I think that point was badly made by the site; they don't list what they did look at or how they deduced it, only that "it may", even though that same report later says no version string was sent, as if that was a good thing. I guess this means "because you did as expected and did not send a version, we think it may be super old and could be bad but we can't tell".
I did not sign up to get a more detailed report, but from what I could see it was kind of a blunt report sweeping in broad terms, as presented. I'm sure PCI auditors would be glad to spend a lot of your money to look at the version and file a report taking days to write about how it actually seems ok, for now. 8-(

On Wed, 10 Apr 2019 at 09:20, Kihaguru Gathura <[email protected]> wrote:

> Hi,
>
> The message below refers. Has httpd met the particular requirement
> 6.5.1 - 6.5.10 as shown? or is it a matter of further configuration.
>
> "Requirement 6.5
> Fingerprinted versions of web software used on the website may contain
> publicly known vulnerabilities (cf. PCI DSS 6.5.1-6.5.10). Investigate
> as soon as possible.
> Misconfiguration or weakness"
>
> actual report here:
>
> https://www.htbridge.com/websec/?id=cGZfIatq
>
> Thanks,
>
> Kihaguru.
>
>

--
May the most significant bit of your life be positive.

