BV Commerce 5 Technical Questions: Contact Us page and Cross-site scripting
Bryan | Enterprise Member | Date Joined Jan 2005 | Total Posts: 778 | Posted 7/28/2010 11:54 AM (GMT -4)

I'm not exactly sure about that page itself, but BV5 SP7 is PCI compliant. You should look into updating to that version.
Kaye | Registered Member | Date Joined Apr 2010 | Total Posts: 3 | Posted 7/28/2010 1:05 PM (GMT -4)

Unfortunately we inherited this site and it has been highly customized - probably over 65%, so it is not possible to upgrade. Any suggestions on how to make this page in this version safe against cross-site scripting? Any suggestions would be helpful.
Kay | Registered Member | Date Joined Jan 2010 | Total Posts: 5 | Posted 7/29/2010 1:12 PM (GMT -4)

None of the backoffice has been customized so the policy pages are intact. The PCI compliance scan is sending <script> tags to the form fields for the test. If we uncheckmark the enable contact form to remove the user input fields, the site passes the scan, so it is only the user input fields on this form that are not passing the scan. We are receiving the following error:

> This is a generic warning based on a test that indicates that your web
> application may not validate user-provided input, such as that
> provided by a form. Review your web application to ensure that user
> data is checked on the server side of the application (NOT in the web
> browser) for proper length and character content. It is recommended
> that a white-list of acceptable characters be used, with all other
> characters being HTML encoded prior to being sent in response to the client.
> Review the "Cross-Site scripting", "Data Validation", and "Review Code
> for Cross-site scripting" pages on OWASP.org (see the reference links
> in this finding).
We see no way in this form to determine field length or character content. Has this been changed in a later version and is this version of BV open to XSS attacks for this form? Any suggestions on how to correct this would be helpful.
Kay | Registered Member | Date Joined Jan 2010 | Total Posts: 5 | Posted 7/30/2010 1:12 PM (GMT -4)

They are stating that this page (Contact Us with the form fields) is vulnerable to XSS attacks and cannot be disputed. Is this version of BV supposed to be protecting against XSS attacks? Here is what they are testing. Any suggestions would be helpful. Thanks.

Cross-Site scripting (XSS)

Cross-site scripting is a term used to describe problems which arise when maliciously crafted user data causes a web application to redirect an unsuspecting web browser to an undesired site. It was possible to send strings with special HTML characters ( < > " ' ) to your web application, and see them rendered in the response. Since these characters were not encoded by the web application, it may be possible to inject HTML scripting code into the rendered page. The injections can occur in your HTML body, Title, scripting, or even commented out portions of the document.

Note: Due to the potential negative impact on this web server's resources that could result from attacking a large number of cross-site scripting attack vectors, TrustKeeper abandons this test after it has found at least three instances where user input is not being properly sanitized. Therefore, it is possible that the reported findings associated with this vulnerability are only a subset of all possible attack vectors.

Note: All Cross-Site scripting vulnerabilities are considered noncompliant by PCI.

Service: (80) Microsoft-IIS/6.0

Evidence:
• HTTP Request Mode: GET
• HTTP Status Code: 200
• Test Input String: %3Cscript%20%3Ealert%28%27test %27%29%3B%3C%2Fscript%20%3E
• Search Pattern: <script >alert('test');</script >
• Pattern Match: <script >alert('test');</script >
• Vulnerable Parameter: policyid
• Vulnerable Parameter: linktext
• Vulnerable Parameter: columnname

• HTTP Request Mode: GET
• HTTP Status Code: 200
• Test Input String: %22%3E%27%3E%3CIfRaME%3E
• Search Pattern: (?i)">'><IfRaME>
• Pattern Match: ">'><IfRaME>
• Vulnerable Parameter: policyid
• Vulnerable Parameter: linktext
• Vulnerable Parameter: columnname
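The fix the scan report asks for (server-side whitelist validation of length and character content, then HTML encoding of anything echoed back to the client) is worked through below as an added example; it is not code from this thread or from BV Commerce. It is written in Python so it runs stand-alone: the two test inputs and the two search patterns are the ones quoted in the finding above (one stray space inside the first test string, an extraction artefact, is dropped), while the per-field whitelist rules and the `<input>` markup are assumptions made for the example. The three functions show the reported behaviour (raw reflection), encoding alone, and validation plus encoding, and `scanner_matches` replays the scanner's pattern check against each output. In ASP.NET the encoding step corresponds to `HttpUtility.HtmlEncode` / `Server.HtmlEncode`; check what your framework version does with the apostrophe, since older versions leave it unencoded and the scanner's list includes it.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample data: the scanner's two URL-encoded test inputs and the
# search patterns it applies to the response, as quoted in the finding.
SCAN_INPUTS = [
    "%3Cscript%20%3Ealert%28%27test%27%29%3B%3C%2Fscript%20%3E",
    "%22%3E%27%3E%3CIfRaME%3E",
]
SEARCH_PATTERNS = [
    re.compile(r"<script >alert\('test'\);</script >"),
    re.compile(r'''(?i)">'><IfRaME>'''),
]

# Hypothetical per-field whitelists for the three parameters the report names.
# These rules are an assumption for this example, not BV Commerce's own.
FIELD_RULES = {
    "policyid":   re.compile(r"[0-9]{1,9}"),
    "linktext":   re.compile(r"[A-Za-z0-9 .,'&-]{1,80}"),
    "columnname": re.compile(r"[A-Za-z0-9_]{1,40}"),
}


def validate(field, value):
    """Server-side whitelist check: True only if the entire value matches the
    field's allowed character set and length."""
    rule = FIELD_RULES[field]   # an unknown field name is a programming error
    return rule.fullmatch(value) is not None


def reflect_unsafe(field, encoded_value):
    """The behaviour the scan flags: the parameter is decoded and written
    straight back into the page, so the test string reaches the browser as-is."""
    value = unquote(encoded_value)
    return f'<input name="{field}" value="{value}">'


def reflect_encoded(field, encoded_value):
    """Encoding alone: every < > & " ' in the echoed value becomes an entity, so
    the scanner's pattern can no longer appear literally in the response."""
    value = unquote(encoded_value)
    return f'<input name="{field}" value="{html.escape(value, quote=True)}">'


def handle_request(field, encoded_value):
    """Validation plus encoding: reject anything outside the whitelist, and
    still encode accepted values (linktext permits & and ', which must be
    encoded inside an attribute)."""
    value = unquote(encoded_value)
    if not validate(field, value):
        # Do not echo the offending input; the field name comes from our own
        # FIELD_RULES keys, never from the request.
        return f'<p class="error">Invalid value for {field}.</p>'
    return f'<input name="{field}" value="{html.escape(value, quote=True)}">'


def scanner_matches(response_fragment):
    """Replay the scanner's check: does any search pattern occur in the output?"""
    return any(p.search(response_fragment) for p in SEARCH_PATTERNS)


if __name__ == "__main__":
    for encoded in SCAN_INPUTS:
        for field in FIELD_RULES:
            verdicts = [
                "FLAGGED" if scanner_matches(fn(field, encoded)) else "clean"
                for fn in (reflect_unsafe, reflect_encoded, handle_request)
            ]
            print(f"{field:10} raw: {verdicts[0]:7} encoded: {verdicts[1]:7} "
                  f"validated+encoded: {verdicts[2]}")
```

Running it prints a FLAGGED verdict for the raw reflection of every parameter and a clean one for the other two paths. The whitelist is what answers the report's "length and character content" requirement; the encoding step is kept even for values that pass, because a whitelist that is useful for free text will always admit some characters that are special in HTML.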