PCI DSS Compliance

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
11 years ago
One of our Nop sites is suddenly failing PCI DSS compliance. Can anyone help with these issues?

Title: ZixForum database accessible over web (ZixForum.mdb)
Impact: Attackers may access (read or destroy) application information, and in worst cases may take administrative control of the application.
Data Sent:
GET /filenotfound.htm?aspxerrorpath=/cgi-bin/ZixForum.mdb HTTP/1.0
Host: inkredible.co.uk
User-Agent: Mozilla/4.0
Connection: Keep-alive
Cookie: Nop.customer=214401fe-0a3b-4f5a-a0a2-d584d8487122
Data Received: HTTP/1.1 200 OK
Resolution: Download a fix for [http://www.john.mypc.nu/Zix/] ZixForum when one becomes available, or configure the web server to deny access to ZixForum.mdb files.
Risk Factor: High / CVSS2 Base Score: 7.8 (AV:N/AC:L/Au:N/C:C/I:N/A:N)

Title: NewsTraXer database accessible over web (nTrax.mdb)
Impact: Attackers may access (read or destroy) application information, and in worst cases may take administrative control of the application.
Data Sent:
GET /filenotfound.htm?aspxerrorpath=/cgi-bin/Dbase/nTrax.mdb HTTP/1.0
Host: inkredible.co.uk
User-Agent: Mozilla/4.0
Connection: Keep-alive
Cookie: Nop.customer=214401fe-0a3b-4f5a-a0a2-d584d8487122
Data Received: HTTP/1.1 200 OK
Resolution: No vendor solution to the NewsTraXer problem was available at the time of this writing. It would be advisable to configure the web server to password protect the Dbase directory if possible, or to remove the software.
Risk Factor: High / CVSS2 Base Score: 7.8 (AV:N/AC:L/Au:N/C:C/I:N/A:N)

Title: News database accessible over web (news.mdb)
Impact: Attackers may access (read or destroy) application information, and in worst cases may take administrative control of the application.
Data Sent:
GET /filenotfound.htm?aspxerrorpath=/cgi-bin/news.mdb HTTP/1.0
Host: inkredible.co.uk
User-Agent: Mozilla/4.0
Connection: Keep-alive
Cookie: Nop.customer=214401fe-0a3b-4f5a-a0a2-d584d8487122
Data Received: HTTP/1.1 200 OK
Resolution: To secure the Compulsive Media News database, configure the web server to deny access to the news.mdb file.
Risk Factor: High / CVSS2 Base Score: 7.8 (AV:N/AC:L/Au:N/C:C/I:N/A:N)
11 years ago
The three items are not being found, and since CustomErrors is On (or RemoteOnly), the 404 request is redirected to the file filenotfound.htm as defined in Web.config. So it sends an HTTP code 302 for the redirect and a code 200 for filenotfound.htm. Since an HTTP status code 200 is returned for the tested URLs, the testing script flags these vulnerabilities as existing on the server.

You can turn off CustomErrors, or
try the following solution (untested, but it should return the CustomError page and the 404 status code):
http://blog.stormid.com/2009/08/asp-net-customerrors-and-real-http-status-codes-404s-not-302s/
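As an added example (not code from the original thread, from nopCommerce, or from the linked blog), here is a small Python checker that does what the scanner should have done: it looks at the first hop only, without following the 302, and treats a 200 as real exposure only when the body carries the Microsoft Access file signature ("Standard Jet DB" or "Standard ACE DB" at byte offset 4). The three probe paths are taken from the report above; the verdict names and the checker itself are mine.

```python
"""Offline classifier plus live first-hop probe for 'database accessible over
web' findings.

Added example, not from the original thread. The scanner flagged the .mdb paths
because the final response was 200, but ASP.NET customErrors answered the
original request with a 302 to filenotfound.htm. Looking at the first hop and
at the first bytes of the body is what separates exposure from an error page.
"""
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional

# Probe paths taken from the scan report in the thread.
PROBE_PATHS = ["/cgi-bin/ZixForum.mdb", "/cgi-bin/Dbase/nTrax.mdb", "/cgi-bin/news.mdb"]

# Microsoft Access (Jet / ACE) files carry one of these signatures at offset 4.
JET_MAGIC = b"Standard Jet DB"
ACE_MAGIC = b"Standard ACE DB"

# Verdict names are this example's own, not the scanner's.
EXPOSED = "EXPOSED"                                  # a real Access database was served
NOT_FOUND = "NOT_FOUND"                              # genuine 404; a status-code scanner is satisfied
FALSE_POSITIVE_REDIRECT = "FALSE_POSITIVE_REDIRECT"  # 302 to an error page; the scanner followed it
FALSE_POSITIVE_200_HTML = "FALSE_POSITIVE_200_HTML"  # error page served in place but with status 200
OTHER = "OTHER"


@dataclass
class Response:
    status: int
    location: Optional[str]
    content_type: str
    body_head: bytes  # first bytes of the body, enough to check the signature


def classify(r: Response) -> str:
    """Decide what a first-hop response to a .mdb probe really means."""
    if r.status in (301, 302, 303, 307, 308):
        # The file was not served; the server bounced us elsewhere (on the
        # thread's site, to /filenotfound.htm?aspxerrorpath=...).
        return FALSE_POSITIVE_REDIRECT
    if r.status == 404:
        return NOT_FOUND
    if r.status == 200:
        if JET_MAGIC in r.body_head or ACE_MAGIC in r.body_head:
            return EXPOSED
        # A 200 whose body is not an Access file is an error page that never
        # set a 404: not exposure, but a status-code-only scanner still flags it.
        return FALSE_POSITIVE_200_HTML
    return OTHER


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses as HTTPError instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url: str, timeout: float = 10.0) -> Response:
    """Fetch only the first hop of URL; never follows a redirect."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/4.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return Response(resp.status, resp.headers.get("Location"),
                            resp.headers.get("Content-Type", ""), resp.read(64))
    except urllib.error.HTTPError as e:
        # 3xx (with redirects disabled) and 4xx/5xx all arrive here.
        return Response(e.code, e.headers.get("Location"),
                        e.headers.get("Content-Type", ""), e.read(64))


def check_site(base_url: str) -> dict:
    """Probe every path from the report; returns {path: verdict}."""
    return {p: classify(probe(base_url.rstrip("/") + p)) for p in PROBE_PATHS}


if __name__ == "__main__":
    for path, verdict in check_site(sys.argv[1]).items():
        print(f"{verdict:24} {path}")
```

Run it against the site root (for example `python check_mdb.py https://inkredible.co.uk`, the filename being my own choice). A FALSE_POSITIVE_REDIRECT verdict means the file is not exposed, but a status-code-only scanner will keep flagging it until the error page carries a real 404. ASP.NET's customErrors element accepts redirectMode="ResponseRewrite" (from .NET 3.5 SP1 onward), which serves the error page in place of issuing the 302; the error page then has to set Response.StatusCode = 404 itself, which a static .htm cannot do, otherwise the result is the FALSE_POSITIVE_200_HTML case above.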
11 years ago
Hello again Darren,

I think that this has nothing to do with NopCommerce; the warning says that the DB files are accessible through the internet, so you should probably set up permissions on folders and databases.

My 2 cents, not a sysadmin here.
11 years ago
I love this community! All morning spent scratching my head over 2 issues. 2 posts to Nop forum and minutes later I have 1 solution and 1 issue being looked at by a member.

Thank you guys!