Allaire Spectra Admin Utility Accessible on port 443/tcp?

Hi all,

Wondering if anyone can help. I have multiple domains and have run PCI Scans with a trusted vendor for a while now with no issue on our domains. A few days ago on only one of the domains we have, when running a scan, it fails with the error being that the Allaire spectra software is open on the port 443 and proceeds to give me the path that is open.

I do not see anything in Cloudflare’s documentation saying they use that software. It just asks to do the below:

SOLUTION:
Remove the /allaire/spectra/system/admin/ directory from all Spectra servers. This directory is not necessary and was only used in Beta Version
1.0.1.

Our server company says this is a cloudflare issue as we are behind cloudflare.

Any help to plug this up?

Most such tools will give you the detailed HTTP request and response. Can you copy then into this thread?

The only path Cloudflare adds to a site is /cdn-cgi/

You can test this with something like:
curl -svo /dev/null https://example.com/allaire/spectra/system/admin/ --connect-to ::123.123.123.123

But if you want to plug that up, you can use a Firewall Rule:

Damn, yall are fast!

RESULT:
HTTP/1.1 200 OK
Date: Fri, 03 Dec 2021 19:28:13 GMT
Content-Type: text/html
Connection: close
cache-control: no-cache
x-iinfo: 9-186936298-0 0NNN RT(1638559692833 0) q(0 -1 -1 -1) r(0 -1) B12(4,321,0) U18
set-cookie: visid_incap_2529166=rqWxVmwVT26zZsiMU2l/Y8xvqmEAAAAAQUIPAAAAAAAr4DEPUlPvXUFIigdjX8Dv; expires=Sat, 03 Dec 2022
09:35:06 GMT; HttpOnly; path=/; Domain=.*********.com
set-cookie: incap_ses_1446_2529166=QeIJS9/R7yVSIR8TdTkRFMxvqmEAAAAAQYZt7AYp0cZhHTK3mtNYFw==; path=/; Domain=.
*********.com
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri=“https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Report-To: {“endpoints”:[{“url”:“https://a.nel.cloudflare.com/report/v3?s=FBKOjvhJ4jaWfgywhx3%
2BHCxrtkPJWdHhVlZYWJjYSARG338t7NouCGUq68dAqkEzj0BTr75hlWR6CQKdN1XtCPtr0zmmR0Mk8%2BwKagwrXDw8kFL8tk5v9%
2Bc9doj5kxd5PTaf4gB37wXbSQ%3D%3D”}],“group”:“cf-nel”,“max_age”:604800}
NEL: {“success_fraction”:0,“report_to”:“cf-nel”,“max_age”:604800}
Server: cloudflare
CF-RAY: 6b7f3264f94a7a9b-LAX
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
Scan Results page 6

< script type="2026e191224b81ab5a396701-text/javascript" src="/_Incapsula_Resource?SWJIYLWA=719d34d31c8e3a6e6fffd425f7e032f3">Request unsuccessful. Incapsula incident ID: 1446000130357399053-625919684518478665Allaire Spectra 1.0.1 admin directory detected on 443 port.
1 Like

Trying that now as well. Again this was crazy fast and thank you!

1 Like

The 123.123.123.123 should be replaced by your Origin IP address.

1 Like

Is your Origin actually Incapsula? They are saying unsuccessful, but returning a 200. Your PCI Scanner is seeing a 200 and that says the directory exists. It’s a false positive (probably).

1 Like

No, actually we switched over from sitelock (incapsula) to cloudflare. I gave it a few days before enabling cloudflare though.

Im running a pci scan now with the firewall rule in any case.

Thanks!

1 Like

Yet there’s still an incapsula cookie and an incapsula response. Any idea why?

No Idea. the Sitelock customer service is not really the best. I will try giving them a call to see what thats about.

1 Like

Their support are saying it seems to be a server Caching issue possibly. Waiting for the server company to respond.

The scan is still running so will let you all know the result of the scan as well.

1 Like

So an update to what happened.

When we turned of the SiteLock service, we left the DNS records pointing to them instead of our server company. The day Cloudflare was enabled, the DNS records were changed to cloudflare.
I gave the DNS 1 day to propagate before running the PCI Scan. It seems like that was not enough time as on cloudflare, it was still pointing to the sitelock IP for some reason. I fixed it to point it to our webs server directly and ran the scan again and it seemed to resolve the issue! Well for now anyways! Thank you for all your help!

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.