Where can I get more of a report on a specific QID in the QualysGuard PCI website besides what they provide in their report?
I found all of these by going into the QualysGuard environment and searching the Knowledge Base: https://qualysguard.qualys.com/fo/tools/kbase.php?
12376 - ASP.NET DEBUG Method Enabled Security Issue
Solution: http://support.microsoft.com/default.aspx?scid=kb;en-us;815157
86728 - Web Server Uses Plain-Text Form Based Authentication
Solution: Please contact the vendor of the hardware/software for a possible fix for the issue. For custom applications, ensure that data sent via HTML login forms is encrypted before being sent from the client to the host.
12034 - Microsoft ASP.NET Custom Errors Found Turned Off
Solution: Use either the "On" or "RemoteOnly" configuration options for the "customErrors" attributes in the global machine.config or the installation-specific web.config file. Read this guidelines document on Microsoft MSDN for information on securing Web services in general.
Note that, we have found that ASP.NET 1.0 does not implement the customErrors modes properly, and even with a mode set to 'On' or 'RemoteOnly', the system may still generate exception messages from remoting requests. If the Results section below only shows the ".soap" remoting test, and not the ".asmx" web service test, then this is indeed the case. If possible, please upgrade to ASP.NET 1.1 framework. Else, if remoting is not being used, please disable the ".soap" handler using the IIS Configuration or the following configuration in the machine.config file:
<httpHandlers>
  <add verb="*" path="*.rem" type="System.Web.HttpForbiddenHandler"/>
  <add verb="*" path="*.soap" type="System.Web.HttpForbiddenHandler"/>
</httpHandlers>
If remoting is required, then ASP.NET version 1.1 provides a customErrors configuration for remoting specifically:
<configuration>
  <system.runtime.remoting>
    <customErrors mode="off"></customErrors>
  </system.runtime.remoting>
</configuration>
86855 - Apache mod_proxy_ftp FTP Command Injection Vulnerability
Solution
Workaround: Restrict network access to the proxy server to trusted users only.
Patch: This issue has been resolved in Apache 2.2.14, which is available for download from the Apache HTTP Server Download Page.
Refer to Apache Changes 2.2.14 to obtain details on vulnerabilities fixed in Apache 2.2.14.
86623 - Apache mod_php Module File Descriptor Leakage Vulnerability
Solution: Upgrade to the latest version of Apache Web server, which is available for download from Apache's Web site.
86629 - Apache mod_perl Module File Descriptor Leakage Vulnerability
Solution: We are not currently aware of any vendor-supplied patches for this issue. Mod_perl and Apache 2.0 should not be used in environments where users cannot be trusted to provide safe content.
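A way to check a config file against the QID 12034 guidance quoted above before requesting a rescan, as an added example that is not part of the original post or of Qualys' tooling. It assumes the standard layout in which customErrors and httpHandlers sit under <configuration><system.web>; the function name and both sample configs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

FORBIDDEN = "System.Web.HttpForbiddenHandler"

def audit_config(xml_text):
    """Return findings for one web.config or machine.config document."""
    web = ET.fromstring(xml_text).find("system.web")
    findings = []

    # customErrors must be "On" or "RemoteOnly" per the KB solution text.
    ce = web.find("customErrors") if web is not None else None
    mode = ce.get("mode") if ce is not None else None
    if mode is None:
        findings.append("customErrors: not set in this file, inherited value applies")
    elif mode.lower() not in ("on", "remoteonly"):
        findings.append(f"customErrors: mode={mode!r} returns detailed errors")

    # If remoting is unused, *.rem and *.soap should map to HttpForbiddenHandler.
    blocked = set()
    if web is not None:
        for add in web.findall("httpHandlers/add"):
            handler = add.get("type", "").split(",")[0].strip()
            if handler == FORBIDDEN and add.get("verb") == "*":
                blocked.add(add.get("path", "").lower())
    for path in ("*.rem", "*.soap"):
        if path not in blocked:
            findings.append(f"httpHandlers: {path} not mapped to HttpForbiddenHandler")
    return findings

# Constructed sample: detailed errors on, remoting handlers left at defaults.
WEAK = """<configuration><system.web>
  <customErrors mode="Off"/>
</system.web></configuration>"""

# Constructed sample: settings recommended in the KB entry.
HARDENED = """<configuration><system.web>
  <customErrors mode="RemoteOnly"/>
  <httpHandlers>
    <add verb="*" path="*.rem" type="System.Web.HttpForbiddenHandler"/>
    <add verb="*" path="*.soap" type="System.Web.HttpForbiddenHandler"/>
  </httpHandlers>
</system.web></configuration>"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_config(cfg) or "no findings")
```

Run it against both the site's web.config and the machine.config, since a value missing from one file is inherited from the other.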
Which QID are you interested in?
Here they are:
Hi Jason! Could you please tell me how to fix QID 150022 Syntax Error Occurred raised over a dropdown & listboxes in asp.net?