I am using Actinic Business v7.0.7.0.0.0 and have my site hosted by an Actinic Business partner, with a separate https server handling the checkout pages.
My bank requires Security Metrics to validate the security settings on the site, and it is currently failing on one last hurdle, with the following failure report issued by the Security Metrics tests:
"Security Vulnerabilities: TCP Protocol http/https
Possible injection http://www.mydomain.com/cgi-bin/ss000002.pl?PRODREF=%3Cxss%3Ealert%28%27XSS%27%29%3C%2Fvulnerable%3E&NOLOGIN=1 ("<xss>alert('XSS')</vulnerable>") ; Possible injection http://www.mydomain.com/cgi-bin/ss000002.pl?PRODREF=%3Cxss%3Ealert%28%27XSS%27%29%3C%2Fvulnerable%3E&NOLOGIN=1 ("<xss>alert('XSS')</vulnerable>") ; Possible injection http://www.mydomain.com/cgi-bin/ss000002.pl?PRODREF=%3Cxss%3Ealert%28%27XSS%27%29%3C%2Fvulnerable%3E&NOLOGIN=1 ("<xss>alert('XSS')</vulnerable>") ; Possible injection http://www.mydomain.com/cgi-bin/ss000002.pl?PRODREF=%3Cxss%3Ealert%28%27XSS%27%29%3C%2Fvulnerable%3E&NOLOGIN=1 ("<xss>alert('XSS')</vulnerable>") ; Possible injection http://www.mydomain.com/cgi-bin/ss000002.pl?PRODREF=%3Cxss%3Ealert%28%27XSS%27%29%3C%2Fvulnerable%3E&NOLOGIN=1 ("<xss>alert('XSS')</vulnerable>") ; Possible injection http://www [More] ...."
Can anyone please help with advice as to whether there is a patch or something I need to get applied, a business setting to change, etc., or is this a security gap in v7? Are there some settings my server host needs to change, as they haven't come across this before?
Thanks
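For readers trying to understand what this kind of scanner finding means before contacting the vendor or host: the probe puts a harmless marker tag into the PRODREF parameter and then checks whether the page sends that marker back as live HTML rather than as text. The Python below is an added illustration, not Actinic's own ss000002.pl code (which is not public on this page), and the page template in it is a hypothetical stand-in for whatever the real script echoes. It reproduces the scanner's payload from the report, shows the reflection pattern that triggers the finding next to an HTML-escaped version that does not, models the scanner's pass/fail judgement, and adds a stricter allow-list check for identifier-like product references.

```python
"""Model of a "possible injection" scanner probe against a reflected query
parameter, and the output encoding that makes the finding go away.
Added example; not code from Actinic or from the scanner vendor."""
import html
import re
from typing import Dict, Optional
from urllib.parse import parse_qs

# Constructed query string using the same payload the scanner report shows
# (URL-encoded on the wire, decoded by parse_query below).
SCANNER_QUERY = "PRODREF=%3Cxss%3Ealert%28%27XSS%27%29%3C%2Fvulnerable%3E&NOLOGIN=1"
# The decoded marker the scanner looks for in the response body.
MARKER = "<xss>alert('XSS')</vulnerable>"


def parse_query(query: str) -> Dict[str, str]:
    """Decode a CGI query string into a flat dict (first value wins)."""
    params = parse_qs(query, keep_blank_values=True)
    return {k: v[0] for k, v in params.items()}


def render_vulnerable(query: str) -> str:
    """Hypothetical page template that echoes PRODREF verbatim.
    This is the pattern a scanner reports as possible injection."""
    prodref = parse_query(query).get("PRODREF", "")
    return f'<p>Product reference "{prodref}" was not found.</p>'


def render_hardened(query: str) -> str:
    """Same template, but PRODREF is HTML-escaped before it reaches the page.
    quote=True also escapes ' and " so the value is safe inside attributes."""
    prodref = html.escape(parse_query(query).get("PRODREF", ""), quote=True)
    return f'<p>Product reference "{prodref}" was not found.</p>'


def reflects_unescaped(body: str, marker: str = MARKER) -> bool:
    """Approximation of the scanner's judgement: the finding fires when the
    marker comes back byte-for-byte, i.e. as markup rather than as text."""
    return marker in body


def allowlist_prodref(value: str, max_len: int = 32) -> Optional[str]:
    """Stricter defence for a parameter that should only ever hold a product
    code: accept identifier-like values, reject everything else (returns None)."""
    if re.fullmatch(r"[A-Za-z0-9_-]{1,%d}" % max_len, value):
        return value
    return None


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        body = render(SCANNER_QUERY)
        print(f"{name}: reflects marker unescaped = {reflects_unescaped(body)}")
        print("  ", body)
    print("allow-list on scanner payload:", allowlist_prodref(MARKER))
    print("allow-list on a real-looking code:", allowlist_prodref("ABC-123"))
```

The scanner is not executing anything; it only needs to see its own tag returned intact to report the parameter as a possible injection point, which is why the fix sits wherever the script writes PRODREF into HTML (escaping at output, or rejecting non-identifier values at input), not in the web server or firewall configuration.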