
On a CentOS LAMP box, a PCI compliance scan is failing on:

Apache Shiro URI Path Security Traversal Information Disclosure http/80

As far as I can tell the server doesn't have Shiro installed, unless it's built in to Apache. I can't find any trace of it from searching the server for shiro and shiro.ini.

What could cause the scanner to believe Shiro is installed and potentially vulnerable? Nothing is exposed in the Server header or the ServerSignature.

ServerBloke

1 Answer

If the report didn't provide the information, request details on exactly what request and response triggered the detection. It's hard to show that it's a false positive without being able to point out exactly what the flaw is in the scanner's detection logic - though it's pretty clear that it is a false positive, since Shiro isn't running.

Most often, this kind of false positive means that the response sent by the web server is not-quite-expected by the scanner - maybe your system is sending a response code of 200 or 30X when the scanner thinks it should send a 404, or maybe something in the content of a custom error document made the scanner think that it had successfully obtained information from traversal.

Shane Madden