  1. #1
    Join Date
    Mar 2011
    Posts
    8
    Plugin Contributions
    0

    PCI scan failure

    I continue to get emails from Security Metrics about PCI compliance. It seems most of this is ok but I am failing in 3 areas. I have no idea how to make the changes they are asking for. Wonder if anyone has had a similar experience. Here are the failing messages:

    1. TCP 80 http 10 Description: (guestbook.cgi) is present Severity: Potential Problem CVE: CVE-1999-0237 CVE-2003-1425 CVE-2003-1426 Impact: The web server contains an application which may have a vulnerability. If [More]

    2. TCP 80 4 Description: Cross-site scripting vulnerability in lookup_discount_coupon parameter to /index.php?main_page=discount_coupon&action=lookup Severity: Area of Concern Impact: A malicious web [More]

    3. TCP 80 http 4 Description: Apache ETag header discloses inode numbers Severity: Potential Problem CVE: CVE-2003-1418 Impact: A remote attacker could determine inode numbers on the server. Resolution Use the [More]

    Thank you!

  2. #2
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: PCI Compliance

    In your list, numbers 1 and 3 are something your hosting company's server administrator must resolve. They have nothing to do with Zen Cart.

    For number 2, while minor, you could get their scanner to stop complaining about it by upgrading to the latest version of Zen Cart (which is the SMARTEST solution you should choose) which has specifically addressed that issue as follows:

    /includes/modules/pages/discount_coupon/header_php.php
    at line 18, insert the highlighted line, as shown:
    Code:
        $coupon = $db->Execute("select * from " . TABLE_COUPONS . " where  coupon_code = '" . zen_db_input($_POST['lookup_discount_coupon']) . "'  and  coupon_type != 'G'");
        $_POST['lookup_discount_coupon'] = zen_sanitize_string($_POST['lookup_discount_coupon']); // the inserted (highlighted) line
        if ($coupon->RecordCount() < 1) {

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
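To see what that one inserted line changes, here is an added stand-alone illustration (not Zen Cart's code and not from the reply above): the coupon lookup is stubbed out, and demo_sanitize_string() is my approximation of what zen_sanitize_string() does, which is an assumption.

```php
<?php
// Added illustration of the discount_coupon fix; not Zen Cart's own code.
// Assumption: zen_sanitize_string() collapses runs of spaces and replaces
// '<' and '>' with underscores. This stand-in mirrors that behaviour.
function demo_sanitize_string(string $string): string
{
    $string = preg_replace('/ +/', ' ', $string);
    return preg_replace('/[<>]/', '_', $string);
}

// Stand-in for the TABLE_COUPONS query; returns what RecordCount() would.
// The real page escapes the value for SQL with zen_db_input() before the query,
// which says nothing about whether it is safe to echo into HTML.
function demo_lookup_coupon(string $code): int
{
    $known = ['SAVE10' => 1]; // constructed sample data
    return isset($known[$code]) ? 1 : 0;
}

// The "not found" message the page builds from the submitted coupon code.
function demo_render_not_found(string $code): string
{
    return 'Coupon "' . $code . '" was not found.';
}

// Constructed request: a scanner-style probe in the lookup_discount_coupon parameter.
$post = ['lookup_discount_coupon' => '<b>probe</b>'];

// Query first, exactly as in the patched file (SQL escaping happens there).
$found = demo_lookup_coupon($post['lookup_discount_coupon']);

// Before the fix: the raw parameter reaches the page, so the markup survives.
$before = demo_render_not_found($post['lookup_discount_coupon']);

// After the fix: the inserted line rewrites $_POST before anything echoes it,
// so the angle brackets are gone and the probe renders as plain text.
$post['lookup_discount_coupon'] = demo_sanitize_string($post['lookup_discount_coupon']);
$after = demo_render_not_found($post['lookup_discount_coupon']);

echo "found:  $found\n";
echo "before: $before\n";
echo "after:  $after\n";
```

The sanitizer only neutralizes angle brackets and spaces; any template that echoes the value should still HTML-encode it (htmlspecialchars() with ENT_QUOTES), which is the general defence against reflected XSS.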

  3. #3
    Join Date
    Mar 2011
    Posts
    8
    Plugin Contributions
    0

    Re: PCI Compliance

    Thank you for your help. I am now PCI compliant!
