[ic] PCI scan suddenly failing?

Steve Graham icdev at mrlock.com
Thu Jun 27 20:27:12 UTC 2013

-----Original Message----- 
From: DB
Sent: Thursday, June 27, 2013 2:31 PM
To: interchange-users at icdevgroup.org
Subject: Re: [ic] PCI scan suddenly failing?

> The issue is when you have a malformed id in your query string
> Interchange actually prints out something along the lines of "Invalid
> session ID: 3Cscript%3Ealert('TK00000008')%3C/script%3E. Logged".
> Well the security scanner sees the fact that it printed the alert on
> the page and determines that you have an cross-site scripting
> vulnerability. I've had to challenge their finding and have them run
> it by hand to show them that it's not actually running the alert. I
> think for another client we modified that part of Interchange so it
> didn't print out the invalid id.
> Richard

Thanks - I see no real security problem either, but we'll see if
reasoning with the PCI scanning company works.

Next time the PCI scan is run on my site, I'll keep an eye out for this - I
ran your test and the alert box did not show up here either, will probably
contest this as well if it shows up.
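The thread's point is that the "Invalid session ID: ..." message reflects the scanner's still-URL-encoded value, so no tag ever forms; what follows is an added Python illustration (not Interchange code) of that message beside two shapes that give a scanner nothing to flag: a fixed message with the value only logged server-side, and an entity-escaped reflection. The session-ID pattern and the sample scanner value are assumptions constructed for this example.

```python
import html
import logging
import re
from urllib.parse import unquote

# Assumed format for a well-formed session ID (not taken from Interchange source).
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9]{8,32}$")

log = logging.getLogger("session")


def is_valid_session_id(raw_id: str) -> bool:
    """Strict allow-list check; anything else is rejected before use."""
    return bool(SESSION_ID_RE.match(raw_id))


def echoing_message(raw_id: str) -> str:
    """Message shape quoted in the thread: the offending value is reflected
    as received. A scanner pattern-matches on it even though, still encoded,
    it never forms a real tag."""
    return f"Invalid session ID: {raw_id}. Logged"


def generic_message(raw_id: str) -> str:
    """Hardened shape: the value goes to the server log only, the client sees
    a fixed string, so there is nothing attacker-controlled to reflect."""
    log.warning("rejected session id %r", raw_id)
    return "Invalid session ID. Logged"


def escaped_message(raw_id: str) -> str:
    """Alternative if the value must be shown: entity-escape it first, so a
    decoded '<' or quote can never become markup."""
    return f"Invalid session ID: {html.escape(raw_id)}. Logged"


# Constructed sample mirroring the scanner probe quoted in the thread.
SCANNER_ID = "3Cscript%3Ealert('TK00000008')%3C/script%3E"
```

`unquote(SCANNER_ID)` shows what the same probe would look like if a page decoded it before reflecting, which is the case `escaped_message` guards against.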
