[ic] PCI scan suddenly failing?
Steve Graham
icdev at mrlock.com
Thu Jun 27 20:27:12 UTC 2013
-----Original Message-----
From: DB
Sent: Thursday, June 27, 2013 2:31 PM
To: interchange-users at icdevgroup.org
Subject: Re: [ic] PCI scan suddenly failing?
> The issue is when you have a malformed id in your query string
> Interchange actually prints out something along the lines of "Invalid
> session ID: 3Cscript%3Ealert('TK00000008')%3C/script%3E. Logged".
> Well the security scanner sees the fact that it printed the alert on
> the page and determines that you have a cross-site scripting
> vulnerability. I've had to challenge their finding and have them run
> it by hand to show them that it's not actually running the alert. I
> think for another client we modified that part of Interchange so it
> didn't print out the invalid id.
>
> Richard
Thanks - I see no real security problem either, but we'll see if
reasoning with the PCI scanning company works.
DB
--------------
DB,
Next time the PCI scan is run on my site, I'll keep an eye out for this - I
ran your test and the alert box did not show up here either, will probably
contest this as well if it shows up.
-Steve
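An added illustration, not Interchange's own code: a constructed Python model of the echoed-id error message Richard describes, with the crude reflection heuristic a scanner applies beside a stricter check, and the escaped and no-echo variants that make the finding go away. The session-id validity rule and the probe string (leading `%` restored so it decodes) are assumptions.

```python
import html
from urllib.parse import unquote

# Constructed example, not Interchange's own code. Models an error page that
# echoes a rejected session id and the two ways to stop a scanner flagging it.

# Probe shaped like the one quoted in the thread, leading '%' assumed.
SCANNER_PROBE = "%3Cscript%3Ealert('TK00000008')%3C/script%3E"


def session_id_is_valid(sid: str) -> bool:
    """Assumed rule: a session id is a short alphanumeric token."""
    return sid.isalnum() and 0 < len(sid) <= 32


def error_page_echo_raw(raw_sid: str) -> str:
    """Echoes the rejected id exactly as received (the behaviour described)."""
    return f"Invalid session ID: {raw_sid}. Logged"


def error_page_escaped(raw_sid: str) -> str:
    """Same message, but the id is decoded then HTML-escaped, so markup in it
    is shown as text and cannot be parsed as a tag by the browser."""
    safe = html.escape(unquote(raw_sid), quote=True)
    return f"Invalid session ID: {safe}. Logged"


def error_page_no_echo(raw_sid: str) -> str:
    """The fix Richard mentions: log the id, never print it."""
    return "Invalid session ID. Logged"


def scanner_flags(response: str, probe: str) -> bool:
    """Crude reflection heuristic: is the probe, raw or decoded, in the body?
    This is what turns a harmless encoded echo into a PCI finding."""
    return probe in response or unquote(probe) in response


def contains_live_script(response: str) -> bool:
    """Stricter check: does an unescaped <script> tag actually appear?"""
    return "<script>" in response.lower()


def handle_request(sid: str, render=error_page_echo_raw) -> str:
    """Serve the page, rendering the error with the chosen variant."""
    return "OK" if session_id_is_valid(sid) else render(sid)
```

With the raw echo the heuristic flags the page while no live script is present, which is the false positive the thread is about; the escaped and no-echo variants clear both checks.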