Modifying RT 3.8.1 for PCI compliance

A quarterly vulnerability scan by our PCI Approved Scanning Vendor curiously discovered this vulnerability:

Description: Vulnerable Bugzilla version: 2
Severity: Critical Problem
Impact: Multiple vulnerabilities could allow remote account hijacking, viewing of restricted data, unauthorized bug editing, SQL injection, cross-site scripting, security-bypass, or command execution.
Background: Bugzilla is an open source bug tracking system written in Perl.
Resolution [http://www.bugzilla.org/download/]: Upgrade to Bugzilla 3.2.7, Bugzilla 3.4.7, Bugzilla 3.6.1, Bugzilla 3.7.2 or higher, or install the latest [http://www.bugzilla.org/download/#cvs] CVS snapshot.
Vulnerability Details:
Service: https
Received: Distributed under version 2 of the GNU GPL.

I say “curious” because Bugzilla has never been installed on this machine. It is a single-purpose httpd server running RT and nothing else.

After some unhelpful back-and-forth with our ASV's support e-mail alias, I looked closely at the "Vulnerability Details." The only evidence the scanner offered was the "Received:" field, and all it held was the GNU GPL distribution statement under which RT (and Bugzilla, apparently) is distributed. Taking a close look at the RT login page, I saw:

[Screenshot: RT login page footer showing the GNU GPL distribution statement]

Could my ASV be interpreting that distribution statement as a false positive for an insecure version of Bugzilla? I know how to find out!

I logged into the RT server, backed up /opt/rt3/share/html/Elements/Footer, and then edited it to remove the line:

<&|/l&>Distributed under version 2 <a href="http://www.gnu.org/copyleft/gpl.html"> of the GNU GPL.</a></&><br />

A re-scan of the site shows it is now 100% Bugzilla-free. So there you go: a GPL statement is a Class 5 Vulnerability on the PCI scale, apparently. Bear in mind that this only removes the string the scanner's signature keys on; it patches nothing in RT itself, and the cleaner route is to document the finding as a false positive through the ASV's dispute process rather than to keep scrubbing banners.
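The check and the change above, reduced to a small script. This is an added example, not part of the original post or of RT: it assumes the scanner is keying on the substring "Distributed under version 2" (an inference from the "Received:" field, not something the ASV confirmed), uses the footer path the post names, and writes the backup as Footer.orig. The probe_login_page helper is the same match run against a live page with curl and is not exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post). Reproduce the ASV's apparent
# string match against RT's footer, then back up and scrub the footer.

# Assumption: the substring the scanner signature appears to key on.
FINGERPRINT='Distributed under version 2'

# Default path from the post; override by passing a file to scrub_footer.
RT_FOOTER=/opt/rt3/share/html/Elements/Footer

# Return 0 if the given file contains the fingerprint (what the scanner saw).
has_fingerprint() {
    grep -q -F "$FINGERPRINT" "$1"
}

# Return the number of lines in a file that carry the fingerprint.
fingerprint_count() {
    n=$(grep -c -F "$FINGERPRINT" "$1") || n=0
    echo "$n"
}

# Fetch a login page and apply the same match. Not run offline; -k is only
# for hosts with self-signed certificates and should be dropped otherwise.
probe_login_page() {
    curl -s -k "$1" | grep -q -F "$FINGERPRINT"
}

# Copy the footer to <footer>.orig, then rewrite it without the GPL line.
# Every other line (Mason markup included) is preserved byte for byte.
scrub_footer() {
    footer="${1:-$RT_FOOTER}"
    cp -p "$footer" "$footer.orig" || return 1
    # grep -v exits 1 if nothing is left; treat that as a failure and keep the original
    grep -v -F "$FINGERPRINT" "$footer" > "$footer.tmp" && mv "$footer.tmp" "$footer"
}

# Usage (on the RT host, as a user that can write the footer):
#   . ./scrub_footer.sh
#   has_fingerprint "$RT_FOOTER" && scrub_footer "$RT_FOOTER"
#   has_fingerprint "$RT_FOOTER" || echo "fingerprint gone; re-scan"
```

After scrubbing, a local has_fingerprint against the Footer file should fail, and probe_login_page against the live login URL should fail as well once Mason's component cache has picked up the change.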
