  1. #1
    Join Date
    Jun 2012
    Posts
    8
    Plugin Contributions
    0

    PCI scan - "allows cross site scripting"

    I'm new to Zen Cart and about to launch a new webstore using version 1.3.9h. After undergoing a PCI compliance scan, I'm having problems solving the following vulnerability:

    Description: Web server allows cross-site scripting Severity: Area of Concern Impact: A malicious web site could cause arbitrary commands to run on a client through a specially crafted link to the vulnerable server. In some cases, this could result in the compromise of the client's cookies, leading to unauthorized access to web applications.

    The scan results suggested creating a custom 404 page which I did via the 'Define Pages Editor' and adding

    # Specify 404 Error page
    ErrorDocument 404 /PAGE_NOT_FOUND

    to the .htaccess file.

    This didn't resolve it. Any help would be greatly appreciated!

  2. #2
    Join Date
    Jan 2004
    Posts
    66,364
    Blog Entries
    7
    Plugin Contributions
    274

    Re: PCI scan - "allows cross site scripting"

    The ErrorDocument directive you posted will definitely not work.

    Need to know the full details about the alleged cross-site-scripting vulnerability. The generic description you posted doesn't help with finding any correct resolution.

    And the generic suggestion of a custom 404 page is just a bandage, and almost certainly wouldn't fix the real issue. But, without complete details of the alleged problem, we can't offer you any real fixes either.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #3
    Join Date
    Jun 2012
    Posts
    8
    Plugin Contributions
    0

    Re: PCI scan - "allows cross site scripting"

    I just received the below details and also forgot to add that I use the CEON URI Mapping plugin. I can provide my website if it is really needed.

    The following pages are the ones that the cross site scripting issues were flagged on

    /Shelving_Brackets_Hooks/Hooks/Hook_Eyes

    /forum_members.asp?

    /modules.php?letter=

    /modules.php?op=modload&name=FAQ&file=index&myfaq=yes&id _cat=1&categories=

    /myphpnuke/links.php?op=MostPopular&ratenum=

    /phpimageview.php?pic=

    /index.php

    Cross-site scripting is exiting out of the host's script by bypassing the HTML exit and inserting one's own HTML script with its own exit or end tag. Cross-site scripting occurs because of the failure to sanitize against special characters. This enables a hacker to insert their own strings of HTML.

    Solution: Sanitize all user input fields and sanitize against curl to not allow tags or special characters, i.e. <>()

    If the site sanitizes for these characters, that means that it will ignore them and not allow cross-site scripting to happen. Contact Vendor.

    Let's consider sanitization.

    Examples of Unacceptable Sanitization
    If you turn the HTML character into the characters on the right, this is not true sanitization.

    '  ->  %27
    "  ->  %22
    %  ->  %25
    &  ->  %26
    (  ->  %28
    )  ->  %29
    /  ->  %2F
    =  ->  %3D
    <  ->  %3C
    >  ->  %3E

    Examples of Acceptable Sanitization
    If you turn the HTML character into the characters on the right, this is true sanitization.

    '  ->  &#39
    "  ->  &#34
    %  ->  &#37
    &  ->  &#38
    (  ->  &#40
    )  ->  &#41
    /  ->  &#47
    =  ->  &#61
    <  ->  &#60
    >  ->  &#62
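    The two tables in the scan report draw a distinction that is easy to miss: percent-encoding (the "unacceptable" column) is the correct encoding for placing a value inside a URL, but it is not output encoding for an HTML context, because the server decodes %3C back to "<" on the next request. Numeric entities (the "acceptable" column) are applied at the moment a value is written into the page, and the browser renders them as literal text. The following PHP is an added example written for this thread, not code from Zen Cart or the CEON URI Mapping plugin; the function names are my own, and only the character list comes from the scan report. It encodes a constructed sample parameter three ways so the difference is visible side by side.

```php
<?php
// Added example, not Zen Cart or CEON URI Mapping code. The function names
// are assumptions; the character set is the one listed in the scan report.
declare(strict_types=1);

/**
 * "Unacceptable" per the scan: percent-encoding. Correct for building a URL,
 * but the web server decodes it again on the next request, so any code that
 * echoes the decoded value into HTML is still unprotected.
 */
function url_encode_only(string $value): string
{
    return rawurlencode($value);
}

/**
 * "Acceptable" per the scan: replace each listed character with its numeric
 * HTML entity right before the value is written into the page. The browser
 * shows the entity as text and never treats it as a tag or attribute delimiter.
 * Characters not in the table pass through unchanged.
 */
function html_entity_encode_special(string $value): string
{
    static $map = [
        "'" => '&#39;',
        '"' => '&#34;',
        '%' => '&#37;',
        '&' => '&#38;',
        '(' => '&#40;',
        ')' => '&#41;',
        '/' => '&#47;',
        '=' => '&#61;',
        '<' => '&#60;',
        '>' => '&#62;',
    ];
    // strtr() replaces every key in a single pass over the input, so the '&'
    // that each entity introduces is never itself re-encoded.
    return strtr($value, $map);
}

/**
 * The built-in most PHP code would use for the same job: htmlspecialchars()
 * with ENT_QUOTES emits &lt; &gt; &amp; &quot; and &#039; for the
 * markup-significant characters. Same idea as the table above, with named
 * rather than numeric entities for some characters.
 */
function html_encode_builtin(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample value: a category name as it might arrive in a request
// parameter, containing every character the report lists.
$param = 'Hooks & Eyes <b>50% off</b> (size="2/3")';

echo "URL-encoded (not HTML-safe):     " . url_encode_only($param) . PHP_EOL;
echo "Numeric entities (scan's table): " . html_entity_encode_special($param) . PHP_EOL;
echo "htmlspecialchars():              " . html_encode_builtin($param) . PHP_EOL;

// Only the entity-encoded forms are safe to drop straight into HTML output.
printf('<span class="category-name">%s</span>%s',
    html_entity_encode_special($param), PHP_EOL);
```

    The encoding has to happen where the value is written into HTML (the template or page output), not where the URI mapping plugin rewrites the path; encoding it earlier and storing the result produces double-encoded text when the template encodes it again. Note also that this addresses only the two Zen Cart paths in the report; the other entries are for applications that are not part of the store.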

  4. #4
    Join Date
    Jan 2004
    Posts
    66,364
    Blog Entries
    7
    Plugin Contributions
    274

    Re: PCI scan - "allows cross site scripting"

    Originally Posted by Amyne:
    /forum_members.asp?

    /modules.php?letter=

    /modules.php?op=modload&name=FAQ&file=index&myfaq=yes&id _cat=1&categories=

    /myphpnuke/links.php?op=MostPopular&ratenum=

    /phpimageview.php?pic=
    None of those have anything to do with Zen Cart.

    Can't comment on the other two without seeing the specific proof-of-concept (what they sent and what they got back).

    Also, turn off the URI Mapping addon temporarily and test again.

  5. #5
    Join Date
    Apr 2006
    Location
    West Salem, IL
    Posts
    2,739
    Plugin Contributions
    0

    Re: PCI scan - "allows cross site scripting"

    Have the host check the mod_security logs. Sometimes these get through as false positives because what the scanner sends one time is dealt with by mod_security before the cart sees it, and other times it doesn't trip mod_security and the cart sanitizes it and sends them to the page-not-found page. It's the difference in response headers that gives them a fit. What I have done to get around that problem is whitelist the particular rule in mod_sec they trip over so that the cart gets all of the requests, sanitizes them, and they get consistent response headers.
    Mike
    GeekHost - Zen Cart Certified & PCI Compliant Hosting
    The Zen Cart Forum...Better than a monitor covered with post-it notes!

  6. #6
    Join Date
    Jun 2012
    Posts
    8
    Plugin Contributions
    0

    Re: PCI scan - "allows cross site scripting"

    Thanks for your help Dr. Byte & Barco57.
    After running another scan, it appears that the SEO plug-in was causing part of the problem and I'll have to deal with the others via my web host.

    I would really like to use static URLs and thus try to apply the recommended sanitization format. So, does anyone know how I can use this in CEON URI Mapping? (Or should I post in the CEON Mapping thread?)

    '  ->  &#39
    "  ->  &#34
    %  ->  &#37
    &  ->  &#38
    (  ->  &#40
    )  ->  &#41
    /  ->  &#47
    =  ->  &#61
    <  ->  &#60
    >  ->  &#62

    Any help would be appreciated.

  7. #7
    Join Date
    Jan 2004
    Posts
    66,364
    Blog Entries
    7
    Plugin Contributions
    274

    Re: PCI scan - "allows cross site scripting"

    If you are having problems with a particular addon, yes you should be posting specific details to that addon's support thread. Be sure to explain the symptoms and logic which brought you to your present conclusion.
