
Re: [LUG] Linux Security Mentoring


On Tue, 29 Nov 2011, Robin Cornelius wrote:

On Tue, Nov 29, 2011 at 3:08 PM, Gordon Henderson
<gordon+dcglug@xxxxxxxxxx> wrote:

The whole thing is a bit of a headache. A client is using Security Metrics
(because they seem to have nobbled the bank to insist that they're "the one"
to use), and they failed a site claiming it was running a vulnerable web
server that only runs under Windows when it was apache under Linux. It
failed on a few dozen other issues that it had previously passed on - all
false positives claiming it was running various applications which it
patently wasn't. Security Metrics just didn't seem to care.

You can trigger false positives like this if you have any kind of rule
that redirects some /loadofnonsense.html or any other unknown page
back to / or /index.html (or any valid page) instead of 404, as a load
of compliance scanners test for specific files to be served via the
webserver and if they get any non-404 response they assume it has that
software installed and fail you.

Well that's handy to know... I know that in this case my client fixed
whatever the issue was, but it did cause some headaches - and this is a
site that's been passing for some time previously (they check once a
quarter) without any change to the site...

Cheers,

Gordon


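As an added illustration (not code from the thread), a self-check for the behaviour Robin describes: a local stand-in for a site that redirects every unknown path to /index.html, beside one that returns a real 404, and a probe that flags the former as likely to trip a scanner's file-existence checks. The handler classes, serve(), probe() and catch_all_suspected() are constructed names for this example.

```python
import http.server
import socketserver
import threading
import urllib.error
import urllib.request

class CatchAllHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a site whose rewrite rule sends every unknown path to /index.html."""
    def do_GET(self):
        if self.path in ("/", "/index.html"):
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(b"<html>home</html>")
        else:  # no 404 here: a scanner sees a non-404 and assumes the probed file exists
            self.send_response(302)
            self.send_header("Location", "/index.html")
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

class StrictHandler(CatchAllHandler):
    """Constructed stand-in for a correctly configured site: unknown paths get a real 404."""
    def do_GET(self):
        if self.path in ("/", "/index.html"):
            super().do_GET()
        else:
            self.send_error(404)

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: the first status the scanner sees is what matters."""
    def redirect_request(self, *args, **kwargs):
        return None

def serve(handler):
    """Start the stand-in server on a free loopback port; returns (server, base URL)."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]

def probe(base, path):
    """Return the HTTP status for one path, without following redirects."""
    try:
        return urllib.request.build_opener(NoRedirect).open(base + path, timeout=5).status
    except urllib.error.HTTPError as err:
        return err.code

def catch_all_suspected(base, paths=("/no-such-page-7f3a.html", "/no-such-dir-7f3a/")):
    """True when a path that cannot exist is answered with anything but 404/410."""
    return any(probe(base, p) not in (404, 410) for p in paths)

if __name__ == "__main__":
    for handler in (CatchAllHandler, StrictHandler):
        srv, base = serve(handler)
        print(handler.__name__, "catch-all suspected:", catch_all_suspected(base))
        srv.shutdown(); srv.server_close()
```

Run the same probe against your own site before the quarterly scan; if a nonsense path comes back as anything other than 404, fix the rewrite rule rather than argue with the scanner.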
--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq