Mailing List Archive: Interchange: users

PCI scan suddenly failing?

Index | Next | Previous | View Threaded

db at m-and-d

Jun 27, 2013, 11:28 AM

Post #1 of 8 (84 views)
Permalink

PCI scan suddenly failing?

Hi - today I'm seeing a number of problems with a PCI compliance scan
which previously had not been an issue. They're all similar to:

---------------------
A reflected cross-site scripting vulnerability was identified in this
web application. Reflected cross-site scripting is when HTML or
Javascript content is supplied to a user defined parameter to have it
then displayed (aka: reflected) back to the user and rendered or
interpreted by their browser.

Paramter: id
Request: GET /index.html?id=%3Cscript%3Ealert('TK00000008')%3C/script%3E
HTTP/1.1

Accept: */*
---------------------

Even my index.html page now has such an error, so I'd think many other
IC users would see the same thing. Does anyone have any idea what the
scanner is complaining about, or how to correct it?

DB

_______________________________________________
interchange-users mailing list
interchange-users [at] icdevgroup
http://www.icdevgroup.org/mailman/listinfo/interchange-users

icdev at mrlock

Jun 27, 2013, 11:46 AM

Post #2 of 8 (82 views)
Permalink

Re: PCI scan suddenly failing? [In reply to]

Hi - today I'm seeing a number of problems with a PCI compliance scan
which previously had not been an issue. They're all similar to:

---------------------
A reflected cross-site scripting vulnerability was identified in this
web application. Reflected cross-site scripting is when HTML or
Javascript content is supplied to a user defined parameter to have it
then displayed (aka: reflected) back to the user and rendered or
interpreted by their browser.

Paramter: id
Request: GET /index.html?id=%3Cscript%3Ealert('TK00000008')%3C/script%3E
HTTP/1.1

Accept: */*
---------------------

Even my index.html page now has such an error, so I'd think many other
IC users would see the same thing. Does anyone have any idea what the
scanner is complaining about, or how to correct it?

DB

>>>>>>>>>>>>>>
What version of IC are you using?

-Steve

_______________________________________________
interchange-users mailing list
interchange-users [at] icdevgroup
http://www.icdevgroup.org/mailman/listinfo/interchange-users

db at m-and-d

Jun 27, 2013, 11:52 AM

Post #3 of 8 (82 views)
Permalink

PCI scan suddenly failing? [In reply to]

Here's some more specific info on one of the failed items:

Evidence:
URL: http://www.domain.com/index.html
Parameter: id
Request: GET
/index.html?id=%3Cscript%3Ealert('TK00000008')%3C/script%3E
HTTP/1.1 Accept: */* User-Agent: Ruby, Mozilla/4.0 (compatible;
MSIE 6.0; Windows NT 5.1) Host: www.domain.com
Response: HTTP/1.1 403 Forbidden Set-Cookie: MV_SESSION_ID=;
path=/cgi-bin/store; Set-Cookie: MV_SESSION_ID=; path=/; Status:
403 Unauthorized Content-Type: text/plain Transfer-Encoding:
chunked Date: Thu, 27 Jun 2013 17:06:38 GMT Server:
lighttpd/1.4.31

_______________________________________________
interchange-users mailing list
interchange-users [at] icdevgroup
http://www.icdevgroup.org/mailman/listinfo/interchange-users

db at m-and-d

Jun 27, 2013, 12:01 PM

Post #4 of 8 (82 views)
Permalink

Re: PCI scan suddenly failing? [In reply to]

> Hi - today I'm seeing a number of problems with a PCI compliance scan
> which previously had not been an issue. They're all similar to:
>
> ---------------------
> A reflected cross-site scripting vulnerability was identified in this
> web application. Reflected cross-site scripting is when HTML or
> Javascript content is supplied to a user defined parameter to have it
> then displayed (aka: reflected) back to the user and rendered or
> interpreted by their browser.
>
>
> Paramter: id
> Request: GET /index.html?id=%3Cscript%3Ealert('TK00000008')%3C/script%3E
> HTTP/1.1
>
> Accept: */*
> ---------------------
>
> Even my index.html page now has such an error, so I'd think many other
> IC users would see the same thing. Does anyone have any idea what the
> scanner is complaining about, or how to correct it?
>
> DB
>
>>>>>>>>>>>>>>>
> What version of IC are you using?
>
> -Steve

I'm running 5.6.3 and I also just sent to the list more specific details
about the request and respanse that caused the issue. I've not made any
changes to my site's operation, so I think this must be something new
that my PCI service is scanning for.

