PCI Compliance Failure

[JonSkr]

We are failing trustwave's PCI compliance scan on the following issue

Apache HTTP Server prior to version 2.2.22 contains a vulnerability that could allow an attacker to discover HTTP-only cookies by making a request with an extremely long cookie header field. This could be performed by script running in a victim user's browser.

Byte Length of cookie sent: 8250
Received status code responce: 400
Response body contained: The reflected value of the cookie

Our plesk 11.0.9 (Update #19) server is running Centos 5.8 with Apache 2.2.8

we have tried using the version of apache from the centos repository (http://centos.alt.ru/repository/centos/5/i386/httpd-2.2.23-3.el5.i386.rpm) but due to version dependances this has not been allowed to be installed..

Can you advise how to get this system PCI compliant?

 

[Nikolay.]

Install Apache SNI component packaged by Parallels. IIRC, it has version 2.2.22.

 

[JonSkr]

Install Apache SNI component packaged by Parallels. IIRC, it has version 2.2.22.

I can't seem to find the code i need to do that with a search (unless that is /usr/local/psa/admin/sbin/autoinstaller --select-release-current --upgrade-installed-components which didn't do anything).. can you help with this please.

 

[Nikolay.]

Just launch Autoinstaller in text UI mode (just /usr/local/psa/admin/sbin/autoinstaller) and on a components selection screen find something like 'Apache with SNI support' and select it. Alternatively use something like "--install-component apache-sni".

Edit:

think i may have found something which will sort it here from the control panel:
http://kb.parallels.com/en/111714

Yes, of course you can use web-interface of Autoinstaller to do that as well

 

[JonSkr]

think i may have found something which will sort it here from the control panel:
http://kb.parallels.com/en/111714

 

[JonSkr]

cheers for your help nikolay

 

[Nikolay.]

You're welcome.