PCI Woes


cubes


Hi.

I've had a look through the forums but haven't been able to solve this yet.

I installed Security Pro and have it working (tested with the search box) but SecurityMetrics still have a number of issues with osCommerce.

The shop is running 2.2-MS2.

One of the issues is below (the other 2-3 are similar). What's the best resolution for this? Would upgrading help? Any help is appreciated, thanks!

 

Description: CGI Generic HTML Injections (quick test)

Synopsis: The remote web server may be prone to HTML injections.

Impact: The remote web server hosts CGI scripts that fail to adequately sanitize request strings with malicious Javascript. By leveraging this issue, an attacker may be able to cause arbitrary HTML to be executed in a user's browser within the security context of the affected site. The remote web server may be vulnerable to IFRAME injections or cross-site scripting attacks :

- IFRAME injections allow 'virtual defacement' that might scare or anger gullible users. Such injections are sometimes implemented for 'phishing' attacks.
- XSS are extensively tested by four other scripts.
- Some applications (e.g. web forums) authorize a subset of HTML without any ill effect. In this case, ignore this warning.

See also : http://www.nessus.org/u?f8fdd645

Data Received:

Using the POST HTTP method, SecurityMetrics found that :

+ The following resources may be vulnerable to HTML injection :

+ The 'postcode' parameter of the /create_account.php CGI :

/create_account.php [postcode=%00<<<<qwnkos%20>>>]
-------- output --------
<tr> <td class="main">Post Code:</td> <td class="main"><input type="text" name="postcode" value="<<<<qwnkos >>>"> <span class="inputRequirement">*</span></td> </tr> <tr>
------------------------

+ The 'dob' parameter of the /create_account.php CGI :

/create_account.php [dob=%00<<<<qwnkos%20>>>]
-------- output --------
<tr> <td class="main">Date of Birth:</td> <td class="main"><input type="text" name="dob" value="<<<<qwnkos >>>">&nbsp;<span class="inputRequirement">* (eg. 21/05/1970)</span></td> </tr> <tr>

**more from create_account.php removed**

+ The 'email_address' parameter of the /password_forgotten.php CGI :

/password_forgotten.php [email_address=%00<<<<qwnkos%20>>>]
-------- output --------
</tr> <tr> <td class="main"><b>E-Mail Address:</b> <input type="text" name="email_address" value="<<<<qwnkos >>>"></td> </tr> <tr>

+ The 'email_address' parameter of the /login.php CGI :

/login.php [email_address=%00<<<<qwnkos%20>>>]
-------- output --------
<tr> <td class="main"><b>E-Mail Address:</b></td> <td class="main"><input type="text" name="email_address" value="<<<<qwnkos >>>"></td> </tr> <tr>
------------------------

/login.php [osCsid=h7pb33446hcu9neoje9kbhpir6&amp;email_address=%00<<<<qwnkos%20>>>]
-------- output --------
<tr> <td class="main"><b>E-Mail Address:</b></td> <td class="main"><input type="text" name="email_address" value="<<<<qwnkos >>>"></td> </tr> <tr>

Other references : CWE:80, CWE:86

Resolution: Either restrict access to the vulnerable application or contact the vendor for an update.

Risk Factor: Medium/ CVSS2 Base Score: 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N


The PCI companies can only look at input and output. They change the URL or enter some invalid data in one of the boxes and when they see that same result in the box, they assume their data was used and report it as a failure. But the way the code works is that it strips the extra character and tries to use that result. If it is invalid, the original data is displayed. So, many times, such issues in PCI scans are not actual problems and false positives should be requested in those cases. But you need to be sure of each case, of course.



Archived

This topic is now archived and is closed to further replies.
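
One way to check each flagged field before requesting a false positive, as the reply above advises (an added example, not code from osCommerce, Security Pro or SecurityMetrics): parse the returned HTML and report whether the echoed probe stayed inside a single attribute value. The function name, the `qwnkos"x` probe and the two quote responses are constructed for illustration; the scanner's own probe contains no double quote, so a `confined` result for it says nothing about how `"` is handled.

```python
from html.parser import HTMLParser


class AttrValues(HTMLParser):
    """Collect (tag, attribute name, entity-decoded value) from a fragment."""

    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        self.values += [(tag, name, value or "") for name, value in attrs]


def triage_reflection(fragment, probe, marker):
    """Classify how the scanner's probe came back in a response fragment.

    confined: the whole probe sits inside one attribute value, so a browser
              reads it as field data rather than markup
    escaped:  the marker is reflected, but no single attribute value holds
              the probe, so part of it was parsed as markup or text
    absent:   the marker is not in the response
    """
    if marker not in fragment:
        return ("absent", None)
    parser = AttrValues()
    parser.feed(fragment)
    parser.close()
    for tag, name, value in parser.values:
        if probe in value:
            return ("confined", f"{tag}[{name}]")
    return ("escaped", None)


# Taken from the scan output in the post, as the probe appears when echoed.
PAGE_PROBE = "<<<<qwnkos >>>"
PAGE_SAMPLE = ('<td class="main"><input type="text" name="postcode" '
               'value="<<<<qwnkos >>>"> <span class="inputRequirement">*</span></td>')

# Constructed responses for a constructed probe that contains a double quote.
QUOTE_PROBE = 'qwnkos"x'
RAW_QUOTE = '<input type="text" name="postcode" value="qwnkos"x">'
ENCODED_QUOTE = '<input type="text" name="postcode" value="qwnkos&quot;x">'

if __name__ == "__main__":
    for label, frag, probe in [("page sample", PAGE_SAMPLE, PAGE_PROBE),
                               ("raw quote", RAW_QUOTE, QUOTE_PROBE),
                               ("encoded quote", ENCODED_QUOTE, QUOTE_PROBE)]:
        print(label, triage_reflection(frag, probe, "qwnkos"))
```

An `escaped` result is the case that needs a code fix rather than a false-positive request.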
