FAILED PCI SCAN - Vulnerabilities found

Answer these questions to help the Community help you with Security questions.

What is the domain name?.

Have you searched for an answer?. Yes

Please share your search results url:. There were no answers to my specific question…

When you tested your domain, what were the results?. I didn’t test the domain, I did a PCI scan that keeps failing because they require Cloudflare “explanation”

Describe the issue you are having: I’m trying to pass my PCI scans but it won’t pass because of two vulnerabilities. 1 for firewall and 1 for web application. I was told I need to find out from you about these two items. I then will tell them what you say about them in order to pass this scan.

What error message or number are you receiving?

What steps have you taken to resolve the issue?

  1. These are my first steps. Apparently, they need some words from Cloudflare.

Was the site working with SSL prior to adding it to Cloudflare?. The site is working fine, it’s just the scan issue because my Host company does not do PCI Compliance, I had to get my SSL certificate from Cloudflare in order to be compliant. I’ve had Cloudflare for some time and have passed previous years just fine. They’ve changed the scanning and now I have to figure out what the problem is and why the scan is not going through. So, please help me to tell them what they need to know so I can pass my scan.

What are the steps to reproduce the error:. If I redo the scan the results are the same.

Have you tried from another browser and/or incognito mode?. This is not applicable to this issue.

Please attach a screenshot of the error:
Just dragged and dropped it. Hope that worked.
There’s no way to upload it. I have the screenshot to send if needed.

May I ask if that was some kind of an online tool/service, or audit by someone in person? :thinking:

Was it only for HTTPS (hopefully) version of your Website?

Sharing results would be appreciated, if so.

Thanks for sharing the screenshot.

Furthermore, I’d bet it has to be something with the TLS version or other settings which you could try to tune-up or modify (might depend on the plan type you’re using), resulting in a different end result.

The first entry is about traffic being sent to the server from a specific source port. It’s a false positive because they are scanning Cloudflare’s IP address, not your origin server, and the traffic is not passed through to your server.

The second entry, we’d need more information about what is being flagged. That may be an application-level thing that isn’t about Cloudflare.


I use Clover merchant services and I access and manage the PCI compliance (scans) through cardpointe.

Here is what I get when I click “Show More:”

Scanners like this will often yield false positives and should never really be used for any official reporting without some serious auditing and testing. They’re fine for a baseline, but they’re automated tools and will never be able to provide the nuance necessary, especially with something like PCI compliance.

What exactly do you believe to be an issue here that the scanner reported? Can you provide a proof of concept or more details? If there’s an actual PCI compliance issue here, I’d recommend you talk to someone on your team who can assist and validate this with you. Or if you’re an enterprise customer with Cloudflare, you can always reach out to your account team and get them to provide you with any compliance documents you may need.


The detail view doesn’t specify what file they are flagging, but it’s something on your site or server. That part isn’t to do with your Cloudflare configuration.

I’d recommend having the scan run either (a) while Cloudflare is disabled on your site (by changing your DNS entries to :grey: unproxied); or (b) against the origin server’s actual IP address, not the Cloudflare address.

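The reasoning in the replies above (a network-layer finding against the Cloudflare edge never reaches the origin, while an application-layer finding still needs checking on the origin itself) can be turned into a small triage script. This is an added example, not code from the thread or from Cloudflare; the CIDR ranges below are constructed placeholders that you would replace with the published lists at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6, and the `layer` labels are an assumed input format.

```python
"""Triage PCI scan findings by checking whether the scanner hit the CDN edge
or the origin server. Placeholder CIDRs are constructed for this example."""
import ipaddress
from typing import Iterable, Tuple

# Constructed placeholder ranges (NOT Cloudflare's real list; fetch that from
# https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6).
PLACEHOLDER_CDN_CIDRS = ["198.51.100.0/24", "2001:db8:100::/48"]


def is_in_ranges(ip: str, cidrs: Iterable[str]) -> bool:
    """True if ip falls inside any of the given CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    # Membership of a v4 address in a v6 network (or vice versa) is simply False.
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def classify_target(scanned_ip: str, origin_ip: str, cdn_cidrs: Iterable[str]) -> str:
    """Return 'edge', 'origin' or 'unknown' for the IP the scanner probed."""
    if is_in_ranges(scanned_ip, cdn_cidrs):
        return "edge"
    if ipaddress.ip_address(scanned_ip) == ipaddress.ip_address(origin_ip):
        return "origin"
    return "unknown"


def triage(finding: dict, scanned_ip: str, origin_ip: str,
           cdn_cidrs: Iterable[str]) -> Tuple[str, str]:
    """finding: {'layer': 'network'|'application', 'title': str} (assumed format).
    Returns (verdict, recommended action) following the thread's reasoning."""
    where = classify_target(scanned_ip, origin_ip, cdn_cidrs)
    if where == "edge" and finding["layer"] == "network":
        return ("likely false positive",
                "Scanner probed the proxy edge; that traffic is not passed to "
                "the origin. Document this for the scanning vendor.")
    if where == "edge":
        return ("needs verification",
                "Application-layer finding may be real on the site itself; rescan "
                "the origin IP directly or with the DNS record unproxied.")
    if where == "origin":
        return ("actionable", "Finding was observed on the origin; fix it there.")
    return ("unknown target",
            "Scanned IP is neither a known CDN range nor the recorded origin.")


if __name__ == "__main__":
    # Constructed sample: the scanner targeted a placeholder edge address.
    for f in ({"layer": "network", "title": "traffic from specific source port"},
              {"layer": "application", "title": "path-based vulnerability"}):
        print(f["title"], "->", triage(f, "198.51.100.7", "203.0.113.10", PLACEHOLDER_CDN_CIDRS))
```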

I’m not sure what other information for the second entry that is required. I have no idea what to tell them in the comment section that would allow them to clear it.

I told them the first one was a false positive from what you said about the first one, and they cleared it. But they didn’t clear the second one. Could you tell me what steps I need to take or what to tell them about this file? I have no idea what steps to take; they are not helpful at all.

Also: They showed these urls:

Original URL is: Psychic Counseling - Cherry Sage - Real Psychic Readings by Phone | Accurate Phone Psychic | Honest Readings

matched: HTTP/1.1 200 OK

These are blog posts and I have no idea what vulnerability would be found for these URLs.

Typically, “Path-based vulnerability” means that the URL exposes a filesystem path that someone could use to access other files on your server.

But that URL (the one ending with /imports/) returns a 404 on your server, and I’m not even sure where they’re getting it from because I don’t see it in your HTML or CSS at all. So I have no idea what they’re saying is wrong.

OK, So, I’ll call them again but it seems they’re looking to me for answers as to why it’s scanning that. I will bring this to their attention and see what they say next. Thank you so much for your responses!
