
SBS 2003 Cross Scripting error on Security Metrics PCI scan

Status
Not open for further replies.

jadwyer

Technical User
Feb 25, 2007
1
My Small Business Server 2003 R2 with latest patches has been failing the Security Metrics PCI scan since December. The cause listed for the failure is:

Port: 443

Description: web program allows cross-site scripting in query string (/Remote/logon.aspx)



Vulnerability Details:

Service: https
Sent: GET /Remote/logon.aspx? ><SCRIPT>alert('SAINT';)</SCRIPT> HTTP/1.0
Host: myhost.org
User-Agent: Mozilla/4.0
Connection: Keep-alive
Received: ??<form name="logon" method="post" action="logon.aspx?><SCRIPT>alert('SAINT' )</SCRIPT>" id="logon" autocomplete="off">

There are lots of suggestions that seem to relate to products that are not installed and one that suggests creating a custom error page that does not display the URI.

How does one resolve this when the WEB site is the default supplied with SBS 2003?



Thanks in advance
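
An added example, not part of the original thread and not SBS or Remote Web Workplace code: a Python check for re-testing the finding quoted above, classifying whether the scanner's marker comes back verbatim or entity-encoded in the form action. `render_form`, `FormActions` and `classify_reflection` are hypothetical names, and the rendered forms are constructed sample input.

```python
import html
from html.parser import HTMLParser

# Marker taken from the scan report above (stray spaces removed).
PROBE = "><SCRIPT>alert('SAINT')</SCRIPT>"


def render_form(query: str, encode: bool) -> str:
    """Hypothetical stand-in for a page that echoes its query string into
    the form action; this is not the Remote Web Workplace source."""
    value = "logon.aspx?" + query
    if encode:
        # Attribute-encode &, <, >, " and ' before writing the value out.
        value = html.escape(value, quote=True)
    return f'<form name="logon" method="post" action="{value}" id="logon">'


class FormActions(HTMLParser):
    """Collect the entity-decoded action value of every <form> tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def classify_reflection(body: str, probe: str = PROBE) -> str:
    """Return 'raw', 'encoded' or 'absent' for the probe in a response body."""
    if probe in body:
        return "raw"  # markup characters came back verbatim: the scan finding
    parser = FormActions()
    parser.feed(body)
    parser.close()
    # Decoding first makes the check independent of which entity spelling
    # (&#39;, &#x27;, &apos; ...) the server-side encoder chose.
    if any(probe in action for action in parser.actions):
        return "encoded"
    return "absent"


if __name__ == "__main__":
    for encode in (False, True):
        print(encode, classify_reflection(render_form(PROBE, encode)))
```

A "raw" verdict corresponds to what the scan reported; "encoded" means the value is still echoed but can no longer be read as markup.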
 
Looks like the error is pointing to a security vulnerability with the RWW login page and Mozilla.

Level 1 Support Technician
 