Cross Site Scripting issue?

#46
See my post here

Cross Site Scripting Fix for Actinic v7.0.7


#47
Cross Site Scripting issues still in V9

Hi all,

I have just had the dreaded 'New Vulnerabilities Found' from Scanalert having uploaded our site in V9.0.0, which I thought was a long-dead and buried issue.

John Sollars
MD at Stinkyink.Com
Ph 01746 781020
Fx 01746 781698
Em John (at) Stinkyink dot Com


#48
I have just had the dreaded 'New Vulnerabilities Found' from Scanalert having uploaded our site in V9.0.0

Yep, and they will turn off your logo if you don't fix it pretty damn quick.


#49
I thought it was supposed to be fixed forever in 8.5.2, but definitely in V9, but now it is actually listed as a bug fix in 9.01 - we'll wait and see!

John Sollars


#50
TBH I've never seen a version where it was fixed. Scanalert has shown vulnerabilities on every version of Actinic I have tried it on.


#51
If you see this post here.
We had this vulnerability flagged on our security test with SecurityMetrics; the actual level of the vulnerability was "8", so it was classed as high.

After installing the patched files from Actinic, it reduced the level down to 3; any risk of 4 or above is classed as a fail.

I would do what I did and e-mail Actinic about it. If you're using v9, which as we know is the latest version, then surely they must fix this issue.


#52
Scanalert flag this as a level 3 issue (out of 5), which is a fail as far as they are concerned. We have applied the patch and moaned (again) to Actinic. Having read the bug fixes in V9.0.1, they do list this as one of the bug fixes: "Further security enhancements made to shopping cart and checkout scripts." I hope that sorts this issue out once and for all - I'll let you know when we upgrade to 9.0.1. I have to admit to being just a tad frustrated by this issue still occurring after all this time!

John Sollars


#53
It seems different security vendor companies rate vulnerabilities individually, which I think is wrong; there should be one set of rules for everyone.

We still have SSL 2.0 enabled on the web server, and our hosting co. are refusing to disable SSL 2.0 on the server as they say it stops the Plesk 8.3 control panel from working correctly.

SM (SecurityMetrics) have said they will remove the vulnerability but we would be liable for a credit card compromise. I have explained time and time again to them that we use a PSP for transactions which is NOT on our website. I emailed SecureHosting (our PSP) for written confirmation of this, and then contacted Actinic themselves just for 100% clarification that because we use a PSP there are no CC details stored or processed on our webspace (using Actinic); they got back within 30 mins to confirm this.

If SM are willing to remove this vulnerability themselves then I cannot see this vulnerability being an issue.

E-mail I got from Actinic yesterday:

Hi Gavin

Thanks for registering a query

Yes, that is how it works: all the capture and processing is done on the Payment Service Provider's secure site and only a confirmation is sent to you stating that the transaction has been authorized.

Regards
Kiran Chandran

Actinic Software Ltd,
Globe House, Columbus Suite, Lavender Park Road, West Byfleet,
Surrey, KT14 6ND, United Kingdom.
Phone: 01932 358370 Fax: 01932 358341

Registered Office as above | Registered in England No 3221222 VAT no. GB834853604

I have been working with SM for the past 3 weeks on making our site comply with PCI, and even though I have told SM time and time again we do NOT hold CC details on our site (all is done through a PSP) they just don't seem to either a) listen, or b) understand.

That is why I wanted hard copies from both SecureHosting and Actinic regarding this matter.

These security companies like SM, HackerSafe, etc. are hard work...


#54
Interesting article in the Guardian about all this bollocks yesterday, and the bottom line from Sophos is that people will move towards sites which do not ask for card details at all, i.e. good old Google Checkout and PayPal Pro.


#55
Originally posted by RuralWeb
Interesting article in the Guardian about all this bollocks yesterday, and the bottom line from Sophos is that people will move towards sites which do not ask for card details at all, i.e. good old Google Checkout and PayPal Pro.

That is interesting Malcolm.
Is there a link to this article on their website I wonder?

EDIT:

Click here for the article on the website.

Interesting to see big-shot companies such as Littlewoods and New Look are not yet PCI compliant. So it just goes to show.


#56
Hi Gavin,

I think this is opening a whole new can of worms! We also use Secure Hosting as our PSP, and have an account with Protx as well. Coincidentally I had a newsletter from Protx yesterday and this is their statement:

'Protx is a level 1 PCI compliant Payment Service Provider, which means that if you use the Protx payment pages (VSP Form and VSP Server), you outsource security to Protx and do not need to be PCI compliant yourself.
However, if you use your own payment pages and collect credit card details on your website before passing them across to Protx (using VSP Direct) you will need to make sure that you are PCI compliant.'

Secure Hosting is also level 1 PCI compliant so I do not intend to tell anyone that we are PCI compliant because we don't need to be.

HackerSafe have two separate sections within our account and have separated the PCI section from their server security, so we only get scanned for potential server security flaws, which they consider this cross site scripting to be.

John Sollars


#57
Originally posted by john@stinkyink.
Hi Gavin,
Secure Hosting is also level 1 PCI compliant so I do not intend to tell anyone that we are PCI compliant because we don't need to be.

100% agree with you.

The security penetration test we have done on the web host server, I believe, is more towards the security of the server itself than PCI compliance. If you pass this test it allows you to put a logo on your site, for peace of mind to the customer more than anything else, to say your site is PCI compliant, blah blah, which can only be a good thing.

With SM we have to pass BOTH a web server test AND a security test on our network (them trying to hack in!) in order to become PCI compliant. Oh, there is also the self-cert questionnaire which you need to pass as well to be fully compliant.

We take mail order orders as well, which of course is a different kettle of fish; nevertheless it's still a pain. We have had to get our freelance programmer in to make some changes to our systems in order to pass the questionnaire.

It's been a right pain, but once it's done it's done, and it means Barclaycard are happy.


#58
but once it's done it's done

A common misconception: new vulnerabilities are found all the time, and I'm sure SM will be back to "help" you sort them out again, at a price no doubt.


#59
Hey ho, V9.01 still has vulnerabilities

Hi,

We've just upgraded from 9.0.0 to 9.0.1 and over the weekend have been penalised by Scanalert again for the cross site scripting.

I think I will give up and just manually edit the Perl files every time we upload.

I'm very disappointed!

John Sollars


#60
False Alarm

My apologies to Zoltan and the Actinic Crew!

The initial vulnerability was still with V9.0.0. It was only when we tried applying the scripts in V9.0.1 yesterday that we realised they were already included. Scanalert has just done another scan and we passed fine.

Once again my apologies

John Sollars