PCI compliance failing, IIS 6 Problem

f1y (Supreme [H]ardness, joined Dec 30, 2005, 8,107 messages)
Description: Possible Microsoft IIS ASP Remote Code Execution vulnerability
Severity: Potential Problem
CVE: CVE-2008-0075
Impact: An attacker could send a specially constructed request which crashes the server or executes arbitrary code with the privileges of the web server.
Background: Microsoft IIS web servers accept requests for a number of different types of files. The most common methods of requesting a file are GET and POST. In addition to the request itself, the web browser sends the IIS server additional information called headers which are not seen by the user. Information in the header can include browser type, content type, content length, and other information. Some of the file types for which IIS may accept requests are .HTR files (for remote administration of passwords), .IDC files (Internet Database Connectors), .STM files (server side include files), .PRINTER files (printers), .IDA files (Internet Data Administration), .IDQ files (Internet Data Query), and .ASP files (Active Server Pages). Whenever any file of one of these types is requested by a client, a corresponding DLL file is executed on the server, regardless of whether or not the requested file actually exists on the server. IIS supports redirection, which allows a user to specify that requests for a particular URL on the server should be redirected such that the user's browser loads a file from another directory, a network share, or a URL on another web server.
Resolution: Install the patches referenced in Microsoft Security Bulletins MS03-018 (http://www.microsoft.com/technet/security/bulletin/ms03-018.mspx), MS06-034 (http://www.microsoft.com/technet/security/bulletin/ms06-034.mspx) (for Windows 2000), MS08-062 (http://www.microsoft.com/technet/security/bulletin/ms08-062.mspx), and MS10-065 (http://technet.microsoft.com/en-us/security/bulletin/MS10-065). For IIS 5.1, also install the patches referenced in MS07-041 (http://www.microsoft.com/technet/security/bulletin/ms07-041.mspx).
Note that the patch referenced in Microsoft Security Bulletin MS02-050 (http://www.microsoft.com/technet/security/bulletin/ms02-050.mspx) must also be installed if client side certificates are to function. IIS 4.0 users should also install the patch referenced in Microsoft Security Bulletin MS04-021 (http://www.microsoft.com/technet/security/bulletin/ms04-021.mspx) or disable the permanent redirection option under the Home Directory tab in the web site properties.
Vulnerability Details: Service: https
IIS 6 detected and cannot check for patch (credentials required)


I get the above warning on my PCI compliance scan, and I'm currently failing.

I've installed the listed patches that deal with IIS6 and SBS2003. Still no luck. Redirection is off. What gets me is the "Service: https IIS 6 detected and cannot check for patch (credentials required)".

Does PCI need credentials entered in? Why is this still failing? My box is up to date and has been rebooted.
 
It's only stating that it has discovered you're running IIS6 and can't tell if the required patches have or haven't been applied. So it is just a warning, not a failure.

You are going to run into problems (but it is possible) getting a website hosted on SBS to pass automated PCI checks; that server is the jack-of-all-trades and has way too much stuff running. Bare minimum is to have IIS on its own IP address to make life easier.
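The scanner only fingerprinted IIS 6 over HTTPS and could not read patch state without credentials, so the verification has to happen on the box. The script below is an added example (not posted in this thread, and not the scanner's or Microsoft's code) that checks the three things the finding's Resolution section asks about: whether the hotfixes for the bulletins that cover IIS 6 are installed, whether any of the legacy ISAPI extensions named in the Background section (.htr, .idc, .stm, .printer, .ida, .idq) are still mapped or allowed, and whether any site is set to a permanent redirect. It assumes PowerShell is installed on the Windows Server 2003 / SBS 2003 host (it is not there by default), that the bulletin-to-KB numbers are the ones I recall (KB953155 for MS08-062, KB2267723 for MS10-065; confirm each against the bulletin page before trusting the verdict), and that the IIS 6 WMI provider classes are named as I remember them.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session on the IIS 6 host.
# Assumed bulletin -> KB mapping; verify against each bulletin before relying on it.
$bulletinKb = @{
    'MS08-062' = 'KB953155'    # IPP (.printer) ISAPI fix; covers IIS 6
    'MS10-065' = 'KB2267723'   # IIS cumulative fix; covers IIS 6
}

# Installed hotfixes as Windows reports them (same source as "Add or Remove Programs").
$installed = Get-WmiObject -Class Win32_QuickFixEngineering |
    ForEach-Object { $_.HotFixID.ToUpper() }

foreach ($bulletin in $bulletinKb.Keys) {
    $kb = $bulletinKb[$bulletin]
    if ($installed -contains $kb) {
        "PATCHED  $bulletin ($kb)"
    } else {
        "MISSING  $bulletin ($kb)"
    }
}

# Extensions from the finding's Background section. Each is served by an ISAPI DLL that
# runs whether or not the requested file exists, so none should remain reachable.
$legacyExt = '.htr', '.idc', '.stm', '.printer', '.ida', '.idq'

# IIS 6 gate: a script map only matters if its DLL is enabled under Web Service Extensions.
# Each entry is "Allowed,Path,Deletable,GroupID,Description"; Allowed = 1 means enabled.
$svc = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsWebServiceSetting
foreach ($entry in $svc.WebSvcExtRestrictionList) {
    $fields = $entry.Split(',')
    if ($fields[0] -eq '1') { "ALLOWED extension DLL: " + $fields[1] }
}

# Per-site root: effective script maps plus HttpRedirect, which is what the Home Directory
# tab's redirection option writes. A value containing ", PERMANENT" is the 301 case that
# the finding tells IIS 4.0 users to turn off.
$roots = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsWebVirtualDirSetting |
    Where-Object { $_.Name -match '^W3SVC/\d+/ROOT$' }
foreach ($root in $roots) {
    $mapped = @()
    foreach ($map in $root.ScriptMaps) {
        if ($legacyExt -contains $map.Extensions.ToLower()) { $mapped += $map.Extensions }
    }
    "{0}: legacy script maps = [{1}]; HttpRedirect = '{2}'" -f `
        $root.Name, [string]::Join(', ', $mapped), $root.HttpRedirect
}
```

The output you want is every bulletin reported PATCHED, no ALLOWED line for a legacy ISAPI DLL, an empty legacy script map list for each site root, and an empty HttpRedirect. If the scan vendor offers authenticated (credentialed) scanning, giving it a low-privilege local account lets it make the same determination itself and clears the "cannot check for patch" wording; otherwise this local evidence is what you attach to the dispute.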
 