Cross Site Scripting issue?
-
Cross Site Scripting issues still in V9
Hi all,
I have just had the dreaded 'New Vulnerabilities Found' from Scanalert having uploaded our site in V9.0.0, which I thought was a long dead and buried issue.
John Sollars
MD at Stinkyink.Com
Ph 01746 781020
Fx 01746 781698
Em John (at) Stinkyink dot Com
-
If you see this post here.
We had this vulnerability flagged on our security test with SecurityMetrics, the actual level of the vulnerability was "8" so was classed as high.
After installing the patched files from Actinic, it reduced the level down to 3, any risk 4 or above is classed as a fail.
I would do what I did, and e-mail Actinic about it. If you're using v9, which as we know is the latest version, then surely they must fix this issue.
-
Scanalert flag this as a level 3 issue (out of 5) which is a fail as far as they are concerned. We have applied the patch and moaned (again) to Actinic. Having read the bug fixes in V9.0.1 they do list this as one of the bug fixes, "Further security enhancements made to shopping cart and checkout scripts", which I hope sorts this issue out once and for all - I'll let you know when we upgrade to 9.0.1. I have to admit to being just a tad frustrated by this issue still occurring after all this time!
John Sollars
MD at Stinkyink.Com
Ph 01746 781020
Fx 01746 781698
Em John (at) Stinkyink dot Com
-
It seems different security vendor companies risk-rate vulnerabilities individually, which I think is wrong; there should be one set of rules for everyone.
We still have SSL 2.0 enabled on the web server, and our hosting co are refusing to disable SSL 2.0 on the server as they say it stops the Plesk 8.3 control panel from working correctly.
SM (SecurityMetrics) have said they will remove the vulnerability but we would be liable to a credit card compromise, but we have explained time and time again to them that we use a PSP for transactions which is NOT on our website. I emailed SecureHosting (our PSP) for written confirmation of this, and then contacted Actinic themselves just for 100% clarification that because we use a PSP there are no CC details stored or processed on our webspace (using Actinic); they got back within 30 mins to confirm this.
If SM are willing to remove this vulnerability themselves then I cannot see this vulnerability being an issue.
E-mail I got from Actinic yesterday:
Hi Gavin
Thanks for registering a query.
Yes, that is how it works: all the capture and processing is done on the Payment Service Provider's secure site and only a confirmation is sent to you stating that the transaction has been authorized.
Regards
Kiran Chandran
Actinic Software Ltd,
Globe House, Columbus Suite, Lavender Park Road, West Byfleet,
Surrey, KT14 6ND, United Kingdom.
Phone: 01932 358370 Fax: 01932 358341
Registered Office as above | Registered in England No 3221222 VAT no. GB834853604
That is why I wanted hard-copies from both SecureHosting and Actinic regarding this matter.
These security companies like SM, HackerSafe, etc are hard work ...
-
Originally posted by RuralWeb:
Interesting article in the Guardian about all this bollocks yesterday and the bottom line from Sophos is that people will move towards sites which do not ask for card details at all, ie good old Google Checkout and PayPal Pro.
Is there a link to this article on their website I wonder?
EDIT:
Click here for the article on the website.
Interesting to see big-shot companies such as Littlewoods, New Look are not yet PCI Compliant. So it just goes to show.
-
Hi Gavin,
I think this is opening a whole new can of worms! We also use Secure Hosting as our PSP, and have an account with Protx as well. Coincidentally I had a newsletter from Protx yesterday and this is their statement:
'Protx is a level 1 PCI compliant Payment Service Provider, which means that if you use the Protx payment pages (VSP Form and VSP Server), you outsource security to Protx and do not need to be PCI compliant yourself.
However, if you use your own payment pages and collect credit card details on your website before passing them across to Protx (using VSP Direct) you will need to make sure that you are PCI compliant.'
Secure Hosting is also level 1 PCI compliant so I do not intend to tell anyone that we are PCI compliant because we don't need to be.
Hackersafe have two separate sections within our account and have separated the PCI section away from their server security, and we only get scanned for potential server security flaws, which they consider this Cross Site Scripting to be.
John Sollars
MD at Stinkyink.Com
Ph 01746 781020
Fx 01746 781698
Em John (at) Stinkyink dot Com
-
Originally posted by john@stinkyink:
Hi Gavin,
Secure Hosting is also level 1 PCI compliant so I do not intend to tell anyone that we are PCI compliant because we don't need to be.
The security penetration test we have done on the web host server, I believe, is more towards the security of the server itself than PCI compliance. If you pass this test it allows you to put a logo on your site, for peace of mind to the customer more than anything else, to say your site is PCI compliant, blah blah, which can only be a good thing.
With SM we have to pass BOTH a web server test AND a security test on our network (them trying to hack in!) in order to become PCI compliant, oh there is also the self-cert questionnaire which you need to pass as well to be fully compliant.
We take mail order orders as well, which of course is a different kettle of fish; nevertheless it's still a pain. We have had to get our freelance programmer in to make some changes to our systems in order to pass the questionnaire.
It's been a right pain, but once it's done it's done, and it means Barclaycard are happy.
-
Hey Ho, V9.0.1 still has vulnerabilities
Hi,
We've just upgraded from 9.0.0 to 9.0.1 and over the weekend have been penalised by Scanalert again for the Cross Site Scripting.
I think I will give up and just manually edit the Perl files every time we upload.
I'm very disappointed!
John Sollars
MD at Stinkyink.Com
Ph 01746 781020
Fx 01746 781698
Em John (at) Stinkyink dot Com
-
False Alarm
My apologies to Zoltan and the Actinic Crew!
The initial vulnerability was still with V9.0.0. It was only when we tried applying the scripts in V9.0.1 yesterday that we realised they were already included. Scanalert has just done another scan and we passed fine.
Once again my apologies.
John Sollars
MD at Stinkyink.Com
Ph 01746 781020
Fx 01746 781698
Em John (at) Stinkyink dot Com