The remote host is running CitrusDB, an open-source customer database application written in PHP. CitrusDB uses a textfile to temporarily store credit card information. This textfile is located in the web tree via a static URL and thus accessible to third parties. It also isn't deleted after processing resulting in a big window of opportunity for an attacker. Workaround : Either deny access to the file using access restriction features of the remote webserver or change CitrusDB to use a file outside the document root and not accessible via HTTP.

Update to CitrusDB version 0.3.6 or higher and set the option '$path_to_ccfile' in the configuration to a path not accessible via HTTP.