jadwyer
Technical User
- Feb 25, 2007
- 1
My small business server 2003 R2 with latest patches has been failing the Security Metrics PCI
scan since December. The cause listed for the failure is:
Port: 443
Description: web program allows cross-site scripting in query string (/Remote/logon.aspx)
Vulnerability Details:
Service: https
Sent:
GET /Remote/logon.aspx? ><SCRIPT>alert('SAINT' </SCRIPT> HTTP/1.0
Host: myhost.org
User-Agent: Mozilla/4.0
Connection: Keep-alive
Received:
??<form name="logon" method="post" action="logon.aspx?><SCRIPT>alert('SAINT')</SCRIPT>" id="logon" autocomplete="off">
There are lots of suggestions that seem to relate to products that are not installed and one that
suggests creating a custom error page that does not display the URI.
How does one resolve this when the WEB site is the default supplied with SBS 2003?
Thanks in advance
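
What the scan finding above describes, as an added example that is not part of the original post or of the SBS site's code: the query string comes back inside the form's action attribute with its angle brackets and quotes intact. The Python sketch below uses a constructed stand-in for the returned form tag (render_logon_form and check are hypothetical names) and a check that can be run over a saved response body to confirm whether a fix removed the unencoded reflection.

```python
import html
from urllib.parse import unquote

# Query string from the scan report above (Received line, extraction spaces removed).
PROBE = "><SCRIPT>alert('SAINT')</SCRIPT>"
MARKUP_CHARS = set("<>\"'")


def render_logon_form(query, encode):
    """Constructed stand-in for the form tag shown in the report.

    encode=False echoes the query string as received (the flagged behaviour);
    encode=True HTML-encodes it before placing it in the attribute.
    """
    value = html.escape(query, quote=True) if encode else query
    return ('<form name="logon" method="post" '
            f'action="logon.aspx?{value}" id="logon" autocomplete="off">')


def reflected_unencoded(body, query):
    """Return the forms of `query` found verbatim in `body` with markup intact.

    Both the query as sent and its percent-decoded form are checked, because
    a server may decode the query string before echoing it.
    """
    hits = []
    for candidate in dict.fromkeys((query, unquote(query))):
        if MARKUP_CHARS & set(candidate) and candidate in body:
            hits.append(candidate)
    return hits


def check(body, query):
    """One-line verdict suitable for a re-test log."""
    if reflected_unencoded(body, query):
        return "FAIL: query string reflected without HTML encoding"
    return "PASS: no unencoded reflection of the query string"


if __name__ == "__main__":
    for label, encode in (("as reported", False), ("encoded", True)):
        body = render_logon_form(PROBE, encode)
        print(f"{label}: {check(body, PROBE)}")
        print(f"  {body}")
```
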