Thread: PCI Scan Fail

#1 PCI Scan Fail

    Hi All,
    Running ZC 1.5.5e on PHP 7.

    I have just completed the first PCI scan since upgrading from 1.5.1, and I have a scan fail message:
    Integer based SQL injection vulnerability in search_in_description parameter to /index.php?main_page=advanced_search_result

    I haven't been able to find a solution for this in the ZC forum anywhere, and I also cannot find a list of patches. Any help is greatly appreciated.

    Thank you,
    John

#2 Re: PCI Scan Fail

    I wonder if they're giving a false positive because the actual searched keywords (granted, after being sanitized) are output to the screen in the breadcrumbs?

    Can you post the actual proof-of-problem details?
    It's really hard to support without the details of what they say the actual test is and the results proving that there is an alleged vulnerability.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
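As an added illustration of the distinction raised above (not code from Zen Cart or from this thread), the script below contrasts the two things a scanner can observe: the searched term being echoed back in a breadcrumb, which a reflection heuristic can flag even when the input was sanitized, versus the `search_in_description` value actually being evaluated as SQL arithmetic, which is what an "integer based SQL injection" finding should mean. The catalogue table, both search handlers, the breadcrumb and the `1` / `2-1` / `2-2` differential probe are all constructed here as assumptions; the probe is a reconstruction of the usual boolean/arithmetic technique, not any scanning vendor's exact request.

```python
import html
import sqlite3

# Constructed sample catalogue; the table layout is an assumption, not Zen Cart's schema.
PRODUCTS = [
    (1, "Blue Widget", "A widget that is blue"),
    (2, "Red Widget", "A widget that is red"),
    (3, "Green Gadget", "A gadget, not a widget"),
]


def make_db():
    """In-memory SQLite stand-in for the store database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, description TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn


def search_vulnerable(conn, keyword, search_in_description):
    """Hypothetical handler: the checkbox value is pasted into the SQL text,
    so '2-1' or '1 OR 1=1' is evaluated by the database engine."""
    sql = (
        "SELECT name FROM products WHERE name LIKE ? "
        "OR (" + str(search_in_description) + " = 1 AND description LIKE ?) "
        "ORDER BY id"
    )
    like = "%" + keyword + "%"
    return [row[0] for row in conn.execute(sql, (like, like))]


def search_hardened(conn, keyword, search_in_description):
    """Same query with the flag coerced to 0/1 before it is bound as a parameter.
    Anything that is not exactly the integer 1 (including '2-1') becomes 0."""
    try:
        flag = 1 if int(search_in_description) == 1 else 0
    except (TypeError, ValueError):
        flag = 0
    sql = (
        "SELECT name FROM products WHERE name LIKE ? "
        "OR (? = 1 AND description LIKE ?) ORDER BY id"
    )
    like = "%" + keyword + "%"
    return [row[0] for row in conn.execute(sql, (like, flag, like))]


def breadcrumb(keyword):
    """Hypothetical breadcrumb that echoes the HTML-escaped search term.
    Seeing the probe string here proves nothing about SQL execution."""
    return "Home :: Search results for " + html.escape(keyword)


def probe_integer_sqli(search_fn, conn, keyword="widget"):
    """Arithmetic differential of the kind used for 'integer based' findings
    (my reconstruction, not any vendor's exact probe). If param=2-1 behaves
    like param=1 while param=2-2 does not, the value was evaluated as SQL
    arithmetic rather than treated as opaque input."""
    baseline = search_fn(conn, keyword, "1")
    true_probe = search_fn(conn, keyword, "2-1")
    false_probe = search_fn(conn, keyword, "2-2")
    return true_probe == baseline and false_probe != baseline


if __name__ == "__main__":
    db = make_db()
    for label, fn in (("vulnerable", search_vulnerable), ("hardened", search_hardened)):
        print(label, "evaluates arithmetic:", probe_integer_sqli(fn, db))
    # Both handlers would reflect the probe in the breadcrumb; only one executes it.
    print("probe reflected in breadcrumb:", "2-1" in breadcrumb("2-1"))
```

Reflection is identical for both handlers, so a report that cites only the echoed term is not evidence of injection; the differential is what separates a real finding from noise. One caveat when porting the cast to PHP: `(int)'1abc'` is 1 there, whereas Python's `int()` rejects it, but in both languages `'2-1'` never reaches the database as arithmetic once the value is coerced and bound.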

#3 Re: PCI Scan Fail

    That's all I have available. As I've hopefully resolved another issue, I ran a new scan, and that finding didn't appear the second time. Not sure why their system wouldn't have tested for it the second time.

    Thanks for getting back to me so quickly.

    John

#4 Re: PCI Scan Fail

    Well, that must have been a false positive, because I've had to run the scan two more times and it didn't reappear in either of them.

    Still looking for that thread of patches though...

    Thanks again,
    John

#5 Re: PCI Scan Fail

    Quote, originally posted by bumba000:
    > Still looking for that thread of patches though...

    Please explain what you mean.
