Security Metrics

job*_*ohn 2 security metrics pci-dss pci-compliance

While running a Security Metrics scan for PCI compliance I received the following error message. Does anyone know how to resolve this?

*Title: vulnerable web program (phpRPC) Impact: A remote attacker could execute arbitrary commands, create or overwrite files, or view files or directories on the web server.

Data Sent: POST /ie/modules/phpRPC/server.php HTTP/1.0

Host: example.com

Content-type: text/xml Content-Length:162 <?xml version="1.0"?> <methodCall> <methodName>test.method</methodName> <params> <param> <value><base64>'));system(id);exit; </param> </params> </methodCall>

Data Received: ????<img height="1" width="1" style="border- style:none;" alt="" src="//googleads.g.doubleclick.net/p agead/viewthroughconversion/997970389/?value=0&amp;label=PlcJCKu92AQ Q1aPv2wM&amp;guid=ON&amp;script=0"/>

Resolution: 03/09/06 CVE 2006-1032 phpRPC is an xmlrpc library that uses database and rpc-protocol abstraction. It is prone to a remote code execution vulnerability because the decode() function within the rpc_decoder.php script fails to adequately sanitize user-supplied input before processing it in an eval() call.
Successful exploitation would result in arbitrary code execution in the context of the application. PHP scripts that implement the phpRPC library, such as RunCMS, are affected by this issue. RunCMS 1.1 through 1.3.a5 are affected, as is phpRPC up to 0.7.

Resolution: phpRPC is not currently being maintained. RunCMS users should upgrade to a version higher than 1.3.a5 which will hopefully include a fix.

Risk Factor: High/ CVSS2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE: CVE-2006-1032 BID: 16833*

Rob*_*mes 6

This is a relatively old question, but I believe this is the answer, because I had exactly the same problem.

Security Metrics is effectively trying to invoke the Linux command id, which returns something like uid=1000(rob) gid=1000(rob) groups=...

My theory is that Security Metrics checks the response for the string uid= to see whether the code was executed on the remote server. This coincidentally matches Google's remarketing tag. E.g. in your question, the uid= part of: src="//googleads.g.doubleclick.net/p agead/viewthroughconversion/997970389/?value=0&amp;label=PlcJCKu92AQ Q1aPv2wM&amp;guid=ON&amp;script=0"

My solution was to remove the Google Remarketing tag from our 404 page entirely, rather than just commenting it out with a JS or HTML comment, because the page being returned is the 404 page for the URL they POST to (/scripts/modules/phpRPC/server.php) when trying to find the vulnerability.

I hope this helps you or anyone else who runs into this problem.

Thanks,
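The false-positive mechanism this answer describes, as an added example that is not part of the original answer or of the Security Metrics scanner: a naive substring check for uid= (the answer's hypothesis about what the scanner does) fires on the remarketing pixel's guid=ON, while a check shaped like genuine id output does not. The regex and both sample response bodies are my own constructions, not the scanner's actual logic.

```python
import re

# Constructed sample of what the 404 page returned to the scanner: the Google
# remarketing pixel quoted in the question, with the URL on one line.
RESPONSE_404 = (
    '<img height="1" width="1" style="border-style:none;" alt="" '
    'src="//googleads.g.doubleclick.net/pagead/viewthroughconversion/'
    '997970389/?value=0&amp;label=PlcJCKu92AQQ1aPv2wM&amp;guid=ON&amp;script=0"/>'
)

# Constructed sample of what a host that really ran system('id') would return.
RESPONSE_EXPLOITED = "uid=33(www-data) gid=33(www-data) groups=33(www-data)\n"


def naive_id_match(body: str) -> bool:
    """The behaviour the answer hypothesises: any 'uid=' substring counts."""
    return "uid=" in body


# Shape of real id(1) output: 'uid=N(name) gid=N(' with no letter directly
# before 'uid', so 'guid=' and 'xuid=' do not qualify. (Assumed heuristic.)
ID_OUTPUT = re.compile(r"(?<![A-Za-z])uid=\d+\([^)]*\)\s+gid=\d+\(")


def strict_id_match(body: str) -> bool:
    """Only accept a body that actually looks like id(1) output."""
    return ID_OUTPUT.search(body) is not None


def classify(body: str) -> dict:
    """Return both verdicts so the false positive is visible side by side."""
    return {"naive": naive_id_match(body), "strict": strict_id_match(body)}


if __name__ == "__main__":
    # The 404 page trips the naive check but not the strict one; the
    # genuinely exploited response trips both.
    print("404 page:  ", classify(RESPONSE_404))
    print("exploited: ", classify(RESPONSE_EXPLOITED))
```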