PCI Compliance failure with v2.2.5

After running multiple scans, I keep coming up with these failures. I think they’re false positives, but I want to be sure.



Title: web program lists arbitrary directories (FsPHPGallery)
Impact: A remote attacker could gain sensitive information from the web server, possibly including configuration information, physical path names, or account names. This information could help the attacker plan a successful intrusion.
Data Sent:
GET /index.php?dir=CVS/…/…/…/…/…/… HTTP/1.0
Host: celletech.com
User-Agent: Mozilla/4.0
Connection: Keep-alive
Data Received: (two base64-encoded response bodies omitted)
Resolution: 11/08/04 CVE 2004-2222 The FsPHPGallery image gallery application allows users to browse image sub-folders specified by the dir input parameter. By including dot-dot-slash sequences in this parameter, a remote user can view a listing of any directory on the server. FsPHPGallery prior to 1.2 is affected by this vulnerability.
Resolution: Upgrade to FsPHPGallery 1.2 or higher.
Risk Factor: Medium / CVSS2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE: CVE-2004-2222
BID: 11594



Title: vulnerable web program (iFoto)
Impact: A remote attacker could execute arbitrary commands, create or overwrite files, or view files or directories on the web server.
Data Sent:
GET /index.php?dir=…/…/…/…/…/…/ HTTP/1.0
Host: celletech.com
User-Agent: Mozilla/4.0
Connection: Keep-alive
Data Received: (base64-encoded response body omitted)
Resolution: 08/07/07 CVE 2007-4092 A directory traversal vulnerability in the index.php script in iFoto 1.0 allows remote attackers to view the contents of arbitrary directories by placing dot-dot-slash strings into the dir parameter.
Resolution: Edit the source code of index.php to remove invalid characters from the dir parameter or apply a fix from the vendor when available.
Risk Factor: Medium / CVSS2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE: CVE-2007-4092
BID: 25065



The FsPHPGallery comes up for port 80, and the iFoto comes up for port 433. I’ve never heard of these programs until this scan. :(
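As an added illustration, not code from this thread or from either gallery application, here is the kind of dir-parameter validation the iFoto resolution above calls for: only plain sub-folder names under a gallery root are accepted, and the dot-dot-slash shapes the scanner sent are refused before any filesystem access. GALLERY_ROOT and the sample inputs are assumptions; the function expects the web framework to have URL-decoded the parameter exactly once.

```python
import posixpath
import re

# Constructed gallery root for the example; a real deployment would use its own path.
GALLERY_ROOT = "/var/www/gallery/images"

# A folder name must start with a letter or digit, which rules out "..", ".hidden"
# and empty names, and may then contain only a small set of harmless characters.
SAFE_SEGMENT = re.compile(r"[A-Za-z0-9][A-Za-z0-9._ -]*")


def resolve_gallery_dir(dir_param, root=GALLERY_ROOT):
    """Map the user-supplied 'dir' value to an absolute path inside root.

    Returns the resolved path, or None when the value must be rejected
    (traversal, absolute paths, NUL bytes, unexpected characters).
    """
    if not dir_param:
        return root
    # Absolute paths and embedded NUL bytes are never legitimate gallery folders.
    if "\0" in dir_param or dir_param.startswith(("/", "\\")):
        return None
    # Treat backslashes like slashes so "a\..\b" cannot sneak past the check.
    raw_segments = dir_param.replace("\\", "/").split("/")
    # Empty segments (doubled or trailing slashes) and "." are harmless; drop them.
    segments = [s for s in raw_segments if s not in ("", ".")]
    for seg in segments:
        # Allow-list check: ".." fails here because it does not start alphanumeric.
        if not SAFE_SEGMENT.fullmatch(seg):
            return None
    candidate = posixpath.normpath(posixpath.join(root, *segments))
    # Belt-and-braces containment check: the result must be root or lie beneath it.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def handle_listing_request(dir_param):
    """Return (HTTP status, path or None), the decision index.php should make."""
    path = resolve_gallery_dir(dir_param)
    if path is None:
        return 400, None
    return 200, path


if __name__ == "__main__":
    # Constructed inputs: two traversal probes of the shape the scan report shows,
    # followed by an ordinary sub-folder request.
    for value in ("CVS/../../../../../../", "../../../../../../", "holiday/2004"):
        print(repr(value), "->", handle_listing_request(value))
```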

I had PCI tests completed on one of my sites last week, passed with flying colours.



Do you have any 3rd party applications on your site, such as chat boxes, tracking codes, etc? Remove these and then scan again - you will find the scanner is most likely crawling the 3rd party URL and that is where these errors are coming from.