One of our clients has recently run into a problem with their scanning company, whereby a pre-existing vulnerability has been upgraded to a serious threat, which is causing Able to fail the PCI-DSS scan. Specifically, the vulnerability is with the ValidateRequest feature of ASP (see here, from 2008).
The scanning company has agreed with our diagnosis; there is no fix for this on a site running .NET 2/3/3.5 on Server 2003. They've therefore explained that they'll listen to the argument: "Our site is not vulnerable because..." And this is where I was hoping for some advice from an Able expert!
Any pointers from anyone? Anyone come across this since the acquiring bank who requested this flaw be upgraded to serious did so in March? The scanning company admits they're talking to a lot of angry customers because of this, so hopefully someone in the Able community has seen this.
