Vulnerability Scan Report: Attestation Of Compliance

Transcription

Report Date: 2012-12-18
Vulnerability Scan Report: Attestation of Compliance

Scan Customer Information
  Company Name: LAW SCHOOL TOOLBOX
  Contact: Alison Monahan
  Title:
  Telephone: 4156585105
  E-mail:
  Business Address: 89 RAMONA AVENUE
  City: SAN FRANCISCO
  State/Province:
  ZIP/Postal Code: 94103
  Country:

Approved Scanning Vendor Information
  Company Name: Trustwave
  Contact: Trustwave
  E-mail: support@trustwave.com
  Business Address: 70 West Madison St., Ste

Scan Status
  Scan Compliance Status: Fail
  Number of unique components scanned that are in scope: 1
  Number of identified failing vulnerabilities: 12
  Number of components scanned by TrustKeeper but confirmed by the customer not to be in scope: 0
  Date Scan Completed: 2012-12-18
  Scan Expiration Date (3 months from Date Scan Completed): N/A

Scan Customer Attestation
LAW SCHOOL TOOLBOX attests that: This scan includes all components which should be in scope for PCI DSS, any component considered out-of-scope for this scan is properly segmented from my cardholder data environment, and any evidence submitted to the ASV to resolve scan exceptions is accurate and complete.
LAW SCHOOL TOOLBOX also acknowledges the following: 1) proper scoping of this external scan is my responsibility, and 2) this scan result only indicates whether or not my scanned systems are compliant with the external vulnerability scan requirement of the PCI DSS; this scan does not represent LAW SCHOOL TOOLBOX's overall compliance status with PCI DSS or provide any indication of compliance with other PCI DSS requirements.
  Signature:
  Printed Name:
  Title:
  Date:

Approved Scanning Vendor Attestation
This scan and report were prepared and conducted by Trustwave under certificate number 3702-01-07 (2012), 3702-01-06 (2011), 3702-01-05 (2010), according to internal processes that meet PCI DSS requirement 11.2 and the PCI DSS ASV Program Guide.
Trustwave attests that the PCI DSS scan process was followed, including a manual or automated Quality Assurance process with customer boarding and scoping practices, review of results for anomalies, and review and correction of 1) disputed or incomplete results, 2) false positives, and 3) active interference. This report and any exceptions were reviewed by the Trustwave Quality Assurance Process.

Confidential Information: This document may contain information that is privileged, confidential or otherwise protected from disclosure. Dissemination, distribution or copying of this document or the information herein is prohibited without prior permission of Trustwave and LAW SCHOOL TOOLBOX.
Copyright 2012 Trustwave, All Rights Reserved

Vulnerability Scan Report: Table of Contents

Attestation of Compliance
Table of Contents
Executive Summary
  Part 1. Scan Information
  Part 2. Component Compliance Summary
  Part 3a. Vulnerabilities Noted for Each IP Address
  Part 3b. Special Notes by IP Address
Vulnerability Details
  Part 1. Scan Information
  Part 2. Scan Inventory (Accessible Systems and Services)
  Part 3a. Previous Scan Targets (Not Scanned)
  Part 3b. Discovered Scan Targets (Not Scanned)
  Part 3c. Load Balancers
  Part 4. Vulnerabilities & Policy Violations
    69.5.23.194
  Part 5a. Web Servers
  Part 5b. SSL Certificate Information
  Part 6. Disputed Vulnerabilities & Policy Violations

Vulnerability Scan Report: Executive Summary

Part 1. Scan Information
  Scan Customer Company: LAW SCHOOL TOOLBOX
  ASV Company: Trustwave
  Scan Compliance Status: Fail
  Date Scan Completed: 2012-12-18
  Scan Expiration Date: N/A

Part 2. Component Compliance Summary
  Columns: #, PCI Status, Name, Type, IP Address, Total Findings, Total PCI Vulnerabilities, Medium, Low, Info
  1  ...ox.com    Web Site     69.5.23.194
  2  69.5.23.194  Domain Name
  Counts as transcribed (Total Findings, Total PCI Vulnerabilities, Medium, Low, Info): 0 0 918502918502910

* Note: This location did not respond to probes from the TrustKeeper scanners. For physical locations this is good, since the location is protected and hidden from the Internet. For websites, it could mean the web site is not available, or the domain name is misspelled.

Part 3a. Vulnerabilities Noted for Each IP Address

Severity legend: Exploit Detected; High (7.0 - 10.0); Medium (4.0 - 6.9); Low (0.0 - 3.9); Informational.
Repealed Vulnerabilities (Exceptions, False Positives, or Compensating Controls Noted by the ASV for this Vulnerability): none noted for any row below.

Vulnerabilities with a PCI Status of FAIL
  #   IP Address   Vulnerabilities Noted                                                            CVSS Score  PCI Status
  1   69.5.23.194  PHP Overflow Vulnerability in php_stream scandir, CVE-2012-2688                              Fail
  2   69.5.23.194  PHP Overflow Vulnerability in php_stream scandir, CVE-2012-2688                              Fail
  3   69.5.23.194  Web Application Transmits Login Credentials Without Encryption                               Fail
  4   69.5.23.194  Web Application Transmits Login Credentials Without Encryption                               Fail
  5   69.5.23.194  Apache HTTP Server Long-Header Cookie Disclosure Vulnerability, CVE-2012-0053                Fail
  6   69.5.23.194  BEAST (Browser Exploit Against SSL/TLS) Vulnerability, CVE-2011-3389             4.30        Fail
  7   69.5.23.194  Apache HTTP Server Long-Header Cookie Disclosure Vulnerability, CVE-2012-0053    4.30        Fail
  8   69.5.23.194  BEAST (Browser Exploit Against SSL/TLS) Vulnerability, CVE-2011-3389             4.30        Fail
  9   69.5.23.194  BEAST (Browser Exploit Against SSL/TLS) Vulnerability, CVE-2011-3389             4.30        Fail
  10  69.5.23.194  BEAST (Browser Exploit Against SSL/TLS) Vulnerability, CVE-2011-3389             4.30        Fail
  11  69.5.23.194  BEAST (Browser Exploit Against SSL/TLS) Vulnerability, CVE-2011-3389             4.30        Fail
  12  69.5.23.194  DCE Service Ports Accessibility                                                  0.00        Fail

Consolidated Solution/Correction Plan for the above IP Address: (none entered)

Other Findings
  #   IP Address   Vulnerabilities Noted                          CVSS Score  PCI Status
  1   69.5.23.194  Indexable Web Directories                      2.60        Pass
  2   69.5.23.194  Indexable Web Directories                      2.60        Pass
  3   69.5.23.194  SSL Weak Encryption Algorithms                 1.80        Pass
  4   69.5.23.194  SSL Weak Encryption Algorithms                 1.80        Pass
  5   69.5.23.194  SSL Weak Encryption Algorithms                 1.80        Pass
  6   69.5.23.194  SSL Weak Encryption                            1.30        Pass
  7   69.5.23.194  Auto-Completion Enabled for Password Fields                Pass
  8   69.5.23.194  Auto-Completion Enabled for Password Fields                Pass
  9   69.5.23.194  PHP expose_php Version Disclosure              0.00        Pass

  10  69.5.23.194  PHP expose_php Version Disclosure                               0.00  Pass
  11  69.5.23.194  PHP expose_php Version Disclosure                               0.00  Pass
  12  69.5.23.194  PHP expose_php Version Disclosure                               0.00  Pass
  13  69.5.23.194  PHP expose_php Version Disclosure                               0.00  Pass
  14  69.5.23.194  PHP expose_php Version Disclosure                               0.00  Pass
  15  69.5.23.194  PHP expose_php Version Disclosure                               0.00  Pass
  16  69.5.23.194  PHP expose_php Version Disclosure                               0.00  Pass
  17  69.5.23.194  Remote Access Service Detected                                  0.00  Pass
  18  69.5.23.194  Enumerated Applications                                         0.00  Pass
  19  69.5.23.194  Enumerated Applications                                         0.00  Pass
  20  69.5.23.194  Enumerated Applications                                         0.00  Pass
  21  69.5.23.194  Enumerated Applications                                         0.00  Pass
  22  69.5.23.194  Discovered Web Applications                                     0.00  Pass
  23  69.5.23.194  HTTP Responses Missing Character Encoding                       0.00  Pass
  24  69.5.23.194  HTTP Responses Missing Character Encoding                       0.00  Pass
  25  69.5.23.194  HTTP Responses Missing Character Encoding                       0.00  Pass
  26  69.5.23.194  Web Application Potentially Sensitive CGI Parameter Detection   0.00  Pass

  27  69.5.23.194  Protected Web Page                                              0.00  Pass
  28  69.5.23.194  Discovered Web Applications                                     0.00  Pass
  29  69.5.23.194  OV/DV Certificate Detected                                      0.00  Pass
  30  69.5.23.194  SSL Ephemeral Diffie-Hellman Ciphers Supported                  0.00  Pass
  31  69.5.23.194  Enumerated Applications                                         0.00  Pass
  32  69.5.23.194  Enumerated Applications                                         0.00  Pass
  33  69.5.23.194  Enumerated Applications                                         0.00  Pass
  34  69.5.23.194  Discovered Web Applications                                     0.00  Pass
  35  69.5.23.194  HTTP Responses Missing Character Encoding                       0.00  Pass
  36  69.5.23.194  HTTP Responses Missing Character Encoding                       0.00  Pass
  37  69.5.23.194  HTTP Responses Missing Character Encoding                       0.00  Pass
  38  69.5.23.194  HTTP Responses Missing Character Encoding                       0.00  Pass
  39  69.5.23.194  HTTP Responses Missing Character Encoding                       0.00  Pass
  40  69.5.23.194  Discovered HTTP                                                 0.00  Pass
  41  69.5.23.194  Web Application Potentially Sensitive CGI Parameter Detection   0.00  Pass
  42  69.5.23.194  Protected Web Page                                              0.00  Pass
  43  69.5.23.194  Discovered Web Applications                                     0.00  Pass
  44  69.5.23.194  SSL Certificate Common Name Does Not Validate                   0.00  Pass
  45  69.5.23.194  SSL Certificate is Not Trusted                                  0.00  Pass
  46  69.5.23.194  OV/DV Certificate Detected                                      0.00  Pass
  47  69.5.23.194  SSL Certificate is                                              0.00  Pass
  48  69.5.23.194  SSL Certificate Common Name Does Not Validate                   0.00  Pass
  49  69.5.23.194  SSL Certificate is Not Trusted                                  0.00  Pass
  50  69.5.23.194  OV/DV Certificate Detected                                      0.00  Pass
  51  69.5.23.194  No X-FRAME-OPTIONS Header                                       0.00  Pass
  52  69.5.23.194  Protected Web Page                                              0.00  Pass
  53  69.5.23.194  SSL Certificate Common Name Does Not Validate                   0.00  Pass
  54  69.5.23.194  SSL Certificate is Not Trusted                                  0.00  Pass
  55  69.5.23.194  OV/DV Certificate Detected                                      0.00  Pass
  56  69.5.23.194  SSL Certificate Common Name Does Not Validate                   0.00  Pass
  57  69.5.23.194  SSL Certificate is Not Trusted                                  0.00  Pass
  58  69.5.23.194  OV/DV Certificate Detected                                      0.00  Pass
  59  69.5.23.194  Unusual SMTP Server Port                                        0.00  Pass
  60  69.5.23.194  Null Service                                                    0.00  Pass
  61  69.5.23.194  Null Service                                                    0.00  Pass
  62  69.5.23.194  Null Service                                                    0.00  Pass

  63  69.5.23.194  Null Service                                                    0.00  Pass
  64  69.5.23.194  Wordpress Plugins Detected                                            Pass
  65  69.5.23.194  Wordpress Plugins Detected                                            Pass
  66  69.5.23.194  Wordpress Plugins Detected                                            Pass
  67  69.5.23.194  Wordpress Plugins Detected                                            Pass

Consolidated Solution/Correction Plan for the above IP Address: (none entered)

Part 3b. Special Notes by IP Address

Columns for each note: Item Noted (remote access software, POS software, etc.); Scan customer's declaration that software is implemented securely (see next column if not implemented securely); Scan customer's description of actions taken to either: 1) remove the software or 2) implement security controls to secure the software.

  1  69.5.23.194  Remote Access Detected
     Note to scan customer: Due to increased risk to the cardholder data environment when remote access software is present, please 1) justify the business need for this software to the ASV and 2) confirm it is either implemented securely per Appendix C or disabled/removed. Please consult your ASV if you have questions about this Special Note.
     Item Noted: tcp/22 ssh (openssh:openssh)
     Scan customer's declaration: (blank)
     Scan customer's description of actions taken: (blank)

  2  69.5.23.194  Directory Browsing Enabled
     Note to scan customer: Browsing of directories on web servers can lead to information disclosure or potential exploit. Due to increased risk to the cardholder data environment, please 1) justify the business need for this configuration to the ASV, or 2) confirm that it is disabled. Please consult your ASV if you have questions about this Special Note.
     Item Noted: tcp/80 http (apache:http server)
     Scan customer's declaration: (blank)
     Scan customer's description of actions taken: (blank)

  3  69.5.23.194  Directory Browsing Enabled
     Note to scan customer: Browsing of directories on web servers can lead to information disclosure or potential exploit. Due to increased risk to the cardholder data environment, please 1) justify the business need for this configuration to the ASV, or 2) confirm that it is disabled. Please consult your ASV if you have questions about this Special Note.
     Item Noted: tcp/443 http (apache:http server)
     Scan customer's declaration: (blank)
     Scan customer's description of actions taken: (blank)
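The pass/fail rules this summary applies can be checked mechanically: a finding fails when its CVSS score is 4.0 or higher (the Medium band in the Part 3a legend), a few finding types fail regardless of score (DCE Service Ports Accessibility is marked Fail at 0.00), a single failing finding fails the component and therefore the scan, and a passing scan expires three months after the completion date while a failing one shows N/A. The Python below is an added example of that triage, not Trustwave's scoring code. The sample findings are constructed from rows in this report; the CVSS values attached to rows whose score the transcription lost, the automatic-fail set, and the choice to treat an unscored finding as Informational are all assumptions.

```python
"""PCI ASV pass/fail triage modelled on the rules in this report's Executive Summary.

Added example, not Trustwave's scoring code. Sample data and thresholds marked
as assumptions below are not from the report."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    ip: str
    name: str
    cvss: Optional[float]       # None when the report prints no score
    port: Optional[str] = None  # the same finding repeats once per port


# Finding types the report fails even at CVSS 0.00 (the DCE Service Ports row).
# Assumption: built from that single row; the ASV Program Guide holds the real list.
AUTOMATIC_FAIL = {"DCE Service Ports Accessibility"}


def severity(cvss: Optional[float]) -> str:
    """Bands from the Part 3a legend: High 7.0-10.0, Medium 4.0-6.9, Low 0.0-3.9.
    An unscored finding is treated as Informational (assumption)."""
    if cvss is None:
        return "Informational"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


def pci_status(f: Finding) -> str:
    """Fail at Medium or above, or for an automatic-fail finding type."""
    if f.name in AUTOMATIC_FAIL or (f.cvss is not None and f.cvss >= 4.0):
        return "Fail"
    return "Pass"


def add_months(d: date, months: int) -> date:
    """Calendar-month addition with the day clamped to the target month."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    nxt = date(year + (month == 12), month % 12 + 1, 1)  # first day of the month after
    last_day = (nxt - date(year, month, 1)).days
    return date(year, month, min(d.day, last_day))


def expiration_for(completed_iso: str, scan_status: str) -> str:
    """Three months from completion for a passing scan, N/A for a failing one."""
    if scan_status != "Pass":
        return "N/A"
    return add_months(date.fromisoformat(completed_iso), 3).isoformat()


def summarize(findings: List[Finding], completed_iso: str) -> Dict[str, object]:
    failing = [f for f in findings if pci_status(f) == "Fail"]
    status = "Fail" if failing else "Pass"
    return {
        "scan_status": status,
        "failing_rows": len(failing),                         # one row per port
        "unique_failing": sorted({f.name for f in failing}),  # what actually needs fixing
        "failing_components": sorted({f.ip for f in failing}),
        "expiration": expiration_for(completed_iso, status),
    }


# Constructed from rows in this report; CVSS values the transcription lost are assumed.
HOST = "69.5.23.194"
SAMPLE_FINDINGS = [
    Finding(HOST, "BEAST (Browser Exploit Against SSL/TLS) Vulnerability, CVE-2011-3389", 4.3, "tcp/443"),
    Finding(HOST, "BEAST (Browser Exploit Against SSL/TLS) Vulnerability, CVE-2011-3389", 4.3, "tcp/465"),
    Finding(HOST, "Apache HTTP Server Long-Header Cookie Disclosure Vulnerability, CVE-2012-0053", 4.3, "tcp/80"),
    Finding(HOST, "DCE Service Ports Accessibility", 0.0),
    Finding(HOST, "Indexable Web Directories", 2.6, "tcp/80"),
    Finding(HOST, "SSL Weak Encryption Algorithms", 1.8, "tcp/443"),
    Finding(HOST, "PHP expose_php Version Disclosure", 0.0, "tcp/80"),
    Finding(HOST, "Wordpress Plugins Detected", None, "tcp/80"),
]


def triage_sample() -> Dict[str, object]:
    return summarize(SAMPLE_FINDINGS, "2012-12-18")


if __name__ == "__main__":
    for key, value in triage_sample().items():
        print(f"{key}: {value}")
```

Deduplicating by finding name is the useful part: the report lists one row per port, so twelve failing rows here collapse to a handful of distinct fixes, and fixing any one of them leaves the scan failing until all are gone.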

Vulnerability Scan Report: Vulnerability Details

Part 1. Scan Information
  Scan Customer Company: LAW SCHOOL TOOLBOX
  ASV Company: Trustwave
  Date Scan Completed: 2012-12-18
  Scan Expiration Date: N/A

Part 2. Scan Inventory (Accessible Systems and Services)

The following systems and network services were detected during this scan. This information is provided for your information. Please refer to "Part 4. Vulnerabilities & Policy Violations" for all PCI compliance-related issues.

Reading Your Scan Inventory

The vulnerability scan reveals Internet-accessible computers and network services available on your network. The following systems (e.g., computers, servers, routers, etc.) and network services (e.g., Web and mail servers) were discovered during the vulnerability scan. As a general rule, all unnecessary network services should be disabled, and all other services should be protected by a firewall or similar device. Only those services which must be available to the public should be visible from the Internet.

Names - A system may be known by many names. For example, a server that offers Web and mail services may be known as both www.mycompany.com and mail.mycompany.com. This report includes as many names as could be identified, including public domain names, Windows domain/workgroups, Windows name, and the "real" name assigned in your DNS server.

Ping - One technique TrustKeeper uses is to try to "ping" systems in your network. It is generally considered to be good practice to block inbound pings as it can give attackers information about your network. However, this decision may be affected by network monitoring needs and other considerations.

Service Information - A large number of services (e.g., TCP and UDP ports) are probed during the scan. Any that appear to be active on the device are listed in the table. You should review this list to ensure that only those services you intend to offer to the public are accessible. All other internal services should be protected by your firewall or similar device.

Device 1
  Names: ...box.com
  OS: OpenWrt WhiteRussian 0.9 (Linux 2.4.30)
  Ping: true

  Service Information
  Port       Protocol     Banner
  tcp/21     ftp          220 Authenticate first.

  tcp/22     ssh          OpenSSH (openssh:openssh)
  tcp/80     http         Apache (apache:http server)
  tcp/113    generic tcp
  tcp/143    imap         * OK imapfront ready.
  tcp/209    generic tcp
  tcp/443    http         Apache (apache:http server)
  tcp/465    smtp         220 lawschooltoolbox.com mailfront ESMTP
  tcp/587    smtp         220 lawschooltoolbox.com mailfront ESMTP
  tcp/987    http         FutureQuestAPId/0.1 Python/2.7.2
  tcp/?      imap         * OK imapfront ready.
  tcp/995    pop3         OK
  tcp/1022   auto close
  tcp/1025   smtp         220 lawschooltoolbox.com mailfront ESMTP
  tcp/11000  auto close
  tcp/11001  auto close
  tcp/11007  auto close
  All other scanned ports were closed.

Part 3a. Previous Scan Targets (Not Scanned)

The following locations were removed from your scan setup at your request and have not been included in this scan. You confirmed that these locations or domain names do not store, process, or transmit cardholder data and are therefore not required to be scanned for PCI DSS compliance.

  #  Name  Type  IP Address  Date Removed
  No such scan locations have been removed by this customer.

Part 3b. Discovered Scan Targets (Not Scanned)
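The inventory above is meant to be reviewed against the services the site actually intends to expose, and the Special Notes in the Executive Summary single out remote-access software (the SSH listener on tcp/22) for justification. The Python below is an added example of that review, not part of the report or of TrustKeeper: it parses a tab-separated inventory, flags ports outside an allowlist, remote-access services, SMTP on a non-standard port (the report's "Unusual SMTP Server Port" finding on tcp/1025) and banners that disclose product versions. The inventory text is constructed from rows legible in this report, and the allowlist, the remote-access service list and the standard SMTP port set are assumptions.

```python
"""Review an ASV scan inventory against the services a host is meant to expose.

Added example, not part of the report or of TrustKeeper. The inventory text,
the allowlist, the remote-access list and the SMTP port set are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Service:
    port: int
    proto: str
    service: str
    banner: str


# Constructed from the rows legible in this report's Part 2 inventory.
# Format assumed: port/proto <TAB> service <TAB> banner (banner may be empty).
SAMPLE_INVENTORY = """\
tcp/21\tftp\t220 Authenticate first.
tcp/22\tssh\tOpenSSH
tcp/80\thttp\tApache
tcp/113\tgeneric tcp\t
tcp/143\timap\t* OK imapfront ready.
tcp/443\thttp\tApache
tcp/465\tsmtp\t220 lawschooltoolbox.com mailfront ESMTP
tcp/587\tsmtp\t220 lawschooltoolbox.com mailfront ESMTP
tcp/987\thttp\tFutureQuestAPId/0.1 Python/2.7.2
tcp/995\tpop3\tOK
tcp/1025\tsmtp\t220 lawschooltoolbox.com mailfront ESMTP
tcp/11000\tauto close\t
"""

LINE = re.compile(r"^(tcp|udp)/(\d+)\t([^\t]*)\t?(.*)$")


def parse_inventory(text: str) -> List[Service]:
    """Return one Service per well-formed row; headers and blank lines are skipped."""
    services = []
    for raw in text.splitlines():
        m = LINE.match(raw.rstrip("\r\n"))
        if not m:
            continue
        proto, port, svc, banner = m.groups()
        services.append(Service(int(port), proto, svc.strip(), banner.strip()))
    return services


# Assumed intent for this host: public web plus authenticated mail submission and retrieval.
ALLOWED: Set[Tuple[str, int]] = {("tcp", 80), ("tcp", 443), ("tcp", 465), ("tcp", 587), ("tcp", 995)}
REMOTE_ACCESS = {"ssh", "telnet", "rdp", "vnc"}  # Special Note category; list is an assumption
STANDARD_SMTP = {25, 465, 587}                    # assumption: anything else is "unusual"
VERSION = re.compile(r"/\d+\.\d+")                # product/version tokens such as Python/2.7.2


def review(services: List[Service], allowed: Set[Tuple[str, int]] = ALLOWED) -> Dict[str, list]:
    """Flag listeners that need justification, removal or firewalling."""
    out: Dict[str, list] = {"unexpected": [], "remote_access": [], "unusual_smtp": [], "version_banners": []}
    for s in services:
        key = f"{s.proto}/{s.port}"
        if (s.proto, s.port) not in allowed:        # includes "auto close" ports: something answered
            out["unexpected"].append(key)
        if s.service in REMOTE_ACCESS:
            out["remote_access"].append(key)
        if s.service == "smtp" and s.port not in STANDARD_SMTP:
            out["unusual_smtp"].append(key)
        if VERSION.search(s.banner):
            out["version_banners"].append((key, s.banner))
    return out


if __name__ == "__main__":
    for category, items in review(parse_inventory(SAMPLE_INVENTORY)).items():
        print(f"{category}: {items}")
```

Every port in the unexpected list is something the scanner reached from the Internet, so the right answer for each is either a business justification recorded against the Special Note or a firewall rule; the version-disclosing banner is worth closing even though the report scores it as informational, because it hands an attacker the exact software version to look up.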
