My Small Business Server 2003 R2, with the latest patches, has been failing the Security Metrics PCI scan since December. The cause listed for the failure is:
Description: web program allows cross-site scripting in query string (/Remote/logon.aspx)
Vulnerability Details:
Service: https
Sent:
    GET /Remote/logon.aspx?><SCRIPT>alert('SAINT')</SCRIPT> HTTP/1.0
    Host: myhost.org
    User-Agent: Mozilla/4.0
    Connection: Keep-alive
Received:
    <form name="logon" method="post" action="logon.aspx?><SCRIPT>alert('SAINT')</SCRIPT>" id="logon" autocomplete="off">
There are lots of suggestions that seem to relate to products that are not installed, and one that suggests creating a custom error page that does not display the URI.
How does one resolve this when the web site is the default one supplied with SBS 2003?
Thanks in advance
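An added illustration of what the scan output above shows and of the fix it calls for. This is not code from SBS, from Security Metrics, or from the poster; it is a Python model of the logon.aspx form tag, with the probe string constructed after the scanner's request. It shows the observed behaviour (the query string copied raw into the form's action attribute) next to the same tag with HTML attribute encoding applied, and the check a scanner effectively runs against the response.

```python
import html
from html.parser import HTMLParser

# Constructed probe, modelled on the scanner request quoted in the post above.
PROBE_QUERY = "><SCRIPT>alert('SAINT')</SCRIPT>"


def build_logon_form(query_string: str, encode_attribute: bool) -> str:
    """Return the <form> tag for logon.aspx with the request's query string
    copied into the action attribute, as the scan's Received line shows.

    encode_attribute=False reproduces the observed behaviour (raw reflection).
    encode_attribute=True applies HTML attribute encoding before the value is
    written into markup, which is the fix for this class of finding."""
    action = "logon.aspx" + (f"?{query_string}" if query_string else "")
    if encode_attribute:
        # quote=True also encodes " and ' so the value can neither close the
        # attribute nor start a new tag.
        action = html.escape(action, quote=True)
    return (f'<form name="logon" method="post" action="{action}" '
            f'id="logon" autocomplete="off">')


def echoes_markup_unencoded(body: str, probe: str) -> bool:
    """What the PCI scanner checks in essence: does the response echo the
    probe with its angle brackets intact?"""
    return probe in body


class _ActionExtractor(HTMLParser):
    """Collect the (decoded) action attribute of the first <form> tag."""

    def __init__(self):
        super().__init__()
        self.action = None

    def handle_starttag(self, tag, attrs):
        if tag == "form" and self.action is None:
            self.action = dict(attrs).get("action")


def extract_form_action(body: str):
    """Parse the markup as a browser would; shows the encoded value still
    decodes to the intended action, so the form keeps working."""
    parser = _ActionExtractor()
    parser.feed(body)
    return parser.action


if __name__ == "__main__":
    vulnerable = build_logon_form(PROBE_QUERY, encode_attribute=False)
    fixed = build_logon_form(PROBE_QUERY, encode_attribute=True)
    print("raw page flagged:", echoes_markup_unencoded(vulnerable, "<SCRIPT>"))
    print("encoded page flagged:", echoes_markup_unencoded(fixed, "<SCRIPT>"))
    print("decoded action of encoded page:", extract_form_action(fixed))
```

In ASP.NET the equivalent of `html.escape` for an attribute value is `HttpUtility.HtmlAttributeEncode` from System.Web; for a vendor-supplied page such as Remote Web Workplace, the encoding has to come from the vendor's patch or from filtering in front of the page, since the markup is not yours to edit.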