[ic] PCI scan suddenly failing?

Peter peter at pajamian.dhs.org
Thu Jun 27 23:45:46 UTC 2013


On 06/28/2013 07:02 AM, Richard Templet wrote:
> The issue is when you have a malformed id in your query string
> Interchange actually prints out something along the lines of "Invalid
> session ID: 3Cscript%3Ealert('TK00000008')%3C/script%3E. Logged".
> Well the security scanner sees the fact that it printed the alert on
> the page and determines that you have an cross-site scripting
> vulnerability. I've had to challenge their finding and have them run
> it by hand to show them that it's not actually running the alert. I
> think for another client we modified that part of Interchange so it
> didn't print out the invalid id.

It actually was an XSS vulnerability as it returns user input to the 
page unmodified.  It was fixed a few years ago:

commit 771683c75afa3b492793d576e17187f1b6f92d6c
Author: David Christensen <david at endpoint.com>
Date:   Tue Nov 3 17:21:40 2009 -0600

     Remove the explicit display of an invalid user-provided session id

     Hypothetically, some stupid browsers could be coerced into doing
     Something Bad; in any case, it's cleaner to just exclude it from the
     output all together.

     Example URL:

     http://example.com/cgi-bin/catalog/catalogs.html?id=PMJCrmoJ%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E

     Reported by Mat Jones.
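As an added illustration (not Interchange's own Perl code), here is a Python model of the two behaviours discussed above: the pre-fix handler that echoes a rejected session id straight into the page, and the post-fix handler that keeps it out of the output and only records it in the log. The session-id pattern and the sample query string are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs

# Assumed session-id format (not taken from Interchange's source): 8-32 alphanumerics.
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9]{8,32}$")

# Constructed query string in the shape of the URL quoted in the commit message.
SAMPLE_QUERY = "id=PMJCrmoJ%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E"


def session_id_from_query(query):
    """Return the URL-decoded id= parameter, or '' if it is absent."""
    return parse_qs(query).get("id", [""])[0]


def handle_vulnerable(query, log):
    """Pre-fix behaviour: the rejected id is echoed verbatim into the HTML."""
    sid = session_id_from_query(query)
    if not SESSION_ID_RE.match(sid):
        log.append("Invalid session ID: %s. Logged" % sid)
        return "<p>Invalid session ID: %s. Logged</p>" % sid
    return "<p>session ok</p>"


def handle_fixed(query, log):
    """Post-fix behaviour: generic message to the client, id goes only to the log."""
    sid = session_id_from_query(query)
    if not SESSION_ID_RE.match(sid):
        # Store a bounded repr() so a log viewer does not become the next HTML sink.
        log.append("Invalid session ID rejected: %r" % sid[:64])
        return "<p>Invalid session ID. Logged</p>"
    return "<p>session ok</p>"


def reflects_raw_input(page, query):
    """Detection check: does the decoded user input appear verbatim in the response?"""
    sid = session_id_from_query(query)
    return bool(sid) and sid in page
```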


