It is not clear from these messages what the complaint is. The messages seem to be about having detected a version of WebSphere Application Server with a known security issue. They do not seem related to Roller. You should ask your auditors for clarification.
Also, at the end of these messages, there is a snippet of JSP code that may have been exposed because you have edited the index.jsp and introduced a syntax issue.
On 9/8/11 3:31 PM, Joe Faith wrote:

Hi

I'm using roller version 4.0.1 on tomcat 5.5.30 to run the blog on a small ecommerce site. We have been security scanned for PCI (credit card) accreditation, and this exposed the following issue. I'm not sure what the problem is here, or what the fix might be. Would upgrading to roller 5.0 help (I've been putting this off!)? Any help would be gratefully received.

thanks
Joe
fundraisingskills.co.uk

-- we will need an explanation for the 200 OK.

GET /news/index.jsp HTTP/1.0
Host: n0nex1st

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Tue, 06 Sep 2011 10:37:00 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 139127
Date: Wed, 07 Sep 2011 19:21:43 GMT
Connection: close

vulnerability report:

TCP 443 https *5*
Description: WebSphere JSP source disclosure in web document root
62-233-100-162.easydservers.com 62.233.100.162 Linux 2.6.18 Sep 05 20:45:46 2011 new
Severity: Area of Concern
CVE: CVE-2005-1112 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1112)
5.01423new11
Impact: Multiple vulnerabilities could allow a malicious user to crash the server, or obtain unauthorized access, or obtain sensitive information.
Background: IBM WebSphere is e-business infrastructure software. One component of the WebSphere product line, WebSphere Application Server (WAS) is a Java-based environment for building e-business applications.
Resolution:
WebSphere Application Server 7.0.x should be upgraded to 7.0.0.15 or higher (http://www-01.ibm.com/support/docview.wss?uid=swg27014463).
WebSphere Application Server 6.1.x should be upgraded to version 6.1.0.37 or higher (http://www-01.ibm.com/support/docview.wss?uid=swg27007951).
WebSphere Application Server 6.0.x should be upgraded to version 6.0.2.43 or higher (http://www-01.ibm.com/support/docview.wss?uid=swg27006876).
WebSphere Application Server 5.1.x should be upgraded to a version higher than 5.1.1.19 (http://www-1.ibm.com/support/docview.wss?uid=swg27006879).
WebSphere Application Server 5.0 through 5.0.2.10 should be upgraded to version 5.0.2.11.
Install PQ62144 (supersedes PQ62249) for WebSphere 4.0.3 to remove the buffer overflow vulnerability (http://www-1.ibm.com/support/docview.wss?rs=180&context=SSEQTP&q=PQ62144&uid=swg24001610), and move JSP files outside the document root of the web server.
Install PQ81278 for WebSphere 5.0 through 5.0.2.1 to remove the XML Attribute Parsing Denial of Service vulnerability (http://www-1.ibm.com/support/docview.wss?rs=180&context=SSEQTP&q=PQ81278&uid=swg24005943).
Vulnerability Details:
Service: https
Sent:
GET /news/index.jsp HTTP/1.0
Host: n0nex1st
Received:
href="http://www.facebook.com/share.php?u=<%= request.getRequestURL() %>"
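As an added example (not from this thread, and not Roller's or WebSphere's own code): a small Python helper that checks a response body for unrendered JSP constructs such as the `<%= request.getRequestURL() %>` the scanner reported, so a "JSP source disclosure" finding can be confirmed or dismissed from a saved or replayed response. The sample bodies, the `fetch_body` helper and the fundraisingskills.co.uk URL inside the rendered sample are constructed for the example.

```python
import re
from urllib.request import Request, urlopen

# Any JSP construct the container should have consumed before responding: directives
# (<%@ %>), declarations (<%! %>), expressions (<%= %>), scriptlets (<% %>) and JSP
# comments (<%-- --%>). None of these belongs in HTML delivered to a browser.
JSP_FRAGMENT = re.compile(r"<%--.*?--%>|<%[@!=]?.*?%>", re.DOTALL)

# JSP implicit objects; a fragment naming one is server-side source rather than a
# client-side template (Underscore/EJS reuse the <%= %> delimiters inside <script>).
JSP_IMPLICIT_OBJECTS = ("request", "response", "session", "application",
                        "out", "pageContext", "config", "page", "exception")

def find_jsp_fragments(body):
    """Return (line_number, fragment) for every unrendered JSP construct in body."""
    return [(body.count("\n", 0, m.start()) + 1, m.group(0))
            for m in JSP_FRAGMENT.finditer(body)]

def references_server_objects(fragment):
    """Heuristic: does the fragment use a JSP implicit object?"""
    return any(re.search(rf"\b{obj}\b", fragment) for obj in JSP_IMPLICIT_OBJECTS)

def is_source_disclosure(body):
    """True when the body still carries JSP source: directives, declarations and
    comments are JSP-only; expressions/scriptlets count when they touch a server object."""
    return any(frag.startswith(("<%@", "<%!", "<%--")) or references_server_objects(frag)
               for _, frag in find_jsp_fragments(body))

def fetch_body(url, host):
    """Replay the scanner's request against your own server: GET url with a chosen
    Host header (the report shows 'n0nex1st'); returns (status, body)."""
    req = Request(url, headers={"Host": host, "User-Agent": "jsp-leak-check"})
    with urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode("utf-8", errors="replace")

# Constructed samples: the fragment the scanner reported inside normal HTML, the same
# page once the expression was evaluated, and a client-side template that is not a leak.
SAMPLE_LEAKED = ('<html><body>\n<a href="http://www.facebook.com/share.php'
                 '?u=<%= request.getRequestURL() %>">Share</a>\n</body></html>')
SAMPLE_RENDERED = ('<html><body>\n<a href="http://www.facebook.com/share.php'
                   '?u=http://fundraisingskills.co.uk/news/index.jsp">Share</a>\n</body></html>')
SAMPLE_TEMPLATE = '<script type="text/template"><li><%= name %></li></script>'

if __name__ == "__main__":
    for label, body in (("leaked", SAMPLE_LEAKED), ("rendered", SAMPLE_RENDERED),
                        ("template", SAMPLE_TEMPLATE)):
        print(label, is_source_disclosure(body), find_jsp_fragments(body))
```

A hit on the live page after a recent edit to index.jsp points at a scriptlet that no longer parses (the reply's suggestion), rather than at the WebSphere issue the scanner's signature names.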
