ProductCart E-Commerce Solutions Homepage

PCI - Cross-Site Scripting

steverguy (Groupie; joined 05-April-2006; United States)
Posted: 31-July-2014 at 12:09pm
I got a PCI failure for a Cross-Site Scripting vulnerability during our scan yesterday. It was on viewcategories.asp, a page I haven't done any customization on.

It appears that they (the PCI company) test by adding a small JavaScript alert function to the querystring. When I test this using the exact URL they use, I get a techerr.asp page, and the error gets logged to the database. The script doesn't get run as far as I can tell (no alert box popped up), but the error that's logged is a type=mismatch.

Is this how ProductCart should respond to such an attack?

I didn't want to submit a support ticket if this is the way it's supposed to work.

Thanks!


"Remember, 72.5% of all statistics are made up."
Greg Dinger (Certified ProductCart Developers; joined 23-September-2006; United States)
Posted: 31-July-2014 at 12:15pm
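The behaviour described in the post (a script tag in a numeric querystring parameter ending in a type-mismatch error) is a side effect of an implicit numeric conversion rather than a deliberate check. The Python below is an added example, not ProductCart's ASP code, contrasting that accidental rejection with an explicit allow-list check plus HTML-encoding of anything echoed on the error page; the parameter name `idcategory` and both sample query strings are constructed for the example.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed sample query strings for this example (not from the post):
# a normal request and one carrying a scanner-style script tag.
NORMAL_QUERY = "idcategory=12"
SCANNER_QUERY = "idcategory=12<script>alert(1)</script>"

ID_RE = re.compile(r"^[0-9]{1,9}$")  # a category id is a short positive integer


def param(query: str, name: str = "idcategory") -> str:
    """Return the single value of a querystring parameter ('' if absent)."""
    values = parse_qs(query, keep_blank_values=True).get(name, [""])
    return values[0] if len(values) == 1 else ""


def legacy_rejects(query: str) -> bool:
    """Mimic an implicit numeric conversion (the analogue of the
    'type mismatch' the scan produced): int() raises on the tag.
    The rejection is a side effect of the conversion, not a check."""
    try:
        int(param(query))
        return False
    except ValueError:
        return True


def parse_category_id(query: str):
    """Explicit allow-list validation: int on success, None otherwise."""
    raw = param(query)
    return int(raw) if ID_RE.match(raw) else None


def render_category_page(query: str) -> str:
    """Render the category page or an error page. The rejected value is
    HTML-encoded before it is echoed, so it can never become markup."""
    cid = parse_category_id(query)
    if cid is None:
        return f"<p>Invalid category: {html.escape(param(query), quote=True)}</p>"
    return f"<h1>Category {cid}</h1>"


def reflected_unescaped(query: str, page: str) -> bool:
    """Self-check to run against any error page: is the raw parameter
    value (containing '<') present verbatim in the output?"""
    raw = param(query)
    return "<" in raw and raw in page
```

The last function is the check worth running against the real error page (techerr.asp here): a type-mismatch error only helps if the offending value is not reflected unencoded anywhere in that page.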
I believe this is a known issue, that NSC has been able to argue successfully against the veracity of some of these vulnerability claims, and is working on 4.7 SP1 in order to address the remaining concerns. Cedric may want to respond in greater detail. I'd like to know what PCI compliance company this came from, and suggest that you do submit it to support.
steverguy (Groupie; joined 05-April-2006; United States)
Posted: 31-July-2014 at 12:17pm
Yeah, I'm not sure why we've passed all this time and are just failing now. I'll submit a ticket and see what the peeps at NSC say. Thanks for your quick reply!

Edited by steverguy - 31-July-2014 at 12:18pm
"Remember, 72.5% of all statistics are made up."
Greg Dinger (Certified ProductCart Developers; joined 23-September-2006; United States)
Posted: 31-July-2014 at 12:20pm

PCI scans are a total moving target. You never know what they are going to scan for next.

What PCI vendor was this please? And what version are you running?

steverguy (Groupie; joined 05-April-2006; United States)
Posted: 31-July-2014 at 12:24pm
We're running 4.5bMs SP 1.

The PCI vendor is Control Scan.

We're hoping to upgrade to 5.0 in the next couple of months, but we have a lot of customized code (not on viewcategories.asp), so we haven't jumped to 4.7 yet.
"Remember, 72.5% of all statistics are made up."