[ic] interchange-users Digest, Vol 135, Issue 13

Josh Lavin josh at perusion.com
Thu Sep 25 20:12:33 UTC 2014


Quoting Bob Puff (bob at nleaudio.com):
> 
> > > mv_session_id=PC9Bp9yf&mv_searchtype=db&mv_matchlimit=10&mv_sort_field=category&mv_search_field=x'%20xor%20sleep(15)%20/*&mv_substring_match=1&mv_searchspec=123
> > 
> > That looks like you have a syntax error in some perl, an improperly
> > terminated quote or something because you have perl code in your
> > mv_search_field and that's wrong.
> 
> Hi Peter,
> 
> Thanks for the reply.  This catalog came from a 5.2 foundation demo.  I don't
> normally get any errors with this cart, only that it isn't passing a PCI
> compliance test.  Where would I look to see where such code might get executed?

I think the code in the link above is the PCI scanner trying to exploit
the site. 

You just want to check where that parameter is output, to make sure it
is filtered. E.g., if on results.html page, you have:

	[cgi mv_search_field]

it will print the exploit verbatim. You instead would want to have:

	[cgi name=mv_search_field filter=e]

(that runs the parameter through the encode_entities filter before
display)

So, if your PCI scanner is reporting problems, then you likely are
outputting those params verbatim, and need to look for them and filter
them. You can't control what the scanner or anyone else types in a GET
or POST request to your site -- you can only control what you display.

In this case, I would check your results.html and results_big.html
files, or wherever you are sending your results (mv_search_page).

-- 
Josh Lavin
Perusion -- Expert Interchange Consulting    http://www.perusion.com/
... ask me about job opportunities ...
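An added example, not from this thread and not Interchange's own tag parser: a small Python audit script that scans a results.html fragment for [cgi ...] tags echoing a request parameter with no entity-encoding filter, then expands the template against the scanner probe quoted above to show the difference between [cgi mv_search_field] and [cgi name=mv_search_field filter=e]. The template fragment is constructed; treating "entities" as the long form of filter=e, and handling only the positional and name=/filter= tag forms, are assumptions.

```python
import re
from html import escape
from urllib.parse import parse_qs

# Constructed: the scanner probe quoted in the thread, as a raw query string.
PROBE = ("mv_session_id=PC9Bp9yf&mv_searchtype=db&mv_matchlimit=10"
         "&mv_sort_field=category&mv_search_field=x'%20xor%20sleep(15)%20/*"
         "&mv_substring_match=1&mv_searchspec=123")

# Constructed: a hypothetical results.html fragment mixing safe and unsafe tags.
TEMPLATE = """<h2>Results for [cgi mv_searchspec]</h2>
<p>Sorted by [cgi name=mv_sort_field filter=e]</p>
<p>Field: [cgi mv_search_field]</p>"""

# filter=e is the one named in the thread; "entities" is assumed to be its long form.
SAFE_FILTERS = {"e", "entities"}
CGI_TAG = re.compile(r"\[cgi\s+([^\]]+)\]")

def parse_cgi_tag(body):
    """Split an ITL [cgi ...] body into (param name, list of filters).
    Handles [cgi NAME] and [cgi name=NAME filter=...] only (assumption)."""
    attrs = dict(re.findall(r"(\w+)=([^\s\]]+)", body))
    name = attrs.get("name") or body.split()[0]
    return name, attrs.get("filter", "").split()

def unfiltered_cgi_tags(template):
    """Names of request parameters the template echoes with no entity filter."""
    unsafe = []
    for body in CGI_TAG.findall(template):
        name, filters = parse_cgi_tag(body)
        if not SAFE_FILTERS.intersection(filters):
            unsafe.append(name)
    return unsafe

def render(template, query):
    """Expand [cgi] tags as the thread describes: verbatim unless an entity
    filter is present, in which case the value is HTML-entity encoded."""
    params = {k: v[0] for k, v in parse_qs(query).items()}
    def expand(m):
        name, filters = parse_cgi_tag(m.group(1))
        value = params.get(name, "")
        return escape(value, quote=True) if SAFE_FILTERS.intersection(filters) else value
    return CGI_TAG.sub(expand, template)

if __name__ == "__main__":
    print("Echoed without filter:", unfiltered_cgi_tags(TEMPLATE))
    print(render(TEMPLATE, PROBE))
```

Run it against your real results.html / results_big.html instead of TEMPLATE to get the list of parameters that still need filter=e.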