PCI Non Compliance because of XSS Vulnerability

Re: PCI Non Compliance because of XSS Vulnerability

Hi wood1e,

 

Sorry if you're getting multiple notifications on my messages. They just seem to keep getting lost (or I'm just incapable of using the internet properly).

The problem with these scanners is that many of them just try to err on the side of reporting too many issues instead of too few. So it is possible that you will be getting false positives.

The specific issue it flagged is a very old issue and deals with a file called default.php. Search your codebase for a file like that and if something turns up, then you can investigate further. The link I posted above to ExploitDB gives you a decent idea of what that warning is all about without getting too technical.

---------------------------------------------------
My Magento Security Podcast

Re: PCI Non Compliance because of XSS Vulnerability

You could grep your root folder as the headers of osCommerce files are signed.

  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright (c) 2003 osCommerce

So something like:

grep -r "osCommerce\|oscommerce" /var/www/vhosts/somesitename/httpdocs/

Obviously changing the path to your root folder as it could be set up differently.

 

Alternatively you could try a locate for specific files within the osCommerce install. Here is a list of the files in version 2.2: http://www.oscdox.com/crossx/nav.html?_functions/index.html

find . -name "login.php"
Regards
Sven

Re: PCI Non Compliance because of XSS Vulnerability

The specific vulnerability exists in a file called default.php. Maybe you have a file of the same name with the same vulnerability and it is miscategorizing it?

Can you try this also and report back?

find . -name "default.php"
---------------------------------------------------
My Magento Security Podcast
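
An added example (not part of the original thread) that combines the two checks suggested in the posts above: it finds default.php and login.php under a web root and reports whether each one carries the osCommerce header banner, which helps separate a real osCommerce leftover from a same-named file the scanner may have miscategorized. The function names and the 20-line header window are assumptions made for this example.

```shell
#!/bin/sh
# Triage helper for a scanner finding that names an osCommerce file.

# find_oscommerce_candidates ROOT
# Prints "<osc-header|no-header><TAB><path>" for every default.php or
# login.php below ROOT (the two file names mentioned in the thread).
find_oscommerce_candidates() {
    find "$1" -type f \( -name 'default.php' -o -name 'login.php' \) \
        -exec sh -c '
            for f in "$@"; do
                # The banner sits in the opening comment (lines 5-8 in the
                # excerpt quoted above), so the first 20 lines are enough.
                if head -n 20 "$f" | grep -qi "oscommerce"; then
                    printf "osc-header\t%s\n" "$f"
                else
                    printf "no-header\t%s\n" "$f"
                fi
            done' sh {} + | sort
}

# list_oscommerce_files ROOT
# Prints every .php file below ROOT that mentions osCommerce anywhere,
# whatever its name. An empty result supports a false positive.
list_oscommerce_files() {
    find "$1" -type f -name '*.php' -exec grep -li 'oscommerce' {} + | sort
}

# Run against a web root when one is given on the command line.
if [ "$#" -gt 0 ]; then
    find_oscommerce_candidates "$1"
    list_oscommerce_files "$1"
fi
```

A file reported as no-header still needs a manual look if the scanner flagged its exact URL, since the banner can be stripped from a copied file.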

Re: PCI Non Compliance because of XSS Vulnerability

@sherrie saved the day and all my messages are released from the penalty box. Ignore dupes above 😬

---------------------------------------------------
My Magento Security Podcast