This finding is due to a test in which SecurityMetrics appends a tilde (~) to the end of a URL. SecurityMetrics performs this test because some programs automatically generate backups of files and add a suffix such as a tilde to the backup filename. The test expects a compliant website to return a 404 (Page Not Found) error and treats any other response as a saved backup file. However, when the test is run against a site using the "friendly" URL functionality provided by Blackbaud NetCommunity, your website does not return a 404 error; instead it displays the page configured to appear when a friendly URL is entered incorrectly. This behaviour is intended to keep the visitor on your website, and SecurityMetrics is aware of the functionality.
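To confirm that the finding is the friendly-URL fallback page rather than a real backup file, compare the response for the tilde URL with the response for a path that certainly does not exist: a catch-all page answers both requests identically. The following is an added example, not Blackbaud's or SecurityMetrics' code; the `fetch`, `classify` and `triage` helpers and the similarity tolerance are my own assumptions.

```python
"""Triage the SecurityMetrics tilde (~) backup-file finding (added example)."""
import hashlib
import secrets
import urllib.error
import urllib.request
from dataclasses import dataclass


@dataclass
class Resp:
    status: int
    body: bytes


def fetch(url: str) -> Resp:
    """Hypothetical helper: fetch a URL and keep the body even on HTTP errors."""
    try:
        with urllib.request.urlopen(url, timeout=10) as r:
            return Resp(r.status, r.read())
    except urllib.error.HTTPError as e:
        return Resp(e.code, e.read())


def similar(a: Resp, b: Resp, tolerance: float = 0.02) -> bool:
    """Same status and same body, or (assumed heuristic) bodies whose length
    differs by under 2%, which covers fallback pages that echo the requested path."""
    if a.status != b.status:
        return False
    if hashlib.sha256(a.body).digest() == hashlib.sha256(b.body).digest():
        return True
    longest = max(len(a.body), len(b.body), 1)
    return abs(len(a.body) - len(b.body)) / longest <= tolerance


def classify(tilde: Resp, unknown_path: Resp) -> str:
    """Label the scanner's tilde request against a request for a random, nonexistent path."""
    if tilde.status == 404:
        return "compliant-404"          # scanner sees a 404: no finding
    if unknown_path.status != 404 and similar(tilde, unknown_path):
        return "friendly-url-fallback"  # same catch-all page for any typo: false positive
    return "needs-review"               # tilde URL answers differently: inspect it


def triage(url: str) -> str:
    """Live check (constructs its own random path so no real resource is hit)."""
    nonce = secrets.token_hex(8)
    return classify(fetch(url + "~"), fetch(url.rstrip("/") + "/" + nonce))
```

Run `triage("https://your-site.example/page")` against your own site; a `friendly-url-fallback` result is the evidence to quote when you contact SecurityMetrics.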
This is further explained in Helping You Comply with PCI DSS: An Overview of the SecurityMetrics Vulnerability Solution.
If your Blackbaud NetCommunity site is not hosted by Blackbaud, SecurityMetrics requires additional compliance and a statement from you. This is discussed in detail in Helping You Comply with PCI DSS: An Overview of the SecurityMetrics Vulnerability Solution along with a sample statement to provide to SecurityMetrics.
If Blackbaud Hosting Services hosts your Blackbaud NetCommunity database, then Blackbaud has provided a complete and current list of hosted clients who are using IATS as their merchant account provider, including a statement to SecurityMetrics attesting on your behalf about this vulnerability. You may contact SecurityMetrics to further discuss this scan and the progress on the list that we have provided to them.
In either case, FirstData, the processor used by IATS, currently assesses a fine of $19.95 per month for every month an organization is found to be non-compliant. SecurityMetrics cannot refund your fine but will explain the situation to FirstData on your behalf. Please contact SecurityMetrics for further assistance: