, etc. in the whole /blog directory structure.
Laura

Wizard
Joined: 01/29/05
Posts: 1523

03/20/12 7:11 PM

That's a bit of a silly test, since it means you just can't have a URL that ends with /.1, regardless of whether it is a backup file or even a file at all.

Is there any way to give an explanation for the failed item?

The behavior can be changed, but it is a little complicated to do without simply looking for those patterns. The best approach would be to use URL rewriting and catch those URLs before they even get to Mango. It could also be possible to write a plugin, but really the best would be to use URL rewriting.
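One way to do the URL rewriting Laura describes, as an added example that is not part of the thread or of Mango itself: the scanner's evidence shows IIS 7.5, so this assumes the IIS URL Rewrite module is installed (the thread does not say whether it is) and that the rule is placed in the web.config at the site root. It returns a 404 for any request whose final path segment is only a backup-style suffix (as in /blog/archives.cfm/.1) or whose .cfm script name has such a suffix appended (archives.cfm.bak, archives.cfm~), so the request never reaches Mango's path-info handling.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Added example rule; assumes the IIS URL Rewrite module is installed.
             The "url" pattern is matched against the request path without the
             leading slash and without the query string, e.g. blog/archives.cfm/.1 -->
        <rule name="Reject backup-file probe URLs" stopProcessing="true">
          <!-- First alternative: last segment is nothing but a dot plus a backup suffix
               (.bak, .old, .copy, .tmp, .swp, .1, .2, ...), which is what the scanner probed.
               Second alternative: a .cfm name with ~ or one of those suffixes appended. -->
          <match url="(^|/)\.(bak|old|copy|tmp|swp|\d+)$|\.cfm(~|\.(bak|old|copy|tmp|swp|\d+))$"
                 ignoreCase="true" />
          <!-- Answer with a plain 404 so the scanner sees the resource as absent -->
          <action type="CustomResponse" statusCode="404"
                  statusReason="Not Found"
                  statusDescription="The requested resource does not exist." />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

The pattern only fires when the final path segment begins with a dot or when the suffix is glued directly onto a .cfm file name, so Mango's normal path-info URLs (for example a date or post slug after archives.cfm/) are untouched. After deploying, request one of the URLs from the scan evidence yourself and confirm the response is a 404 before re-running the TrustKeeper scan.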
