cubes
Posted November 28, 2012

Hi. I've had a look through the forums but haven't been able to solve this yet. I installed Security Pro and have it working (tested with the search box) but SecurityMetrics still have a number of issues with osCommerce. The shop is running 2.2-MS2. One of the issues is below (the other 2-3 are similar), what's the best resolution for this? Would upgrading help? Any help is appreciated, thanks!

Description: CGI Generic HTML Injections (quick test)

Synopsis: The remote web server may be prone to HTML injections.

Impact: The remote web server hosts CGI scripts that fail to adequately sanitize request strings with malicious Javascript. By leveraging this issue, an attacker may be able to cause arbitrary HTML to be executed in a user's browser within the security context of the affected site. The remote web server may be vulnerable to IFRAME injections or cross-site scripting attacks:
- IFRAME injections allow 'virtual defacement' that might scare or anger gullible users. Such injections are sometimes implemented for 'phishing' attacks.
- XSS are extensively tested by four other scripts.
- Some applications (e.g. web forums) authorize a subset of HTML without any ill effect. In this case, ignore this warning.

See also: http://www.nessus.org/u?f8fdd645

Data Received: Using the POST HTTP method, SecurityMetrics found that:

+ The following resources may be vulnerable to HTML injection :

+ The 'postcode' parameter of the /create_account.php CGI :
/create_account.php [postcode=%00<<<<qwnkos%20>>>]
-------- output --------
<tr>
<td class="main">Post Code:</td>
<td class="main"><input type="text" name="postcode" value="<<<<qwnkos >>>"> <span class="inputRequirement">*</span></td>
</tr>
<tr>
------------------------

+ The 'dob' parameter of the /create_account.php CGI :
/create_account.php [dob=%00<<<<qwnkos%20>>>]
-------- output --------
<tr>
<td class="main">Date of Birth:</td>
<td class="main"><input type="text" name="dob" value="<<<<qwnkos >>>">&nbsp;<span class="inputRequirement">* (eg. 21/05/1970)</span></td>
</tr>
<tr>

**more from create_account.php removed**

+ The 'email_address' parameter of the /password_forgotten.php CGI :
/password_forgotten.php [email_address=%00<<<<qwnkos%20>>>]
-------- output --------
</tr>
<tr>
<td class="main"><b>E-Mail Address:</b> <input type="text" name="email_address" value="<<<<qwnkos >>>"></td>
</tr>
<tr>

+ The 'email_address' parameter of the /login.php CGI :
/login.php [email_address=%00<<<<qwnkos%20>>>]
-------- output --------
<tr>
<td class="main"><b>E-Mail Address:</b></td>
<td class="main"><input type="text" name="email_address" value="<<<<qwnkos >>>"></td>
</tr>
<tr>
------------------------
/login.php [osCsid=h7pb33446hcu9neoje9kbhpir6&amp;email_address=%00<<<<qwnkos%20>>>]
-------- output --------
<tr>
<td class="main"><b>E-Mail Address:</b></td>
<td class="main"><input type="text" name="email_address" value="<<<<qwnkos >>>"></td>
</tr>
<tr>

Other references : CWE:80, CWE:86

Resolution: Either restrict access to the vulnerable application or contact the vendor for an update.

Risk Factor: Medium / CVSS2 Base Score: 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
Guest
Posted November 28, 2012

@cubes A completely NEW site is required but even then, you will have to change some things to be PCI DSS Compliant.

Chris
cubes (Author)
Posted December 3, 2012

Thanks for the reply. So I can't just upgrade, it would require starting again from scratch with the latest version then adding on more security features? :(
Jack_mcs
Posted December 3, 2012

The PCI companies can only look at input and output. They change the url or enter some invalid data in one of the boxes and when they see that same result in the box, they assume their data was used and report it as a failure. But the way the code works is that it strips the extra character and tries to use that result. If it is invalid, the original data is displayed. So, many times, such issues in PCI scans are not actual problems and false positives should be requested in those cases. But you need to be sure of each case, of course.
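As an added illustration of the input/output check Jack describes (my own Python model, not code from this thread or from osCommerce): the scanner's probe string from the report above is pushed through a form field that echoes it raw and through one that HTML-attribute-encodes it, and the same verbatim-reflection test the scanner applies is run on both. The vulnerable renderer models the behaviour visible in the scan output, not osCommerce's actual template code; the NUL-stripping step and the sample value containing a quote are assumptions.

```python
import html
import re

# Probe taken from the scan report in the thread: %00<<<<qwnkos%20>>>
# URL-decoded, i.e. a NUL byte followed by the marker text.
PROBE = "\x00<<<<qwnkos >>>"

# Regex used to pull the value attribute back out of a rendered field.
ATTR_RE = re.compile(r'value="([^"]*)"')


def strip_nul(value):
    """Drop NUL bytes (assumed model of the 'strips the extra character' step)."""
    return value.replace("\x00", "")


def render_field_vulnerable(name, value):
    """Echo the submitted value into the attribute unencoded (what the scan output shows)."""
    return '<input type="text" name="%s" value="%s">' % (name, strip_nul(value))


def render_field_hardened(name, value):
    """Encode for HTML attribute context first: <, >, &, ' and " all become entities."""
    return '<input type="text" name="%s" value="%s">' % (
        name, html.escape(strip_nul(value), quote=True))


def probe_reflected_raw(rendered, probe=PROBE):
    """The scanner's test: is the marker present verbatim (unencoded) in the response?"""
    return strip_nul(probe) in rendered


def attribute_value(rendered):
    """What a browser reads back as the field's value (entities decoded)."""
    m = ATTR_RE.search(rendered)
    return html.unescape(m.group(1)) if m else None


if __name__ == "__main__":
    for render in (render_field_vulnerable, render_field_hardened):
        out = render("postcode", PROBE)
        print(render.__name__, "flagged" if probe_reflected_raw(out) else "clean", out)
        # A legitimate value containing a quote (constructed) shows the attribute
        # breaking in the vulnerable version and surviving intact in the hardened one.
        print("  round-trip:", repr(attribute_value(render("dob", 'O"Neil'))))
```

The hardened version still shows the user's text back in the box (the browser decodes the entities), so the scanner's marker is no longer found verbatim and the finding goes away without changing what the customer sees.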
cubes (Author)
Posted December 12, 2012

Thanks for the reply, I'll have a look into it.
cubes (Author)
Posted December 19, 2012

Just to add, installed and configured mod_security which seems to have removed attacks from the list of problems. :)