Question

Sorry if this is not the correct forum to post this, but I'm running out of ideas here. We have recently purchased a new dedicated server (running Windows Web Server 2008 R2). One of our customers is trying to obtain PCI Compliance. The server is up to date and we have closed all unneeded ports and loopholes. But the site keeps failing one of their tests. I'll paste the failure message:


Title: vulnerable web program (Singapore) Impact: A remote attacker could execute arbitrary commands, create or overwrite files, or view files or directories on the web server.

Data Sent:

GET /thumb.php?image=../data/users.csv.php%00.jpg HTTP/1.0
Host: www.monorep.co.uk
User-Agent: Mozilla/4.0
Connection: Keep-alive

Data Received:

And: <html xmlns="http://www.w3.org/1999/xhtml"><!-- InstanceBegin template="/Templates/standard page - group.dwt.aspx" codeOutsideHTMLIsLocked="false" -->
And: <a class="addthis_button_email"></a> Resolution: 12/23/04 CVE 2004-1407 CVE 2004-1408 CVE 2004-1409 CVE 2006-3194 CVE 2006-3195 CVE 2006-3196

The Singapore image gallery application is affected by multiple vulnerabilities.

Singapore 0.10 and earlier are affected by these vulnerabilities:

  • Directory traversal in index.php allowing unauthorized read access to sensitive files in the application's directory, such as the users.csv.php file which contains encrypted passwords
  • Cross-site scripting in index.php
  • Ability to obtain installation path

Singapore 0.9.10 and earlier are affected by these vulnerabilities:

  • Directory traversal in thumb.php allowing unauthorized read access to sensitive files in the application's directory, such as the users.csv.php file which contains encrypted passwords
  • File upload vulnerability in addImage function allowing logged-on users to upload and execute PHP scripts
  • Directory traversal allowing deletion of arbitrary directories on Windows platforms if the web server has write access to the directory
  • Cross-site scripting

Resolution: Upgrade to Singapore 0.10.1 or higher when available.

Risk Factor: High/ CVSS2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE: CVE-2004-1408 BID: 11990 18518 Additional CVEs: CVE-2006-3194 CVE-2006-3196 CVE-2004-1409 CVE-2004-1407 CVE-2006-3195


I've got no idea what this is on about. We don't use this "Singapore" application and we do not run php at all on the server.

Could anybody offer any suggestions on this one, please? I would be monster grateful for any advice offered.

Thanks.


Solution

PCI security scanners are simple software with large databases. They are intended to provide inspiration for securing a system, but it is up to humans to follow up on any items found. Discuss anything that you cannot resolve with the assessor and evaluate whether the scan results could represent genuine security risks in your environment.

That said, the least-effort way through the assessment procedure tends to be based on a minimal surface area and clean security scans, of course.

To be useful with software that has never been seen before as well, the scanners check for suspect behavior rather than for known bad software versions. On the other hand, to give you practical guidance, they attempt to point to a component that the suspect behavior could be associated with, to encourage full available security patching (removal, upgrade) rather than dealing with the detected faulty behaviors one by one.

Of course you were never running Singapore, whatever that was. The problem here is that your configuration of IIS seems to allow two problematic things:

  • Allow .. in HTTP requests to access files outside of configured folders
  • Serve paths that look like images (.jpg) to the web server, but eventually reference something much more sensitive because of a C++-style string terminator (MIME encoded as %00) inserted in the path.

Read more about the former issue here. Read here how to turn parent paths on and off. (Parent paths are off by default in IIS 7 and if you did not change that, this Singapore item is a completely bogus alarm.)
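A defender-side check for the two behaviours named in the answer, written as an added example that is not part of the original thread: it decodes a request line like the scanner's probe, flags a NUL byte, a `..` path segment and any resolved path that escapes a notional document root, and reports which file a C-style file API would actually open once the NUL truncates the name. The web root, the helper names and all sample request lines other than the scanner's own are constructed assumptions.

```python
import posixpath
from urllib.parse import urlsplit, parse_qs

# Notional document root; an assumption for the example, not from the page.
WEB_ROOT = "/webroot"

# Constructed request lines. The first mirrors the scanner's probe from the
# question; the others are made up to show a second traversal form and two
# legitimate requests.
SAMPLE_REQUESTS = [
    "GET /thumb.php?image=../data/users.csv.php%00.jpg HTTP/1.0",
    "GET /thumb.php?image=..%2f..%2fweb.config HTTP/1.1",
    "GET /images/logo.jpg HTTP/1.1",
    "GET /thumb.php?image=gallery%2Fphoto.jpg HTTP/1.1",
]


def decoded_values(target):
    """Yield the URL-decoded request path and every query-string value."""
    parts = urlsplit(target)
    yield parsed_path(parts.path)
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        yield from values  # parse_qs has already percent-decoded these


def parsed_path(path):
    return parse_qs("p=" + path, keep_blank_values=True)["p"][0]


def analyze_request(request_line):
    """Return (findings, effective_path) for one HTTP request line.

    findings: sorted labels, e.g. 'null-byte', 'dot-dot-segment', 'escapes-root'.
    effective_path: for the first suspicious value, the path a NUL-terminated
    file API would open: truncated at the NUL and resolved under WEB_ROOT.
    """
    _method, target, *_ = request_line.split()
    findings, effective = set(), None
    for value in decoded_values(target):
        truncated = value.split("\x00", 1)[0]   # what C-style fopen() sees
        if truncated != value:
            findings.add("null-byte")
        normalized = truncated.replace("\\", "/").lstrip("/")  # Windows paths too
        if ".." in normalized.split("/"):
            findings.add("dot-dot-segment")
        resolved = posixpath.normpath(posixpath.join(WEB_ROOT, normalized))
        if resolved != WEB_ROOT and not resolved.startswith(WEB_ROOT + "/"):
            findings.add("escapes-root")
        if findings and effective is None:
            effective = resolved
    return sorted(findings), effective


def flagged(request_lines):
    """Return only the request lines that carry at least one finding."""
    return [line for line in request_lines if analyze_request(line)[0]]
```

Run over access-log request lines, `flagged()` gives the subset worth reviewing, and `analyze_request()` explains why each one was flagged.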

Licensed under: CC-BY-SA with attribution