Security Questions on v4.7

Message Topic Search Topic Options Post Reply Create New Topic Printable Version Translate Topic

   I was recently contacted by a client that uses your system and has another party that regularly does Nessus vulnerability scans on their network/systems. This week then sent me some information and I verified that it was indeed valid -on their site. I was unable to reproduce the same result on your demo site which raises a few questions .  They said they are running a fully patched system and it is the latest version, but without access to their actual system I can not verify that for a fact yet. I'm hoping to get access to their system here shortly as well as the server it resides on.
The first issue that was detected was a SQL Injection/information disclosure vulnerability in the opc_OrderVerify.asp, and when I followed the steps in the report, I was indeed able to reproduce and get the results in the report. it dumped out a debug of the following (not posting the "how", just the results):

 SELECT payTypes.paymentDesc,
  customCardTypes.idcustomCardType FROM payTypes INNER JOIN customCardTypes ON
  payTypes.paymentDesc = customCardTypes.customCardDesc WHERE
  (((payTypes.idPayment)=123 or));

The second item was a XSS vulnerability in  the same file as well as the msgb.asp file (I won't post the details here either - you can msg me for that). 

I'm not an expert on ProductCart by any means - just security with a background in classic asp. What I would like to know is, is it possible there is a debug feature that needs to be turned off somewhere in one of the asp files (which I didn't see in the demo admin screens) and how could their site have a XSS vulnerability and the demo site not show the same behavior if they are running the same version? Server script/security settings possibly? Can you tell me anything else that might affect their system and make it act differently than your demo? Thanks in advance! 