SecurityMetrics PCI compliance fail: /password_forgotten.php

[MickeyDora]

I am failing the PCI compliance test from SecurityMetrics and they site this vulnerability:

The remote web server contains a PHP application that is susceptible to an authentication bypass. Description : The version of Zen Cart installed on the remote host is affected by a design error that allows a remote attacker to bypass authentication and gain access to the application's admin section by appending '/password_forgotten.php' to URLs. Successful exploitation of this vulnerability may lead to disclosure of sensitive information such as customer data, SQL injection attacks, or arbitrary code execution.

I have upgraded to 1.3.9h, deleted /docs, /extras, /zc_install, install.txt and renamed my admin folder immediately after installation.

Does this sound like a problem with my host (BlueHost) or something else? Much appreciated.

[DrByte]

Tell them their test is wrong. The mere existence of the password_forgotten.php file does not denote a vulnerability.
That was an old vulnerability for a now-obsolete version.

[Website Rob]

I would agree as well that SecurityMetrics needs to update their testing.

Although it was true in the past, that appending '/password_forgotten.php' to certain URLs was indeed a potential vulnerability, the release of a patch for v1.3.8a and complete removal of that vulnerability within any v1.3.9 version makes it a moot point. Mind you, I still see those kinds of attempts which shows people are still trying it.
Just another reason though, why using the current version -- as the OP already is --- is just a good thing to do.