Path-Based Vulnerability with webmail during PCI scan

Comments

  • rbairwell

    You'll probably need to ask your PCI/security team if it is a true vulnerability - automated scans can only do "so much".

    However, the message does say that https://example.com/webmail redirects to https://example.com:2096 (as I would expect on a cPanel server) and that the page does return a "200 OK" (again as I would expect). The "vulnerability" listed is that "file, directory, or directory listing was discovered on the Web server" - so when you go to https://example.com:2096/ do you get a directory listing as the report says, or do you actually get the Webmail login page (as I would suspect)? If the latter, then it's a false positive.

    0
  • nisamudeen97

    Hi,

    Thank you very much for the update. There is no file / directory listing enabled here. It shows the login page.

    0
  • cPRex Jurassic Moderator

    I agree that this looks like a false positive from the scanning company.

    1
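
The check discussed in this thread (does the page behind the redirect show a directory listing or a login form?), written as an added example that is not part of the original posts or of cPanel's code. The function names, labels and sample responses are assumptions constructed for illustration; the title patterns are the ones used by Apache/nginx autoindex pages and Python's `http.server`.

```python
from html.parser import HTMLParser

class PageFacts(HTMLParser):
    """Collect the page title and count password fields."""
    def __init__(self):
        super().__init__()
        self.title, self.in_title, self.password_fields = "", False, 0

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self.in_title = True
        elif tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.password_fields += 1

    def handle_endtag(self, tag):
        if tag == "title":
            self.in_title = False

    def handle_data(self, data):
        if self.in_title:
            self.title += data

def classify(status, body):
    """Label one final HTTP response for triage of the scanner finding."""
    if status != 200:
        return "not-200"
    facts = PageFacts()
    facts.feed(body)
    title = facts.title.strip().lower()
    # Titles used by Apache/nginx autoindex and Python's http.server listings.
    if title.startswith(("index of", "directory listing for")):
        return "directory-listing"
    if facts.password_fields:
        return "login-page"
    return "manual-review"

def triage(chain):
    """chain: list of (status, body) hops in order; classify the last hop."""
    status, body = chain[-1]
    return classify(status, body)

# Constructed sample responses (not captured from any real server).
REDIRECT = (301, "")
LOGIN = (200, "<html><head><title>Webmail Login</title></head><body>"
              "<form method='post'><input name='user'>"
              "<input type='password' name='pass'></form></body></html>")
LISTING = (200, "<html><head><title>Index of /</title></head><body>"
                "<h1>Index of /</h1><a href='../'>../</a>"
                "<a href='backup.tar.gz'>backup.tar.gz</a></body></html>")

if __name__ == "__main__":
    print(triage([REDIRECT, LOGIN]), triage([REDIRECT, LISTING]))
```

A `login-page` result supports recording the finding as a false positive; `directory-listing` or `manual-review` means someone should look at the page before disputing it.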
