Hello,
I've failed latest PCI scan because of CVE-2009-0796. Centos 6.7. The Red Hat Security Response Team has rated this issue as having moderate security impact and bug as wontfix.
Explanation: The vulnerability affects non default configuration of Apache HTTP web server, i.e cases, when access to Apache::Status and Apache2::Status resources is explicitly allowed via <Location /perl-status> httpd.conf configuration directive. Its occurrence can be prevented by using the default configuration for the Apache HTTP web server (not exporting /perl-status).
I haven't used <Location /perl-status> but Trustwave still finds me vulnerable.
Evidence: Request: GET /perl- status/APR::SockAddr::port/"><script>alert('xss')</script> HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Host: www.mydomain.com Content-Type: text/html Content-Length: 0 Response: HTTP/1.1 404 Not Found Date: Mon, 07 Aug 2015 11:10:21 GMT Server: Apache/2.2.15 (CentOS) X-Powered-By: PHP/5.3.3 Set-Cookie: PHPSESSID=kj6bpud7htmbtgaqtcwhsqk7j1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre- check=0 Pragma: no-cache Connection: close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Body: contains '"><script>alert('xss')</script>'
How can I get around this?