Hi Jamey,
Originally Posted by jpietrowiak
PCI Error
Synopsis: It is possible to retrieve file backups from the remote web server.
Description: By appending various suffixes (i.e. .old, .bak, ~, etc.) to the names of various files on the remote host, it seems possible to retrieve their contents, which may result in disclosure of sensitive information.
See also: http://projects.webappsec.org/Predictable-Resource-Location
Solution: Ensure the files do not contain any sensitive information, such as credentials to connect to a database, and delete or protect those files that should not be accessible.
Another awful false positive by yet another waste of space programmer at a PCI company.
A lot of these companies are money-grabbing timewasters.
Ceon URI Mapping strips any invalid characters from the URI, ignoring these characters and therefore essentially protecting you from any effects of these types of "hacks".
PHP Code:
// Make sure that request URI has no invalid characters in it
$uri_to_match = preg_replace('/[^a-zA-Z0-9_\-\.\/%]/', '', $this->_request_uri);
Using a different, "better" PCI company would obviously be the best option.
If you can't do that then chances are you'll have to add a condition to the rewrite rule or remove the above line from
includes/classes/class.CeonURIMappingHandler.php
I'll post back here if I come up with any other solution.
All the best,
Conor
ceon
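As an added illustration (not part of Conor's post or the Ceon module's own code), the filter above can be replayed against the kind of suffix probes the scanner sends. The set of mapped URIs below is constructed for the demo; only the regex is taken from the PHP line quoted in the post.

```python
import re

# Same character filter as the quoted PHP line:
#   preg_replace('/[^a-zA-Z0-9_\-\.\/%]/', '', $this->_request_uri)
INVALID_CHARS = re.compile(r'[^a-zA-Z0-9_\-\./%]')

# Constructed example data: static URIs the mapping module would resolve to store pages.
MAPPED_URIS = {"/about-us", "/products/widget", "/contact"}


def sanitize_uri(request_uri: str) -> str:
    """Drop every character outside the allowed set, as the module does."""
    return INVALID_CHARS.sub('', request_uri)


def resolve(request_uri: str, mapped_uris=MAPPED_URIS) -> tuple:
    """Return (cleaned_uri, http_status): 200 when the cleaned URI is a known
    mapping, 404 otherwise. This models the mapping lookup only, not files on disk."""
    cleaned = sanitize_uri(request_uri)
    return cleaned, (200 if cleaned in mapped_uris else 404)


def explain_probe(base_uri: str, suffix: str) -> str:
    """Classify what a backup-file probe (base_uri + suffix) actually hits.

    'false-positive': the suffix is filtered out entirely, so the probe collapses
                      back to the original mapping and gets the same 200 as the
                      real page, which the scanner reads as a retrievable backup.
    'not-found':      the suffix survives the filter and matches no mapping.
    'distinct-mapping': the cleaned URI happens to be a different real mapping.
    """
    cleaned, status = resolve(base_uri + suffix)
    if status == 200 and cleaned == base_uri:
        return "false-positive"
    return "not-found" if status == 404 else "distinct-mapping"


if __name__ == "__main__":
    for suffix in ("~", ".bak", ".old", "%20", "<script>"):
        print(f"/about-us + {suffix!r:11} -> {explain_probe('/about-us', suffix)}")
```

The model only covers URIs served through the mapping; a real stale `.bak` or `~` file left in the web root is still served by the web server regardless of this filter, so the scanner's advice to delete or protect such files still applies to the filesystem.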