Cross Site Scripting issue?

    Hi

    We are being told that our site is vulnerable to a cross site scripting attack by doing the following:

    http://www.oursite.com/cgi-bin/ca000001.pl

    This is the injection:

    '")<iframe src="http://google.com"></iframe>


    Now I do not fully understand this and am trying to find out if this is "standard actinic" or a genuine site issue due to the way we have built it?

    We are running v703 but are going to v8 very soon.

    #2
    Hi John,

    Could you please provide a bit more info?

    The URL posted is quite standard for Actinic. It's running the cart script for functions like adding to basket or viewing the cart.

    This is the injection:

    '")<iframe src="http://google.com"></iframe>
    Where is this code coming from?
    Regards,

    Toby Blanchard



      #3
      Hi Toby

      This is what Scanalert is finding and telling us proves the site is vulnerable to this type of attack. I can see this on our site with google content!! What I need to know is either how to explain to Scanalert that this is not an issue or how best to resolve this if it is.

      http://www.oursite.com/cgi-bin/ss000...3C%2Fiframe%3E



        #4
        Surely that is Google includes then not Actinic? None of the links you have provided show us anything. Have you got a live url so that we can see a problem page?



          #5
          To ensure Google/other search engines don't index this page/script, why don't you add it to the robots.txt file under Disallow:

          ta,

          Kevin.
          www.herbsscotland.co.uk



            #6
            You can see the effect (as I have done) by adding the following to an Actinic site via the browser address bar: www.site.com plus the text below. I just tried this on 4 sites picked at random and the same happened on each. Scanalert are therefore claiming that this is a serious issue; trouble is, I do not understand enough to dispute this if it is not an issue!

            /cgi-bin/ss000001.pl?SECTIONID=%27%22%3E%3Ciframe+src%3D%22http%3A%2F%2Fgoogle.com%22%3E%3C%2Fiframe%3E



              #7
              Read all about it here http://en.wikipedia.org/wiki/Cross_site_scripting



                #8
                It is an XSS issue, you can fix it by adding the following to actinic.pm:

                find this:
                Code:
                ($value =~ /\<script(\s*?|\s.*?)\>.+?/si))) || # reject <script>* and <script *>*
                change it to this:
                Code:
                ($value =~ /\<script(\s*?|\s.*?)\>.+?/si) ||
                ($value =~ /\<iframe(\s*?|\s.*?)\>.+?/si)))
                although this is not really a great fix as other elements can be used for XSS such as img, etc.

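
An added example (not Actinic's code and not from any poster), written in Perl because actinic.pm is Perl: it runs the blacklist test quoted in post #8 beside allowlist validation and HTML output encoding, using the values seen in this thread. The numeric format assumed for SECTIONID, the function names and the example.com sample are assumptions.

```perl
#!/usr/bin/perl
# Added example, not Actinic code. Compares the blacklist test quoted in
# post #8 with allowlist validation plus HTML output encoding.
use strict;
use warnings;

# Blacklist as patched in post #8: rejects only <script> and <iframe>.
sub blacklist_rejects {
    my ($value) = @_;
    return ($value =~ /\<script(\s*?|\s.*?)\>.+?/si
         || $value =~ /\<iframe(\s*?|\s.*?)\>.+?/si) ? 1 : 0;
}

# Allowlist: accept only what the parameter can legitimately hold.
# Assumption: SECTIONID is a short numeric identifier.
sub valid_section_id {
    my ($value) = @_;
    return (defined $value && $value =~ /\A[0-9]{1,10}\z/) ? 1 : 0;
}

# Encode the five HTML-significant characters before echoing a value
# into a page, so reflected input is rendered as text, not markup.
sub html_escape {
    my ($value) = @_;
    my %entity = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                  '"' => '&quot;', "'" => '&#39;');
    $value =~ s/([&<>"'])/$entity{$1}/g;
    return $value;
}

# Decoded values: the first two are taken from posts #6 and #15; the
# third is constructed to stand for "other elements ... such as img".
my @samples = (
    q{'"><iframe src="http://google.com"></iframe>},
    q{<script>alert(unescape(document.cookie))</script>},
    q{'"><img src="http://example.com/x.png">},
    q{42},
);

for my $value (@samples) {
    printf "blacklist=%-6s allowlist=%-6s echoed as: %s\n",
        blacklist_rejects($value) ? 'reject' : 'pass',
        valid_section_id($value)  ? 'accept' : 'reject',
        html_escape($value);
}
```

The blacklist lets the img value through untouched, while the allowlist rejects all three markup values and the escaped output no longer contains any raw angle bracket or quote character.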


                  #9
                  I forgot to mention, v8.5 is also vulnerable



                    #10
                    It's been around for a while: http://xforce.iss.net/xforce/xfdb/8180



                      #11
                      Thanks to all for help. I have amended as Mark0x suggested and the alerts are still suggesting that ss000001.pl, bb000001.pl & ca000001.pl are vulnerable with the same issue. I have also raised with Actinic and am rather frustrated at the lack of response other than suggesting upgrading to v7.07 but not confirming the issue exists or has even been resolved in V8 onwards.



                        #12
                        John,

                        The issue does exist in v7 and has been sorted with v8.0.4 and above.

                        Kind regards,
                        Bruce King
                        SellerDeck



                          #13
                          Hi Bruce

                          We have upgraded to v851 and I can confirm the issues have not been resolved!



                            #14
                            Cross Site Scripting (XSS)

                            Has anyone found a proper solution for this in v7 ?
                            We do not want to upgrade to a new version, we want to resolve it in v7.

                            This is a serious issue and should have been addressed.
                            Ecommerce and security are the same thing.

                            We have just started ScanAlert (because it increases sales).
                            However, this error now prevents us from displaying their logo and getting any benefit.



                              #15
                              "and has been sorted with v8.0.4 and above"

                              With 8.5.1.0.0.0.HFUA I can still do e.g.

                              http://www.mysite.com/cgi-bin/ca000001.pl?<script>alert(unescape(document.cookie))</script>

                              Or shop on the Actinic demo site then try

                              http://www.actinic.co.uk/cgi-bin/ca0...kie))</script>

                              Note to Actinic: Delete this post if you wish.
                              Norman - www.drillpine.biz
                              Edinburgh, U K / Bitez, Turkey