DB

_______________________________________________
interchange-users mailing list
interchange-users [at] icdevgroup
http://www.icdevgroup.org/mailman/listinfo/interchange-users

richard at endpoint

Jun 27, 2013, 12:02 PM

Post #5 of 8 (83 views)
Permalink

Re: PCI scan suddenly failing? [In reply to]

On Thu, Jun 27, 2013 at 01:46:20PM -0500, Steve Graham wrote:
> Hi - today I'm seeing a number of problems with a PCI compliance scan
> which previously had not been an issue. They're all similar to:
>
> ---------------------
> A reflected cross-site scripting vulnerability was identified in this
> web application. Reflected cross-site scripting is when HTML or
> Javascript content is supplied to a user defined parameter to have it
> then displayed (aka: reflected) back to the user and rendered or
> interpreted by their browser.
>
>
> Paramter: id
> Request: GET /index.html?id=%3Cscript%3Ealert('TK00000008')%3C/script%3E
> HTTP/1.1
>
> Accept: */*
> ---------------------
>
> Even my index.html page now has such an error, so I'd think many other
> IC users would see the same thing. Does anyone have any idea what the
> scanner is complaining about, or how to correct it?
>
> DB
>

The issue is when you have a malformed id in your query string Interchange actually prints out something along the lines of "Invalid session ID: 3Cscript%3Ealert('TK00000008')%3C/script%3E. Logged". Well the security scanner sees the fact that it printed the alert on the page and determines that you have an cross-site scripting vulnerability. I've had to challenge their finding and have them run it by hand to show them that it's not actually running the alert. I think for another client we modified that part of Interchange so it didn't print out the invalid id.

Richard

_______________________________________________
interchange-users mailing list
interchange-users [at] icdevgroup
http://www.icdevgroup.org/mailman/listinfo/interchange-users

db at m-and-d

Jun 27, 2013, 12:31 PM

Post #6 of 8 (77 views)
Permalink

Re: PCI scan suddenly failing? [In reply to]

> The issue is when you have a malformed id in your query string
> Interchange actually prints out something along the lines of "Invalid
> session ID: 3Cscript%3Ealert('TK00000008')%3C/script%3E. Logged".
> Well the security scanner sees the fact that it printed the alert on
> the page and determines that you have an cross-site scripting
> vulnerability. I've had to challenge their finding and have them run
> it by hand to show them that it's not actually running the alert. I
> think for another client we modified that part of Interchange so it
> didn't print out the invalid id.
>
> Richard

Thanks - I see no real security problem either, but we'll see if
reasoning with the PCI scanning company works.

DB

_______________________________________________
interchange-users mailing list
interchange-users [at] icdevgroup
http://www.icdevgroup.org/mailman/listinfo/interchange-users

icdev at mrlock

Jun 27, 2013, 1:27 PM

Post #7 of 8 (78 views)
Permalink

Re: PCI scan suddenly failing? [In reply to]

-----Original Message-----
From: DB
Sent: Thursday, June 27, 2013 2:31 PM
To: interchange-users [at] icdevgroup
Subject: Re: [ic] PCI scan suddenly failing?

> The issue is when you have a malformed id in your query string
> Interchange actually prints out something along the lines of "Invalid
> session ID: 3Cscript%3Ealert('TK00000008')%3C/script%3E. Logged".
> Well the security scanner sees the fact that it printed the alert on
> the page and determines that you have an cross-site scripting
> vulnerability. I've had to challenge their finding and have them run
> it by hand to show them that it's not actually running the alert. I
> think for another client we modified that part of Interchange so it
> didn't print out the invalid id.
>
> Richard

Thanks - I see no real security problem either, but we'll see if
reasoning with the PCI scanning company works.

DB

--------------
DB,

Next time the PCI scan is run on my site, I'll keep an eye out for this - I
ran your test and the alert box did not show up here either, will probably
contest this as well if it shows up.

-Steve

_______________________________________________
interchange-users mailing list
interchange-users [at] icdevgroup
http://www.icdevgroup.org/mailman/listinfo/interchange-users

peter at pajamian

Jun 27, 2013, 4:45 PM

Post #8 of 8 (71 views)
Permalink

Re: PCI scan suddenly failing? [In reply to]

On 06/28/2013 07:02 AM, Richard Templet wrote:
> The issue is when you have a malformed id in your query string
> Interchange actually prints out something along the lines of "Invalid
> session ID: 3Cscript%3Ealert('TK00000008')%3C/script%3E. Logged".
> Well the security scanner sees the fact that it printed the alert on
> the page and determines that you have an cross-site scripting
> vulnerability. I've had to challenge their finding and have them run
> it by hand to show them that it's not actually running the alert. I
> think for another client we modified that part of Interchange so it
> didn't print out the invalid id.

It actually was an XSS vulnerability as it returns user input to the
page unmodified. It was fixed a few years ago:

commit 771683c75afa3b492793d576e17187f1b6f92d6c
Author: David Christensen <david [at] endpoint>
Date: Tue Nov 3 17:21:40 2009 -0600

Remove the explicit display of an invalid user-provided session id

Hypothetically, some stupid browsers could be coerced into doing
Something Bad; in any case, it's cleaner to just exclude it from the
output all together.

Example URL:

http://example.com/cgi-bin/catalog/catalogs.html?id=PMJCrmoJ%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E

Reported by Mat Jones.

_______________________________________________
interchange-users mailing list
interchange-users [at] icdevgroup
http://www.icdevgroup.org/mailman/listinfo/interchange-users

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads