1. Introduction
PCI DSS Compliance – Information Leakage means your systems expose details that should not be publicly available, even though such exposure does not by itself fail a PCI scan. It matters because the exposed information helps an attacker plan an attack and work towards compromising cardholder data. Web servers, applications that handle payment data, and related infrastructure are usually affected. The impact is likely to be medium on confidentiality, low on integrity, and low on availability.
2. Technical Explanation
Information leakage happens when systems reveal unnecessary details about their configuration or operation. Attackers can use this information to identify vulnerabilities and gain access. The vulnerability exists because of insecure configurations or default settings. An attacker might find a backup file containing sensitive data, like database connection strings.
- Root cause: Detailed application error messages are enabled, exposing internal system details. Backup script files remain accessible. Include file source code is disclosed. Insecure HTTP methods (like PUT and DELETE) are allowed. WebDAV or FrontPage extensions are active. Default web server files are present. Testing pages exist on the server.
- Exploit mechanism: An attacker browses to a publicly accessible directory containing backup files, error messages, or testing pages, then analyses these files for sensitive information such as database credentials or internal network details. For example, accessing http://example.com/home.asp.bak might reveal old source code with hardcoded passwords.
- Scope: Web servers running IIS and Apache are commonly affected. Applications built with ASP, JSP, PHP, and other web technologies can also be vulnerable. Affected versions depend on the specific configuration of each system.
3. Detection and Assessment
Confirm vulnerability by checking for publicly accessible files or error messages. A quick check is to browse common file paths. Thorough assessment involves a detailed scan using an automated tool.
- Quick checks: Use a web browser to access URLs like http://example.com/phpinfo.html, http://example.com/test-cgi, and http://example.com/.git/config.
- Scanning: Nessus plugin ID 10423 can identify information leakage issues. OpenVAS also has relevant scans for web server misconfigurations. These are examples only; results may vary depending on scanner configuration.
- Logs and evidence: Check web server access logs for requests to unusual files or directories. Look for error messages containing sensitive data in application logs. Event IDs will depend on the specific web server software.
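Added example, not part of the original page, supporting the "Logs and evidence" check above and the "Monitoring" step in section 5: a Python scanner over Apache combined-format access-log lines that flags requests for backup files, diagnostic pages, exposed repository paths, insecure HTTP methods and WebDAV methods, and separates requests the server actually answered (status below 400) from probes it rejected. The log lines, client addresses and the exact path patterns are constructed for illustration.

```python
import re

# Constructed sample lines in Apache combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:01:02 +0000] "GET /index.asp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:01:09 +0000] "GET /home.asp.bak HTTP/1.1" 200 8831 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:02:15 +0000] "GET /phpinfo.html HTTP/1.1" 200 60214 "-" "curl/8.4.0"
198.51.100.7 - - [10/Mar/2024:10:02:20 +0000] "GET /.git/config HTTP/1.1" 404 196 "-" "curl/8.4.0"
192.0.2.9 - - [10/Mar/2024:10:03:01 +0000] "PUT /upload/test.txt HTTP/1.1" 405 233 "-" "python-requests/2.31"
192.0.2.9 - - [10/Mar/2024:10:03:05 +0000] "PROPFIND / HTTP/1.1" 207 1201 "-" "Microsoft-WebDAV-MiniRedir/10.0"
"""

# client, ident, user, [timestamp], "METHOD PATH PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Path patterns derived from the root causes listed in section 2 (constructed, extend per site).
PATH_RULES = [
    ("backup or old source file", re.compile(r"(\.(bak|old|orig|save|swp)|~)$", re.I)),
    ("test or diagnostic page", re.compile(r"(^|/)(phpinfo(\.\w+)?|test-cgi)$", re.I)),
    ("exposed repository or config", re.compile(r"(^|/)\.(git|svn|hg|env)(/|$)", re.I)),
]
INSECURE_METHODS = {"PUT", "DELETE"}
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

def classify(method, path):
    """Return why a request is suspicious, or None if it looks like normal traffic."""
    if method in INSECURE_METHODS:
        return "insecure HTTP method"
    if method in WEBDAV_METHODS:
        return "WebDAV method"
    bare = path.split("?", 1)[0]  # ignore the query string when matching paths
    for reason, rule in PATH_RULES:
        if rule.search(bare):
            return reason
    return None

def scan_log(text):
    """One finding per suspicious request; 'served' means the server answered it (<400)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        client, ts, method, path, status = m.groups()
        reason = classify(method, path)
        if reason:  # a 200 on a .bak file is a confirmed leak; a 404 is only a probe
            findings.append({"client": client, "time": ts, "method": method, "path": path,
                             "status": int(status), "reason": reason, "served": int(status) < 400})
    return findings
```

Feed scan_log the contents of a real access log; findings with served set to True are the confirmed exposures to remediate first, the rest show who is probing for them.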
Example header check from the command line:
curl -I http://example.com/phpinfo.html
4. Solution / Remediation Steps
Fix the issue by removing unnecessary files and disabling insecure features. Ensure compliance with PCI DSS standards.
4.1 Preparation
- Dependencies: Access to the web server configuration and file system is required.
- Rollback plan: Restore backups or revert snapshots if issues occur.
- Change window: Schedule downtime if necessary, especially for critical systems. Approval from the security team may be needed.
4.2 Implementation
- Step 1: Remove backup files (e.g., home.asp.bak, index.jsp.old) from web server directories.
- Step 2: Disable directory browsing in the web server configuration.
- Step 3: Remove testing and diagnostics pages (e.g., phpinfo.html, test-cgi).
- Step 4: Disable insecure HTTP methods (PUT, DELETE) if not required.
- Step 5: Disable WebDAV or FrontPage extensions if not used.
4.3 Config or Code Example
Before (Apache directory block with directory listing enabled):
<Directory "C:/inetpub/wwwroot">
    Options Indexes FollowSymLinks
</Directory>
After (directory listing disabled; Apache rejects a mix of bare and +/- options, so every option carries a sign):
<Directory "C:/inetpub/wwwroot">
    Options -Indexes +FollowSymLinks
</Directory>
4.4 Security Practices Relevant to This Vulnerability
- Practice 1: Least privilege – limit access to web server files and configuration to authorized personnel.
- Practice 2: Secure defaults – ensure web servers are configured with the most restrictive settings by default.
4.5 Automation (Optional)
# PowerShell example: remove .bak backup files under the web root (add -WhatIf to preview first)
Get-ChildItem -Path "C:\inetpub\wwwroot" -Filter "*.bak" -Recurse | Remove-Item -Force
5. Verification / Validation
Confirm the fix by checking that unnecessary files are removed and insecure features are disabled. Re-run earlier detection methods to verify the issue is resolved.
- Post-fix check: Use a web browser to access URLs like http://example.com/phpinfo.html, which should now return a 404 error.
- Re-test: Re-run Nessus plugin ID 10423 or OpenVAS scans; the vulnerability should no longer be reported.
- Smoke test: Verify that core website functionality (e.g., browsing pages, submitting forms) still works as expected.
- Monitoring: Check web server access logs for any unexpected requests to sensitive files or directories.
Example header check from the command line (expect a 404 status in the response):
curl -I http://example.com/phpinfo.html
6. Preventive Measures and Monitoring
- Baselines: Update security baselines or policies to include restrictions on file access and insecure configurations (e.g., CIS benchmarks).
- Asset and patch process: Implement a regular review cycle for web server configuration settings.
7. Risks, Side Effects, and Roll Back
- Risk or side effect 1: Removing legitimate files could cause website errors; restore backups if needed.
- Risk or side effect 2: Disabling features might break functionality; re-enable them if necessary.
- Rollback: Restore the web server configuration from backup. Re-enable disabled features in the web server configuration. Restart the affected web services.
8. References and Resources
- Vendor advisory or bulletin: https://www.pcisecuritystandards.org