I ran a PCI scan and the WAN interfaces are both coming up as failed with the following:
Reason | The remote web server is affected by a cross site scripting vulnerability. |
PCI details | medium |
Port | 80 / tcp / www |
Host name | - |
Host OS | - |
Result | URL : http: x . x . x . x .hfc.comcastbusiness.net/third_party/jquery/jquery-1.10.1.min.js Installed version : 1.10.1 Fixed version : 1.12.0 |
2. Web Server HTTP Header Information Disclosure
Port | 80 / tcp / www |
Host OS | - |
Result | Server type : lighttpd Server version : 1.4.39 Source : lighttpd/1.4.39 |
Solution | Modify the HTTP headers of the web server to not disclose detailed information about the underlying web server. |
Anyone know how to resolve these two issues??
I've searched with no answers.
Thanks
Doug
This means you are NAT'ing port 80 on the WAN IP through to an internal server - and that server has the vulnerabilities.
Hello Phillip, thanks for taking time to respond.
When I put in the WAN IPs that are failing... the Meraki web interface comes up.
I have no NATs, no VPN... it's a new install. I'm testing the PCI scans before I switch over to the new Meraki firewalls.
Is there a place to disable that somewhere??
Please advise.
Thanks
Doug
How could the Meraki web interface come up if you haven't switched over to them?
Is this some kind of internal scan you are running?
My SonicWalls are running production; I have set up all the new Meraki gear alongside the current infrastructure, and configured the Meraki MX100 WAN ports using additional IPs we have.
I can hit the Meraki MX100 config webpages from the outside using the WAN IP and TeamViewer from my home.
No, the PCI scan is from pcicompliancemanager.com
**MORE INFO**
I reviewed my MX100s and note: I have 2 MX100s in passive HA mode..
AHHH HA...
I figured it out. (like I said, this is a completely new setup)
So I went to the Firewall configuration page in my Meraki mgmt console / and I found under
Security appliance services: Web (local status & configuration) ANY / see screenshot
I changed it to None.. waited a minute and tested again...
BOOM! No More WAN Meraki web config page!!!
I hope this helps someone else in the future.
Thanks
Doug
Hi Philip,
Even I'm facing the same issue as @DouggieFresh. I'm connected to my home broadband and when I try to http://<Meraki_Public_IP>/#connection, I can retrieve Hostname, Network Name, Hardware address (MAC), model, etc.
Any help to overcome this vulnerability will be really helpful.
Thanks,
L
You do exactly what @DouggieFresh did, and go to Firewall configuration/Security Services and either disable the local status page or further limit the IP addresses it can be accessed from.
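After setting the service to None or restricting its source IPs, both findings from the scan report can be re-checked from outside before rerunning the PCI scan. This is an added example, not part of the original thread or any Meraki tooling; the function names and the sample response are constructed for illustration, and `probe` is meant to be pointed at your own WAN IP.

```python
import http.client
import re

FIXED_JQUERY = (1, 12, 0)  # "Fixed version" taken from the scan report in this thread


def check_response(headers, body):
    """Return the scan findings that a given HTTP response would still trigger."""
    findings = []
    server = headers.get("Server", "")
    # A product name followed by "/<digits>" discloses the exact server version.
    if re.search(r"/\d+(\.\d+)+", server):
        findings.append("server-version-disclosed: " + server)
    # Bundled jQuery files are named like jquery-1.10.1.min.js
    for m in re.finditer(r"jquery-(\d+)\.(\d+)\.(\d+)(?:\.min)?\.js", body):
        version = tuple(int(part) for part in m.groups())
        if version < FIXED_JQUERY:
            findings.append("old-jquery: " + ".".join(m.groups()))
    return findings


def probe(host, port=80, timeout=5):
    """Fetch / from your own WAN IP. None means nothing answered (service closed)."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/")
        resp = conn.getresponse()
        body = resp.read(65536).decode("latin-1")
        headers = {name.title(): value for name, value in resp.getheaders()}
        conn.close()
    except OSError:  # refused, filtered, or timed out
        return None
    return check_response(headers, body)


# Constructed sample resembling the status page response before the change
SAMPLE_HEADERS = {"Server": "lighttpd/1.4.39"}
SAMPLE_BODY = '<script src="/third_party/jquery/jquery-1.10.1.min.js"></script>'

if __name__ == "__main__":
    print(check_response(SAMPLE_HEADERS, SAMPLE_BODY))
```

Run `probe` from a network outside the allowed source IPs: a result of `None` means the local status page no longer answers on that WAN address, while a non-empty list names the findings that would still fail.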