I've run a third-party PCI scan recently on my website, and my main domain cleared 100%.
The IP address, however, came up with some strange errors. It was claiming we were vulnerable to XSS attacks due to some CGIs that aren't even installed on our cloud server.
The XSS-prone vulnerabilities are as follows:
- AgoraCart (agora.cgi)
- Citrix NFuse Launch Scripts
- DCP-Portal
- Faq-O-Matic (fom.cgi)
- FastCGI
- Oracle 9iAS (iSQLplus)
- Pinnacle Showcenter
- PsNews
Other than FastCGI, I hadn't even heard of most of these. I've looked through my server (sub-domains and /user and /etc folders as well, just in case), and could not find any indication that any of these were installed. I don't even have *.cgi files on the server.
My server is a cloud server hosted by Rackspace, with a dedicated IP address.
I am wondering the following:
- Can the PCI scanner find files being used by others sharing the cloud server with me (i.e. different IP on same hardware)?
- If yes, what can I do about this? Is it something that would prevent me from passing compliance?
- If not, what are some possible causes for the scanner picking up these files? Am I looking in the wrong places here?
Almost forgot to mention: we migrated to a new server a few months back. We had Plesk on the old server, but didn't keep it on the new server. I'm bringing it up since those seem like files that might come with Plesk.
Update regarding the scan:
The scan was run over my domain and IP address, and did not require the installation of any files.
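As an added check, not part of the question above, the script below asks the server itself whether the reported CGI paths are served, once addressed by bare IP (the default virtual host a scanner sees when it targets an IP) and once with the domain's Host header, and compares each answer against a random control path that cannot legitimately exist. The /cgi-bin/ prefix, the placeholder IP and the example.com host name are assumptions.

```python
import hashlib
import secrets
import urllib.error
import urllib.request

# Filenames named in the scan report; the /cgi-bin/ prefix is an assumption.
REPORTED_PATHS = ["/cgi-bin/agora.cgi", "/cgi-bin/fom.cgi"]

def fetch(base_url, path, host_header=None, timeout=10):
    """Return (status, sha256 of body) for base_url + path, or (None, None) on network error."""
    req = urllib.request.Request(base_url + path, headers={"User-Agent": "pci-check"})
    if host_header:  # select a named vhost instead of the default one the bare IP serves
        req.add_header("Host", host_header)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, hashlib.sha256(resp.read()).hexdigest()
    except urllib.error.HTTPError as e:
        return e.code, hashlib.sha256(e.read()).hexdigest()
    except (urllib.error.URLError, OSError):
        return None, None

def probe(base_url, host_header=None):
    """Probe the reported paths plus a random control path that cannot legitimately exist."""
    control = "/cgi-bin/" + secrets.token_hex(8) + ".cgi"
    results = {p: fetch(base_url, p, host_header) for p in REPORTED_PATHS}
    results["control"] = fetch(base_url, control, host_header)
    return results

def classify(results):
    """Explain what each response pattern implies about the scanner's finding."""
    ctrl_status, ctrl_hash = results["control"]
    verdicts = {}
    for path, (status, body_hash) in results.items():
        if path == "control":
            continue
        if status is None:
            verdicts[path] = "unreachable"
        elif status == 200 and ctrl_status == 200 and body_hash == ctrl_hash:
            verdicts[path] = "catch-all: same 200 page as a random path, scanner false positive"
        elif status == 200:
            verdicts[path] = "real 200: something actually serves this path, investigate"
        else:
            verdicts[path] = f"not served (HTTP {status})"
    return verdicts

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://203.0.113.10"  # placeholder IP
    for host in (None, "example.com"):  # default vhost vs. the named vhost (assumed name)
        for path, verdict in classify(probe(target, host)).items():
            print(f"Host={host or '(IP only)'} {path}: {verdict}")
```

If the bare-IP run reports "catch-all" while the Host-header run reports "not served", the default virtual host is answering 200 for anything, which is what a scanner keyed on status codes turns into a list of CGIs that were never installed.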