ProductCart Shopping Cart Software Forums : PCI - Cross-Site Scripting https://forum.productcart.com/ Copyright (c) 2006-2013 Web Wiz Forums - All Rights Reserved. Sat, 11 Apr 2026 00:51:09 +0000 Thu, 31 Jul 2014 12:24:42 +0000 http://blogs.law.harvard.edu/tech/rss Web Wiz Forums 12.04 360 https://forum.productcart.com/RSS_post_feed.asp?TID=5914 <![CDATA[ProductCart Shopping Cart Software Forums]]> https://forum.productcart.com/forum_images/pc_logo_50.png https://forum.productcart.com/ <![CDATA[PCI - Cross-Site Scripting : We&#039;re running 4.5bMs SP 1.The...]]> https://forum.productcart.com/pci-crosssite-scripting_topic5914_post22160.html#22160 Author: steverguy
Subject: 5914
Posted: 31-July-2014 at 12:24pm

We're running 4.5bMs SP 1.

The PCI vendor is Control Scan

We're hoping to upgrade to 5.0 in the next couple of months, but we have a lot of customized code (not on viewcategories.asp) -  so we haven't jumped to 4.7 yet.
]]> Thu, 31 Jul 2014 12:24:42 +0000 https://forum.productcart.com/pci-crosssite-scripting_topic5914_post22160.html#22160 <![CDATA[PCI - Cross-Site Scripting : PCI scans are a total moving target....]]> https://forum.productcart.com/pci-crosssite-scripting_topic5914_post22159.html#22159 Author: Greg Dinger
Subject: 5914
Posted: 31-July-2014 at 12:20pm

PCI scans are a total moving target.  You never know what they are going to scan for next.

What PCI vendor was this please?  And what version are you running?


]]> Thu, 31 Jul 2014 12:20:08 +0000 https://forum.productcart.com/pci-crosssite-scripting_topic5914_post22159.html#22159 <![CDATA[PCI - Cross-Site Scripting : Yeah, I&#039;m not sure why we&#039;ve...]]> https://forum.productcart.com/pci-crosssite-scripting_topic5914_post22158.html#22158 Author: steverguy
Subject: 5914
Posted: 31-July-2014 at 12:17pm

Yeah, I'm not sure why we've passed all this time and are just failing now.   I'll submit a ticket and see what the peeps at NSC say.  Thanks for your quick reply!

Edited by steverguy - 31-July-2014 at 12:18pm]]> Thu, 31 Jul 2014 12:17:45 +0000 https://forum.productcart.com/pci-crosssite-scripting_topic5914_post22158.html#22158 <![CDATA[PCI - Cross-Site Scripting : I believe this is a known issue,...]]> https://forum.productcart.com/pci-crosssite-scripting_topic5914_post22157.html#22157 Author: Greg Dinger
Subject: 5914
Posted: 31-July-2014 at 12:15pm

I believe this is a known issue, that NSC has been able to argue successfully against the veracity of some of these vulnerability claims, and are working on 4.7 SP1 in order to address the remaining concerns.  Cedric may want to respond in greater detail.  I'd like to know what PCI compliance company this came from, and suggest that you do submit it to support.]]> Thu, 31 Jul 2014 12:15:28 +0000 https://forum.productcart.com/pci-crosssite-scripting_topic5914_post22157.html#22157 <![CDATA[PCI - Cross-Site Scripting : I got an PCI failure for Cross-Site...]]> https://forum.productcart.com/pci-crosssite-scripting_topic5914_post22156.html#22156 Author: steverguy
Subject: 5914
Posted: 31-July-2014 at 12:09pm

I got an PCI failure for Cross-Site Scripting vulnerability during our scan yesterday.  It was on viewcategories.asp - a page I haven't done any customization on.

It appears that they (the PCI company) test by adding a small javascript alert funtion to the querystring.  When I test this using the exact url they use, I get a techerr.asp page, and the error gets logged to the database.  The script doesn't get run as far as I can tell (no alert box popped up), but the error that's logged is a type=mismatch.

Is this how ProductCart should respond to such an attack?

I didn't want to submit a support ticket if this is the way it's supposed to work.

Thanks!


]]> Thu, 31 Jul 2014 12:09:35 +0000 https://forum.productcart.com/pci-crosssite-scripting_topic5914_post22156.html#22156