Announcement

Collapse
No announcement yet.

McAfee Secure Vulnerability

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    McAfee Secure Vulnerability

    We have had McAfee Secure do an audit of our site and they have found a vulnerability as follows:

    Web Application Cross Site Scripting

    The remote web application appears to be vulnerable to cross-site scripting (XSS).

    The cross-site scripting attack is one of the most common, yet overlooked, security problems facing web developers today. A web site is vulnerable if it displays user-submitted content without sanitizing user input.

    The target of cross-site scripting attacks is not the server itself, but the users of the server. By finding a page that does not properly sanitize user input the attacker submits client-side code to the server that will then be rendered by the client. It is important to note that websites that use SSL are just as vulnerable as websites that do not encrypt browser sessions.

    The damage caused by such an attack can range from stealing session and cookie data from your customers to loading a virus payload onto their computer via browser.

    The pages listed in the vulnerability output will display embedded javascript with no filtering back to the user.

    When accepting user input ensure that you are HTML encoding potentially malicious characters if you ever display the data back to the client.

    Ensure that parameters and user input are sanitized by doing the following:
    # Remove < input and replace with &lt;
    # Remove > input and replace with &gt;
    # Remove ' input and replace with &apos;
    # Remove " input and replace with &#x22;
    # Remove ) input and replace with &#x29;
    # Remove ( input and replace with &#x28;
    This problem was found in the files /cgi-bin/ss000005.pl and /cgi-bin/ca000005.pl

    If I'm honest this is beyond my capabilities to resolve. I guess they are recommending that the script changes these parameters to the html syntax.

    I am using 8.5.2.0.0.0.HMVA so I don't know if an updated perl script has already addressed this or not. Is there anyone who can point me in the right direction on solving this vulnerability?
    www.prolineskates.com

    #2
    Seemingly it is fixed in 8.5.3

    Comment


      #3
      Thanks mate, I guess I shall have to go ahead with the upgrade then

      May just go straight to v9 in that case.
      www.prolineskates.com

      Comment


        #4
        make sure its 903 then

        Comment


          #5
          Yeah will do.
          www.prolineskates.com

          Comment


            #6
            or perhaps wait until 904 is bedded in?
            Elysium:Online - Official Accredited SellerDeck Partner
            SellerDeck Design, Build, Hosting & Promotion
            Based in rural Northants

            Comment


              #7
              That's what I was waiting for but we are having a trial of McAfee Secure so that they can show us the number of converted visitors who saw the McAfee logo versus those that didn't.

              But first I need to be compliant before they show the logo!
              www.prolineskates.com

              Comment


                #8
                Damn, I have upgraded to 9.0.3 IMMA and McAffee is still reporting this issue
                www.prolineskates.com

                Comment

                Working...
                X