PCI certification scans

Hi, today I got a warning from the PCI security scan company that my cs-cart site is no longer PCI compliant due to 2 issues:

CGI Generic SQL Injection (blind)
A CGI application hosted on the remote web server is potentially prone to a SQL injection attack.

and

Web Application Information Disclosure
The remote web application discloses path information.

Did somebody get the same warnings?

What is the name of the security company that ran the scan on your site? Just curious.

I did another scan test with another tool (Nessus Essentials). There were no issues there.

What is your conclusion? It looks like all is well, perhaps? I think if you are concerned you could hire a manual audit of your customised Cs-cart shop by some well-known security firm, though I think it would cost a lot.
As for a freshly installed Cs-cart, I wouldn't worry much, since Cs-cart works with security firms to make sure their software is clean, and they often warn of any security issues they find and provide a fix for free.
Also, I suggest you reach out to Cs-cart for advice.


After updating the OS and correcting the false-positive issue (disclosing path information), my site is PCI compliant again. I got a positive PCI scan report from the PCI security specialist.
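The "Web Application Information Disclosure: the remote web application discloses path information" finding from the first post, and the "false positive" mentioned in the last one, can both be checked locally before paying for a re-scan. The script below is an added example, not code from the thread or from CS-Cart; it mimics the kind of check an ASV scanner runs by looking for absolute filesystem paths in the visible text of an HTTP response, while ignoring URL paths that only occur inside markup attributes (href, src, action). The sample responses are constructed for the example; a typical true positive is a PHP warning printed because display_errors is on.

```python
"""Re-check an HTTP response body for filesystem path disclosure.

Added example (not from the forum thread or from CS-Cart). Paths inside
tag attributes such as href="/var/catalog" are URL paths, not server
paths, so only text content between tags is inspected.
"""
import re
from html.parser import HTMLParser
from typing import List

# Candidate absolute paths: Unix (/var/www/..., /home/...) and Windows (C:\inetpub\...).
UNIX_PATH = re.compile(r"(?<![\w/])/(?:var|home|usr|etc|opt|srv|tmp)/[\w./-]+")
WIN_PATH = re.compile(r"\b[A-Za-z]:\\(?:[\w. -]+\\)*[\w. -]+")


class _TextExtractor(HTMLParser):
    """Collect only the text between tags; attribute values are dropped."""

    def __init__(self) -> None:
        super().__init__()
        self.chunks: List[str] = []

    def handle_data(self, data: str) -> None:
        self.chunks.append(data)


def find_path_disclosures(body: str) -> List[str]:
    """Return absolute filesystem paths that appear in the visible text of
    an HTML response, in order of first appearance, without duplicates."""
    extractor = _TextExtractor()
    extractor.feed(body)
    text = " ".join(extractor.chunks)
    found: List[str] = []
    for rx in (UNIX_PATH, WIN_PATH):
        for m in rx.finditer(text):
            path = m.group(0).rstrip(".,;:")
            if path not in found:
                found.append(path)
    return found


# Constructed sample responses (not captured from any real site).
LEAKY_RESPONSE = (
    "<html><body><b>Warning</b>: include(/var/www/html/app/addons/foo/func.php): "
    "failed to open stream in <b>/var/www/html/app/init.php</b> on line <b>42</b>"
    "</body></html>"
)
WINDOWS_RESPONSE = "<pre>Fatal error: Uncaught Error in C:\\inetpub\\wwwroot\\shop\\index.php:12</pre>"
CLEAN_RESPONSE = '<a href="/var/catalog/shoes">Shoes</a> <img src="/home/banner.png" alt="sale">'

if __name__ == "__main__":
    for name, body in [("leaky", LEAKY_RESPONSE), ("windows", WINDOWS_RESPONSE), ("clean", CLEAN_RESPONSE)]:
        print(name, find_path_disclosures(body))
```

Run it against the saved body of each URL the scanner flagged (for example `curl -s URL` piped into a file and passed to `find_path_disclosures`). An empty result for a flagged page suggests the scanner matched something else, such as a URL path like /home/products shown as visible text, which is one common way these checks produce false positives; a non-empty result usually means a PHP error or debug message is reaching the browser and should be turned off (display_errors) and logged server-side instead.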