
PCI - Cross-Site Scripting

Printed From: ProductCart E-Commerce Solutions
Category: ProductCart
Forum Name: Using ProductCart
Forum Description: Running your store with ProductCart
URL: https://forum.productcart.com/forum_posts.asp?TID=5914
Printed Date: 27-September-2024 at 11:14pm
Software Version: Web Wiz Forums 12.04 - http://www.webwizforums.com


Topic: PCI - Cross-Site Scripting
Posted By: steverguy
Subject: PCI - Cross-Site Scripting
Date Posted: 31-July-2014 at 12:09pm
I got a PCI failure for a Cross-Site Scripting vulnerability during our scan yesterday. It was on viewcategories.asp - a page I haven't done any customization on.

It appears that they (the PCI company) test by adding a small javascript alert function to the querystring. When I test this using the exact url they use, I get a techerr.asp page, and the error gets logged to the database. The script doesn't get run as far as I can tell (no alert box popped up), but the error that's logged is a type=mismatch.

Is this how ProductCart should respond to such an attack?

I didn't want to submit a support ticket if this is the way it's supposed to work.

Thanks!




-------------
"Remember, 72.5% of all statistics are made up."
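One way to triage a finding like the one described above, as an added example that is not ProductCart's code and not what the scanner itself runs: it builds the probe URL with a harmless marker instead of a script, then classifies the response as an error page, a raw (unencoded) reflection, an HTML-encoded reflection, or no reflection at all; only a raw reflection supports the scanner's XSS claim. The parameter name `id`, the `store.example` host and the `techerr.asp` error signature are assumptions.

```python
import html
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

# Constructed probe value. It contains '<' and '>' so a raw reflection can be
# told apart from an HTML-encoded one, but it is plain text, not a script.
PROBE = "<pcxprobe7734>"

def build_probe_url(url: str, param: str, probe: str = PROBE) -> str:
    """Return `url` with query parameter `param` set to the probe (others kept)."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query[param] = probe
    return urlunsplit(parts._replace(query=urlencode(query)))

def _encoded_forms(probe: str) -> list[str]:
    """HTML-encoded spellings of the probe that a correctly escaping page emits."""
    named = html.escape(probe, quote=False)                      # &lt; ... &gt;
    decimal = probe.replace("<", "&#60;").replace(">", "&#62;")  # numeric
    hexa = probe.replace("<", "&#x3c;").replace(">", "&#x3e;")   # hex numeric
    return [named, decimal, hexa]

def classify_response(status: int, body: str, probe: str = PROBE,
                      error_signature: str = "techerr.asp") -> str:
    """Classify how the page answered a request whose query carried the probe.

    'error-page'        request rejected (HTTP 5xx or the assumed error signature)
    'reflected-raw'     probe echoed verbatim: the only verdict that supports XSS
    'reflected-encoded' probe echoed HTML-encoded: harmless reflection
    'not-reflected'     probe absent from the response
    """
    if status >= 500 or error_signature in body:
        return "error-page"
    if probe in body:
        return "reflected-raw"
    lowered = body.lower()
    if any(form.lower() in lowered for form in _encoded_forms(probe)):
        return "reflected-encoded"
    return "not-reflected"

# Constructed sample responses standing in for what a store might return.
SAMPLES = {
    "type-mismatch-error": (200, "<html><body>An error occurred (techerr.asp)</body></html>"),
    "safe-encoding": (200, "<p>Category &lt;pcxprobe7734&gt; not found</p>"),
    "raw-reflection": (200, "<p>Category <pcxprobe7734> not found</p>"),
    "ignored": (200, "<p>Showing all categories</p>"),
}

def triage_samples() -> dict[str, str]:
    """Run the classifier over every constructed sample; returns name -> verdict."""
    return {name: classify_response(s, b) for name, (s, b) in SAMPLES.items()}

if __name__ == "__main__":
    print(build_probe_url("https://store.example/viewcategories.asp?id=1", "id"))
    for name, verdict in triage_samples().items():
        print(f"{name:22} -> {verdict}")
```

An error page with a logged type mismatch, as in the post above, falls into the first bucket: the value never reached the HTML, so the server's own response is the evidence to hand the scan vendor.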



Replies:
Posted By: Greg Dinger
Date Posted: 31-July-2014 at 12:15pm
I believe this is a known issue: NSC has been able to argue successfully against the veracity of some of these vulnerability claims, and they are working on 4.7 SP1 in order to address the remaining concerns. Cedric may want to respond in greater detail. I'd like to know what PCI compliance company this came from, and suggest that you do submit it to support.

-------------
GreyBeard Design Group

Certified ProductCart Developer

Web Design/Development/Hosting

Add-Ons & Custom Code: http://tinyurl.com/5c8t4t


Posted By: steverguy
Date Posted: 31-July-2014 at 12:17pm
Yeah, I'm not sure why we've passed all this time and are just failing now.   I'll submit a ticket and see what the peeps at NSC say.  Thanks for your quick reply!

-------------
"Remember, 72.5% of all statistics are made up."


Posted By: Greg Dinger
Date Posted: 31-July-2014 at 12:20pm

PCI scans are a total moving target.  You never know what they are going to scan for next.

What PCI vendor was this please?  And what version are you running?




-------------
GreyBeard Design Group

Certified ProductCart Developer

Web Design/Development/Hosting

Add-Ons & Custom Code: http://tinyurl.com/5c8t4t


Posted By: steverguy
Date Posted: 31-July-2014 at 12:24pm
We're running 4.5bMs SP 1.

The PCI vendor is Control Scan.

We're hoping to upgrade to 5.0 in the next couple of months, but we have a lot of customized code (not on viewcategories.asp) -  so we haven't jumped to 4.7 yet.


-------------
"Remember, 72.5% of all statistics are made up."


