PCI Compliance Issue


Mar 15, 2004

We've been trying to get a number of servers PCI compliant, and have managed to fix everything except for one error (it appears twice: once on port 443 and once on port 80).

I have tried using every version of Apache that EasyApache offers, but always get the same error.

Has anyone else found a fix for this?

Synopsis: The remote web server is prone to cross-site scripting attacks.
Description: The remote host is running a web server that fails to adequately sanitize request strings of malicious Javascript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site.
Solution: Contact the vendor for a patch or upgrade.
Risk Factor: Medium / CVSS Base Score: 4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVE: CVE-2002-1060, CVE-2003-1543, CVE-2005-2453, CVE-2006-1681
BID: 5305, 7344, 7353, 8037, 14473, 17408
Other references: OSVDB:4989, OSVDB:18525, OSVDB:24469
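As an added illustration of what the finding above describes (example code written for this thread, not from the scanner vendor, cPanel or Apache), the Python below shows a 404 handler that reflects the requested path into its body unescaped beside one that HTML-escapes it, plus a check that can be run over a saved raw HTTP response to confirm whether a probe string came back as live markup. The handler names, the probe and the two sample responses are constructed for the example.

```python
import html

# Constructed probe: a harmless marker of the kind a PCI scanner sends in the
# request path and then looks for, unescaped, in the error page it gets back.
PROBE = "<script>alert('xss-marker')</script>"


def error_page_vulnerable(requested_path: str) -> str:
    """Reflects the raw request path into the 404 body: the defect the
    scanner flags. Kept deliberately unsafe for comparison only."""
    return ("<html><body><h1>Not Found</h1>"
            f"<p>The requested URL {requested_path} was not found.</p>"
            "</body></html>")


def error_page_hardened(requested_path: str) -> str:
    """Same page, but the path is HTML-escaped before being embedded, so the
    browser renders it as text rather than executing it."""
    safe = html.escape(requested_path, quote=True)
    return ("<html><body><h1>Not Found</h1>"
            f"<p>The requested URL {safe} was not found.</p>"
            "</body></html>")


def split_http_response(raw: str) -> tuple[int, dict, str]:
    """Split a raw response (as saved from 'curl -i') into status, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def response_reflects_probe(raw: str, probe: str = PROBE) -> bool:
    """True when the probe is echoed back with its tags intact in a body the
    browser would render as HTML; an escaped echo or a non-HTML body is not
    counted as reflection."""
    _, headers, body = split_http_response(raw)
    if not headers.get("content-type", "").lower().startswith("text/html"):
        return False
    return probe in body


# Constructed sample responses from an unpatched and a fixed server.
_HEAD = "HTTP/1.1 404 Not Found\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n"
VULN_RESPONSE = _HEAD + error_page_vulnerable("/" + PROBE)
FIXED_RESPONSE = _HEAD + error_page_hardened("/" + PROBE)
```

Saving each scanner-flagged URL's response with `curl -i` and feeding it to `response_reflects_probe` gives a quick local confirmation of whether an EasyApache rebuild actually removed the reflection.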


Jun 13, 2007
Depending on the PCI scanning company you use, many will tell you exactly what page/form they discovered the cross-site scripting vulnerability in.


May 12, 2007
Does your PCI tester also suggest an Apache upgrade to Apache2, citing 1.3x unstable? (Mine did)

And yet the management company I previously used states Apache 2 isn't stable with cPanel just yet (is there any truth to this, or is it just paranoia)?
I'm going to guess it's just paranoia, as it looks as though cpanel.net is on 2.0.63...

Nevertheless, I'm curious as to why my PCI test claims so many holes in 1.3.41, due mostly to OpenSSL and such.