
Thread: What to do when somebody labels your site a security threat?

  1. #1 SitePoint Guru

    What to do when somebody labels your site a security threat?

    An old version of one of my scripts has an SQL vulnerability. It has been known about for years and was patched ages ago.

    Unfortunately it is listed on one of those security databases that seems to get syndicated over hundreds of sites. This means that details of the vulnerability are everywhere.

    Somebody who runs the script has received an email from McAfee while they were scanning his site for PCI compliance. They pointed this vulnerability out to him. Even they didn't seem to notice that this was patched ages and ages ago.

    I really don't like details like this spread all over the Internet.

    Is there anything I can do about it? Nobody ever seems to give you an opportunity to put your side of the story forward.

  2. #2

  3. #3
    SitePoint Guru
    Quote Originally Posted by Mittineague:
    Have you contacted McAfee?
    Yes, but got no reply after 2 weeks.

  4. #4
    Mittineague (West Springfield, Massachusetts)
    I guess you could include something with the script informing users that they may get a security alert saying "whatever" and that they can safely ignore it. But that won't help much for those that find the misinformation and decide to not try the script.

    I don't know what a legally "reasonable" amount of time for a response and corrective action would be, but if you are suffering "damages" maybe filing a legal action would get more attention.

  5. #5
    TheRedDevil (Norway)
    PCI Compliance is a security check of the server/websites that has to be performed if you're dealing with credit card payments.

    Nothing in the scan is "certain", which is why you are able to give information back to the company doing the scan on the issues they found, as there are a lot of false positives.

    In your case, is it possible that the client was using an old version of the script, or that there was, for example, no version number etc.? Some of the software they use to scan also tries SQL injections, so it's even possible there is still an unsolved issue in the script.

    For issues like this, sending them an email is not the answer. Call them and speak to a supervisor, only then will you get to someone that can answer your questions regarding why your script is on their security problems list.

  6. #6
    SitePoint Enthusiast (Everett WA)
    A patched script does not always increment the reported version number. Often the companies that scan websites for vulnerabilities do not take that into account. Though the practicality of this may be in question, it would be so much more useful to have a mention of the version number, but then have an actual test done to see if it is exploitable, and if it is, then that is a critical alert. I do know that the intelligence of many security scanning services is very minimal, and as mentioned, results in many false positives.

    You may want to consider changing the version number, or appending something to it so that it is not the same as the version detected as being known exploitable. Then again, if at all possible, I would suggest that you use a newer version altogether, and just go through the steps to get it upgraded, or use something else in its place. If you are using an old patched version of something, there may be other exploits found that apply, but are hard to track unless you are running an updated version.
    Jonathan Kinney
    Data Systems Specialist
    Advantagecom Networks, Inc.
    http://www.simplywebhosting.com
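The point made in posts #5 and #6 (a scanner that only matches the version banner cannot tell a silently patched script from the old one, while one that actually tries the injection can) is easy to see in code. The following is an added example, not code from the thread, the script in question, or any vendor's scanner. It assumes a hypothetical lookup endpoint (`ToyApp`), a constructed in-memory SQLite table, and an assumed list of "affected versions" (`VULNERABLE_VERSIONS`); the probe is a simple boolean-based check of the kind PCI scanners run.

```python
import sqlite3

# Assumed for the example: the versions an advisory lists as affected.
# The patched build below still reports "1.1", mirroring the thread's
# situation where a fix was shipped without bumping the version string.
VULNERABLE_VERSIONS = {"1.0", "1.1"}


def make_db():
    """Constructed sample data: a tiny in-memory table to query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [(1, "apple"), (2, "pear"), (3, "plum")])
    return conn


class ToyApp:
    """Hypothetical script with a name-lookup endpoint and a version banner."""

    def __init__(self, patched, version="1.1"):
        self.patched = patched
        self.version = version
        self.conn = make_db()

    def lookup(self, name):
        if self.patched:
            # Fixed build: bound parameter, input never reaches the SQL parser.
            cur = self.conn.execute(
                "SELECT id, name FROM items WHERE name = ?", (name,))
        else:
            # Old build: string concatenation, the classic injection point.
            cur = self.conn.execute(
                "SELECT id, name FROM items WHERE name = '%s'" % name)
        return cur.fetchall()


def banner_check(app):
    """Version-match check: what a scanner does when it only reads the banner."""
    return app.version in VULNERABLE_VERSIONS


def probe_check(app):
    """Active boolean-based probe: send a value that should match nothing,
    then the same value with a quote break-out appended.  Extra rows coming
    back (or a SQL error caused by the stray quote) means the input reached
    the query text, so the hole is really there regardless of the banner."""
    baseline = app.lookup("no-such-item")
    try:
        injected = app.lookup("no-such-item' OR '1'='1")
    except sqlite3.Error:
        return True   # parser choked on our quote: input is being concatenated
    return len(injected) > len(baseline)


def scan(app):
    """Return both verdicts so they can be compared side by side."""
    return {"banner_says_vulnerable": banner_check(app),
            "probe_says_vulnerable": probe_check(app)}


if __name__ == "__main__":
    cases = [
        ("old build", ToyApp(patched=False)),
        ("silently patched build", ToyApp(patched=True)),
        ("old build, version string renamed",
         ToyApp(patched=False, version="1.1-custom")),
    ]
    for label, app in cases:
        print(f"{label}: {scan(app)}")
```

Running it shows the three outcomes the thread is circling: the old build is flagged by both checks; the patched build that still reports "1.1" is a false positive for the banner check but passes the probe; and an old build whose version string has merely been renamed slips past the banner check while the probe still finds the injection, which is why renaming the version (as suggested above) only hides the report, not the problem.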

  7. #7
    bizcare (Scottsdale, Arizona)
    Is McAfee the only AV company picking this up?
