
  • Atoosa Khoda 96 posts 148 karma points
    Mar 27, 2023 @ 01:09
    Atoosa Khoda
    0

    CGI Generic Command Execution (time-based)

    Our recent pen test has revealed a penetration shortfall on the web server we run our Umbraco website on. The description of the error is as below:

    CGI Generic Command Execution (time-based)

    https://www.tenable.com/plugins/nessus/44967

    I'm not sure where to start with this particular security issue, not even sure whether it's code/development related, DB related, website config related, IIS setting related, or the machine itself.

    Any hint from those who have experience is highly appreciated.

    Thanks, Atoosa

  • Huw Reddick 1932 posts 6722 karma points MVP 2x c-trib
    Mar 27, 2023 @ 06:14
    Huw Reddick
    0

    It is web server related, nothing to do with Umbraco. Allowing CGI scripts is an IIS configuration setting.

  • Atoosa Khoda 96 posts 148 karma points
    Mar 27, 2023 @ 06:52
    Atoosa Khoda
    0

    Thanks. I've checked; CGI isn't even enabled on our server. Any other ideas?

  • Huw Reddick 1932 posts 6722 karma points MVP 2x c-trib
    Mar 27, 2023 @ 08:28
    Huw Reddick
    0

    Are you using any custom forms on your Umbraco site?

  • Huw Reddick 1932 posts 6722 karma points MVP 2x c-trib
    Mar 27, 2023 @ 08:29
    Huw Reddick
    0

    It seems https://www.tenable.com/plugins/nessus/43160 says it is based on the response time, which could generate false positives. Are you 100% sure you never build any part of a SQL string yourself?
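
The point above, that a time-based finding rests on nothing but response latency, is exactly why a single slow reply is not proof. As an added example (not from the original thread, and not Umbraco's or Tenable's code), here is a small Python harness for checking whether such a finding is real. It assumes the scanner's probes look like a `; sleep N` or `& ping -n N` suffix on a request parameter (typical shapes for this class of check, not the plugin's exact strings), repeats each probe several times, compares medians rather than single samples, and also sends a control payload of the same shape that should not delay anything. The two "servers" at the bottom are constructed stand-ins that return simulated latencies so the example runs offline; `http_timer` is the wrapper you would use against a real endpoint you are authorised to test.

```python
"""Separate a real time-based command injection from latency jitter.

A time-based scanner check sends a payload that should make a vulnerable
server pause, then compares the response time with a baseline request.
One slow reply is not evidence: GC pauses, cold caches and network jitter
produce the same delay, which is how false positives arise.  The robust
check below repeats both requests, uses medians, and additionally requires
that a control payload of the same shape (but with no delay) does NOT slow
the server.  `send` is any callable that issues one request and returns the
elapsed seconds.
"""
import statistics
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict

TOLERANCE = 0.5  # seconds of slack allowed around the expected sleep


def sleep_payloads(base: str, seconds: int) -> Dict[str, str]:
    """Payload shapes a time-based command-injection probe typically uses.
    Illustrative assumption, not the plugin's exact strings."""
    return {
        "baseline": base,
        "control": f"{base}; echo ok",                      # same shape, no delay
        "unix": f"{base}; sleep {seconds}",                  # POSIX shell
        "windows": f"{base}& ping -n {seconds + 1} 127.0.0.1",  # cmd.exe
    }


def naive_single_shot(send: Callable[[str], float], base: str, seconds: int = 5) -> bool:
    """The one-request-each comparison that yields false positives."""
    baseline = send(base)
    probe = send(f"{base}; sleep {seconds}")
    return probe - baseline >= seconds - TOLERANCE


def median_latency(send: Callable[[str], float], value: str, trials: int) -> float:
    return statistics.median(send(value) for _ in range(trials))


def confirm_time_based(send: Callable[[str], float], base: str,
                       seconds: int = 5, trials: int = 5) -> dict:
    """Verdict dict. 'confirmed' is True only when a sleep payload's median
    latency exceeds BOTH the baseline and the no-delay control by ~seconds."""
    latencies = {name: median_latency(send, value, trials)
                 for name, value in sleep_payloads(base, seconds).items()}
    reference = max(latencies["baseline"], latencies["control"])
    by_payload = {name: latencies[name] - reference >= seconds - TOLERANCE
                  for name in ("unix", "windows")}
    return {"latencies": latencies, "by_payload": by_payload,
            "confirmed": any(by_payload.values())}


def http_timer(url: str, param: str, timeout: float = 30.0) -> Callable[[str], float]:
    """Build a `send` for a real GET endpoint, timing `url?param=value`.
    The timeout must exceed the injected sleep, otherwise a timeout hides it."""
    def send(value: str) -> float:
        full = f"{url}?{urllib.parse.urlencode({param: value})}"
        start = time.perf_counter()
        try:
            urllib.request.urlopen(full, timeout=timeout).read()
        except urllib.error.URLError:
            pass  # an error page still tells us how long the server took
        return time.perf_counter() - start
    return send


class JitterySafeServer:
    """Constructed stand-in for a patched server that answers slowly on every
    4th request (starting with the 2nd): the situation that makes a
    single-shot timing check fire falsely.  Returns simulated seconds."""
    def __init__(self) -> None:
        self.calls = 0

    def __call__(self, value: str) -> float:
        self.calls += 1
        if self.calls % 4 == 2:
            return 6.0
        return 0.12 + 0.01 * (self.calls % 5)


class VulnerableServer:
    """Constructed stand-in that hands the parameter to a POSIX shell, so a
    `; sleep N` suffix really adds N seconds.  Returns simulated seconds."""
    def __init__(self) -> None:
        self.calls = 0

    def __call__(self, value: str) -> float:
        self.calls += 1
        delay = 0.12 + 0.01 * (self.calls % 5)
        if "; sleep " in value:
            delay += int(value.split("; sleep ", 1)[1])
        return delay


if __name__ == "__main__":
    print("naive check on jittery safe server:", naive_single_shot(JitterySafeServer(), "1"))
    print("robust check on jittery safe server:", confirm_time_based(JitterySafeServer(), "1"))
    print("robust check on vulnerable server:", confirm_time_based(VulnerableServer(), "1"))
```

Against the jittery-but-safe stand-in the naive comparison reports an injection while the repeated, median-based check does not; against the vulnerable stand-in only the POSIX `sleep` payload is confirmed, which is also a hint about the target platform. To reproduce a scanner finding for real, point `http_timer` at the exact URL and parameter named in the report and pass the resulting `send` to `confirm_time_based`; if the medians stay flat, the finding is the latency artefact the plugin documentation warns about.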

  • Atoosa Khoda 96 posts 148 karma points
    Mar 27, 2023 @ 09:21
    Atoosa Khoda
    0

    We're using Umbraco Forms. By SQL string do you mean using SQL statements directly inside the application? No, we're using a true Model, View, Controller and LINQ.

  • Huw Reddick 1932 posts 6722 karma points MVP 2x c-trib
    Mar 27, 2023 @ 09:30
    Huw Reddick
    0

    Then it is probably not likely to be an issue and is just a false positive.
