[ic] PCI scan suddenly failing?

DB db at m-and-d.com
Thu Jun 27 19:31:49 UTC 2013


> The issue is when you have a malformed id in your query string
> Interchange actually prints out something along the lines of "Invalid
> session ID: 3Cscript%3Ealert('TK00000008')%3C/script%3E. Logged".
> Well the security scanner sees the fact that it printed the alert on
> the page and determines that you have an cross-site scripting
> vulnerability. I've had to challenge their finding and have them run
> it by hand to show them that it's not actually running the alert. I
> think for another client we modified that part of Interchange so it
> didn't print out the invalid id.
> 
> Richard

Thanks - I see no real security problem either, but we'll see if
reasoning with the PCI scanning company works.

DB
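To make the thread's point concrete, here is a small added illustration (not Interchange's code, and not from either poster) of the three ways an invalid-session-id error can be rendered: echoing the value as-is, echoing it HTML-escaped, or suppressing it as Richard's fix did. The session-id pattern and the scanner's marker-matching check are assumptions for the sake of the example.

```python
import html
import logging
import re

log = logging.getLogger("session")

# Hypothetical session-id rule, not Interchange's real one: short, alphanumeric only.
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9]{8,32}$")

# Constructed sample: the value the scanner put in the query string, as shown in the
# thread (still URL-encoded, which is how the error text echoed it).
SCANNER_VALUE = "%3Cscript%3Ealert('TK00000008')%3C/script%3E"
SCANNER_MARKER = "TK00000008"  # the unique token the scanner looks for in the response


def echo_raw(bad_id: str) -> str:
    """The behaviour described in the thread: the offending value is printed as-is."""
    return f"<p>Invalid session ID: {bad_id}. Logged</p>"


def echo_escaped(bad_id: str) -> str:
    """Still echo it, but HTML-escaped so it cannot become markup even if decoded first."""
    return f"<p>Invalid session ID: {html.escape(bad_id, quote=True)}. Logged</p>"


def suppress(bad_id: str) -> str:
    """Richard's fix: log a bounded, printable copy server-side and show a fixed message."""
    safe_for_log = re.sub(r"[^\x20-\x7e]", "?", bad_id)[:64]
    log.warning("rejected session id %r", safe_for_log)
    return "<p>Invalid session ID. Logged</p>"


def handle(session_id: str, on_invalid=suppress) -> str:
    """Validate the id; on failure render the error with the chosen strategy."""
    if SESSION_ID_RE.match(session_id):
        return "<p>OK</p>"  # a real handler would look the session up here
    return on_invalid(session_id)


def scanner_flags(body: str) -> bool:
    """Naive scanner check (assumed): its marker reappeared, so it reports XSS."""
    return SCANNER_MARKER in body


def contains_script_tag(body: str) -> bool:
    """What would actually matter for XSS: a live script tag in the response."""
    return "<script" in body.lower()
```

Escaping keeps the page safe even if the value were decoded before printing, but the scanner still sees its marker; only the suppressing variant stops the false positive as well.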