[ic] PCI scan suddenly failing?
Peter
peter at pajamian.dhs.org
Thu Jun 27 23:45:46 UTC 2013
On 06/28/2013 07:02 AM, Richard Templet wrote:
> The issue is when you have a malformed id in your query string
> Interchange actually prints out something along the lines of "Invalid
> session ID: 3Cscript%3Ealert('TK00000008')%3C/script%3E. Logged".
> Well the security scanner sees the fact that it printed the alert on
> the page and determines that you have a cross-site scripting
> vulnerability. I've had to challenge their finding and have them run
> it by hand to show them that it's not actually running the alert. I
> think for another client we modified that part of Interchange so it
> didn't print out the invalid id.
It actually was an XSS vulnerability as it returns user input to the
page unmodified. It was fixed a few years ago:
commit 771683c75afa3b492793d576e17187f1b6f92d6c
Author: David Christensen <david at endpoint.com>
Date: Tue Nov 3 17:21:40 2009 -0600
Remove the explicit display of an invalid user-provided session id
Hypothetically, some stupid browsers could be coerced into doing
Something Bad; in any case, it's cleaner to just exclude it from the
output altogether.
Example URL:
http://example.com/cgi-bin/catalog/catalogs.html?id=PMJCrmoJ%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E
Reported by Mat Jones.
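The reflection Peter describes, as an added illustration in Python rather than Interchange's own Perl code: the pre-fix error page interpolates the raw `id` from the query string, the fixed page omits it (as the 2009 commit did), and an escaped variant is shown for comparison. The session-id format, the page wording and all function names are assumptions; the only page-derived value is the example URL from the commit message.

```python
"""Reflected session-id disclosure as described in the thread.
Constructed illustration, not Interchange's code."""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Assumed session-id format: a short alphanumeric token.
SESSION_ID_RE = re.compile(r"\A[A-Za-z0-9]{8,32}\Z")

def session_id_from_url(url: str) -> str:
    """Return the percent-decoded ``id`` query parameter of a request URL."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("id", [""])[0]

def error_page_vulnerable(session_id: str) -> str:
    """Pre-fix behaviour: untrusted input is interpolated straight into HTML."""
    return f"<p>Invalid session ID: {session_id}. Logged</p>"

def error_page_fixed(session_id: str) -> str:
    """After the quoted commit: the id goes to the server log, never to the page."""
    return "<p>Invalid session ID. Logged</p>"

def error_page_escaped(session_id: str) -> str:
    """Alternative if the id must be shown: only well-formed ids, always escaped."""
    if not SESSION_ID_RE.match(session_id):
        return error_page_fixed(session_id)
    return f"<p>Invalid session ID: {html.escape(session_id)}. Logged</p>"

def reflects_markup(page: str, session_id: str) -> bool:
    """Scanner-style check: does input containing markup come back verbatim?"""
    return "<" in session_id and session_id in page

# Constructed input: the example URL from the commit message.
EXAMPLE_URL = ("http://example.com/cgi-bin/catalog/catalogs.html"
               "?id=PMJCrmoJ%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E")

if __name__ == "__main__":
    sid = session_id_from_url(EXAMPLE_URL)
    for name, render in (("vulnerable", error_page_vulnerable),
                         ("fixed", error_page_fixed),
                         ("escaped", error_page_escaped)):
        print(f"{name:10s} reflects markup: {reflects_markup(render(sid), sid)}")
```

Only the vulnerable renderer returns the decoded payload as live markup, which is exactly what the scanner flagged.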