ProductCart E-Commerce Solutions Homepage
Forum Home Forum Home > ProductCart > Using ProductCart
  New Posts New Posts RSS Feed - PCI - Cross-Site Scripting
  FAQ FAQ  Forum Search   Events   Register Register  Login Login

PCI - Cross-Site Scripting

 Post Reply Post Reply
Author
Message
steverguy View Drop Down
Groupie
Groupie


Joined: 05-April-2006
Location: United States
Status: Offline
Points: 44
Post Options Post Options   Thanks (0) Thanks(0)   Quote steverguy Quote  Post ReplyReply Direct Link To This Post Topic: PCI - Cross-Site Scripting
    Posted: 31-July-2014 at 12:09pm
I got an PCI failure for Cross-Site Scripting vulnerability during our scan yesterday.  It was on viewcategories.asp - a page I haven't done any customization on.

It appears that they (the PCI company) test by adding a small javascript alert funtion to the querystring.  When I test this using the exact url they use, I get a techerr.asp page, and the error gets logged to the database.  The script doesn't get run as far as I can tell (no alert box popped up), but the error that's logged is a type=mismatch.

Is this how ProductCart should respond to such an attack?

I didn't want to submit a support ticket if this is the way it's supposed to work.

Thanks!


"Remember, 72.5% of all statistics are made up."
Back to Top
Greg Dinger View Drop Down
Certified ProductCart Developers
Certified ProductCart Developers
Avatar

Joined: 23-September-2006
Location: United States
Status: Offline
Points: 238
Post Options Post Options   Thanks (1) Thanks(1)   Quote Greg Dinger Quote  Post ReplyReply Direct Link To This Post Posted: 31-July-2014 at 12:15pm
I believe this is a known issue, that NSC has been able to argue successfully against the veracity of some of these vulnerability claims, and are working on 4.7 SP1 in order to address the remaining concerns.  Cedric may want to respond in greater detail.  I'd like to know what PCI compliance company this came from, and suggest that you do submit it to support.
Back to Top
steverguy View Drop Down
Groupie
Groupie


Joined: 05-April-2006
Location: United States
Status: Offline
Points: 44
Post Options Post Options   Thanks (0) Thanks(0)   Quote steverguy Quote  Post ReplyReply Direct Link To This Post Posted: 31-July-2014 at 12:17pm
Yeah, I'm not sure why we've passed all this time and are just failing now.   I'll submit a ticket and see what the peeps at NSC say.  Thanks for your quick reply!

Edited by steverguy - 31-July-2014 at 12:18pm
"Remember, 72.5% of all statistics are made up."
Back to Top
Greg Dinger View Drop Down
Certified ProductCart Developers
Certified ProductCart Developers
Avatar

Joined: 23-September-2006
Location: United States
Status: Offline
Points: 238
Post Options Post Options   Thanks (0) Thanks(0)   Quote Greg Dinger Quote  Post ReplyReply Direct Link To This Post Posted: 31-July-2014 at 12:20pm

PCI scans are a total moving target.  You never know what they are going to scan for next.

What PCI vendor was this please?  And what version are you running?


Back to Top
steverguy View Drop Down
Groupie
Groupie


Joined: 05-April-2006
Location: United States
Status: Offline
Points: 44
Post Options Post Options   Thanks (0) Thanks(0)   Quote steverguy Quote  Post ReplyReply Direct Link To This Post Posted: 31-July-2014 at 12:24pm
We're running 4.5bMs SP 1.

The PCI vendor is Control Scan

We're hoping to upgrade to 5.0 in the next couple of months, but we have a lot of customized code (not on viewcategories.asp) -  so we haven't jumped to 4.7 yet.
"Remember, 72.5% of all statistics are made up."
Back to Top
 Post Reply Post Reply
  Share Topic   

Forum Jump Forum Permissions View Drop Down

Forum Software by Web Wiz Forums® version 12.04
Copyright ©2001-2021 Web Wiz Ltd.

This page was generated in 0.094 seconds.