[ic] PCI Compliance and minivend port 7786 issue

Curt Hauge ic_support at mnwebdesign.com
Wed Feb 18 00:49:51 UTC 2009


Hello everyone,

I am trying to bring a server into PCI compliance and I have two issues with
TCP port 7786 minivend.

The test suite at securitymetrics.com reports this:

Synopsis: The remote web server is affected by a directory traversal
vulnerability (TCP port 7786 minivend).

Description: It appears possible to read arbitrary files on the remote host
outside the web server's document directory using a specially-crafted URL.
An unauthenticated attacker may be able to exploit this issue to access
sensitive information to aid in subsequent attacks.

Solution: Contact the vendor for an update, use a different product, or
disable the service altogether.

and this:

Synopsis: The remote web server is prone to cross-site scripting attacks.

Description: The remote host is running a web server that fails to
adequately sanitize request strings of malicious JavaScript. By leveraging
this issue, an attacker may be able to cause arbitrary HTML and script code
to be executed in a user's browser within the security context of the
affected site.

Solution: Contact the vendor for a patch or upgrade.
I have this in my 'pretty stock' interchange.cfg:

TcpMap 7786 -

On startup I see this: Interchange server started in UNIX mode(s)

Can I just comment that line out of my config file? Any drawbacks to doing
that?

This is a 5.4.2 tar install on an upgraded 'construct' catalog
Perl 5.8.8
Centos 4.7
Apache 1.3.41

Kevin Walsh said this:
http://www.icdevgroup.org/archive/interchange-users/2002/msg12325.html

[start Kevin]
To get both UNIX and Inet modes, add the following to your
interchange.cfg file:

    Unix_Mode     Yes
    Inet_Mode     Yes

    TcpHost       127.0.0.1
    TcpMap        7786 -

Restart Interchange after modifying your interchange.cfg file.

There's not always a point in running Interchange in both UNIX and Inet
modes.  Pick one or the other, unless you really do need both for some
reason.

[end Kevin]

Maybe I should just comment that out?

Thanks for any input!

Curt
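Whichever way the TcpMap line is handled, the thing worth confirming afterwards is that port 7786 is either not listening at all or is bound only to 127.0.0.1 (the TcpHost setting quoted above), since the scanner's findings only matter if the port is reachable from outside. The script below is an added example, not part of this thread or of the Interchange project: it takes listener lines in the format of `ss -ltn` (a hypothetical choice; the sample lines are constructed, not captured from a real host) and reports any non-loopback bind of a given port.

```shell
#!/bin/sh
# Added example: flag Interchange's Inet-mode port when it is bound to a
# non-loopback address. Input format assumed to match `ss -ltn` (State,
# Recv-Q, Send-Q, Local Address:Port, Peer Address:Port).

# Constructed sample: Interchange on loopback only, Apache on all interfaces.
SAMPLE_LISTENERS='LISTEN 0 128 127.0.0.1:7786 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*'

# Constructed sample of the risky case: TcpHost left unset, 7786 on 0.0.0.0.
EXPOSED_SAMPLE='LISTEN 0 128 0.0.0.0:7786 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*'

# classify_bind ADDR:PORT -> prints "loopback" or "exposed"
classify_bind() {
    case "$1" in
        127.*:*|\[::1\]:*) echo loopback ;;
        *)                 echo exposed ;;
    esac
}

# exposed_on_port PORT LISTENER_TEXT
# Prints each non-loopback local address listening on PORT and returns 0;
# returns 1 when the port is absent or bound to loopback only.
exposed_on_port() {
    port="$1"
    found=1
    for bind in $(printf '%s\n' "$2" | awk '$1 == "LISTEN" { print $4 }'); do
        [ "${bind##*:}" = "$port" ] || continue
        if [ "$(classify_bind "$bind")" = exposed ]; then
            echo "$bind"
            found=0
        fi
    done
    return $found
}

# Demonstration against the constructed samples. On a real host you would
# feed the output of `ss -ltn` (or `netstat -ltn`) instead of the samples.
if exposed_on_port 7786 "$SAMPLE_LISTENERS"; then
    echo "sample 1: port 7786 reachable beyond loopback"
else
    echo "sample 1: port 7786 not exposed"
fi
if exposed_on_port 7786 "$EXPOSED_SAMPLE"; then
    echo "sample 2: port 7786 reachable beyond loopback"
else
    echo "sample 2: port 7786 not exposed"
fi
```

If the second case shows up on a production box, either set `TcpHost 127.0.0.1` as in Kevin's snippet, or drop Inet mode altogether and keep `Unix_Mode Yes`, then re-run the check after restarting Interchange.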