Technical Q&A

jaykappa · ‎09-01-2021

Hello Community,

We ran PCI scan and got this result and need to know what to answer for the false positive or comment (Web (443/tcp)):

Synopsis: The remote web server may contain some dangerous CGI scripts.

Description:

It is possible that the remote web server contains one or more dangerous CGI scripts.

Note that this plugin does not actually test for the underlying flaws but instead only searches for scripts with the same name as those with known vulnerabilities.

Any help on what we should respond:

PCI-Shawn · ‎09-01-2021

Hi jaykappa!

I have seen this before.

It looks like the ASV test requested the file register.cgi from the server. There is no register.cgi (or any CGI files) on the webserver. The Shopify webservers return content to pretty much every request to keep buyers on the website, no matter what URL they request.

This should be reported as an "INVALID FINDING" with the info above in the DESCRIPTION section.

Shawn.

To learn more visit the Shopify Help Center or the Community Blog.

View solution in original post

PCI-Shawn · ‎09-01-2021

Hi jaykappa!

I have seen this before.

It looks like the ASV test requested the file register.cgi from the server. There is no register.cgi (or any CGI files) on the webserver. The Shopify webservers return content to pretty much every request to keep buyers on the website, no matter what URL they request.

This should be reported as an "INVALID FINDING" with the info above in the DESCRIPTION section.

Shawn.

To learn more visit the Shopify Help Center or the Community Blog.

Technical Q&A

PCI Scan Vulnerability - Multiple Dangerous CGI Script Detection

Community Blog Articles

Shopify Community

Support

Shopify

Quick Links