Announcement

Collapse
No announcement yet.

Cross Site Scripting Security vulnerability

Collapse
X
Collapse
 
  • Page of 1
  • Filter
  • Time
  • Show
Clear All
new posts
Previous template Next
    #1

    Cross Site Scripting Security vulnerability

    Hello,

    We recently hired some consulting people to do a check on our site. They said we are vulnerable to XSS.
    The remote web application appears to be vulnerable to cross site scripting (XSS)
    This appears wherever SCREEN=ABCD is used as in
    Store_Code=001
    Action=ICST
    Order=0
    Screen=>"><script>alert(123)</script><"
    Customer_Login=0
    Customer_PasswordEmail=0
    Customer_Password=0

    Suggested fix was to make sure that inputs would be validated as characters A-Z a-z 0-9.
    How and where does one do that? DO I have to do it on every page?

    Thanks
    Sam
    Tags: None
    #2
    Re: Cross Site Scripting Security vulnerability

    First thing you should do is ensure all of your third party modules that have been added to the store are up to date. Many modules from nearly all the developers have been found to have XSS issues and all that are known have been resolved, so if you're not at the most current version of all of your add-on mods, just updating them to current will likely resolve the issue. Merchant 5 itself, in its current patch level, doesn't have any known XSS issues.
    David Hubbard
    CIO
    Miva
    [email protected]
    http://www.miva.com

    Comment

      #3
      Re: Cross Site Scripting Security vulnerability

      Thanks for response. The only thing I added recently was Miva Mailer 2.0 and a form associated with it. I will look there first, but I am a little confused. The vulnerability was found in the add new customer area, and maybe it is through the mailer form.

      Comment

        #4
        Re: Cross Site Scripting Security vulnerability

        Start by making sure you have the latest version of Merchant 5x (click on upgrade wizard in main admin screen). Also, if you have any 3rd party modules, make sure they are up to date.

        Contact Miva support as any vulnerabilities to the core Merchant should not be reported in a public forum. Let them handle the issues and make updates.
        Bill Weiland - Emporium Plus http://www.emporiumplus.com/store.mvc
        Online Documentation http://www.emporiumplus.com/tk3/v3/doc.htm
        Question http://www.emporiumplus.com/mivamodu...vc?Screen=SPTS
        Facebook http://www.facebook.com/EmporiumPlus
        Twitter http://twitter.com/emporiumplus

        Comment

          #5
          Re: Cross Site Scripting Security vulnerability

          May not necessarily be a recent add, if you have any third party add-ons you should go through them all. The output that your consultant sent you is in the exact same format, and using the exact same variables, as ScanAlert uses to do XSS tests as part of their HackerSafe service, so they probably just used a ScanAlert account to scan your site to get that data and ScanAlert has found all the known XSS issues which have all been fixed, so I still think it's probably a mod you have in there that needs updating. I don't think Miva Mailer has seen any changes for a while so I don't think that's the source.

          Since this is occurring on a custom screen, it is possible that it's not a module and is just a coding error in the code for the ABCD screen but I'd still check the mods first.
          David Hubbard
          CIO
          Miva
          [email protected]
          http://www.miva.com

          Comment

            #6
            Re: Cross Site Scripting Security vulnerability

            Make sure there is an "e" on that "&mvt" in the store code hidden form field:
            Code:
            <input type="hidden" name="Store_Code" value="&mvte:global:Store_Code;">

            Comment

            Previous template Next
            Working...
            X