PCI Scan shows 'script' XSS vulnerability in catalogsearch/result

Hi,

We are using v1.9.1.0 and our PCI scan revealed a level 10.0 (highest) vulnerability regarding the catalogsearch/result:

Cross-Site Scripting in HTML 'script' tag

Apart from upgrading, how can we prevent this? Would upgrading likely fix this?

Many thanks,

3 REPLIES

Re: PCI Scan shows 'script' XSS vulnerability in catalogsearch/result

Hi @Wegento

I am also getting a report from my site's PCI scan, as follows:

Injected into the "q" form parameter
(Using method POST) on
http://www.example.com/catalogsearch/result/:
1041: _gaq.push([
1042: '_trackEvent',
1043: 'Search',
1044: 'Search with no Results',
1045: "\\\"><script>992170282",

I am using Magento 1.4.1.1 version. Did you find a solution for this?

Thanks

Update:

I had the following code in my custom phtml file:

 

_gaq.push(['_trackEvent', 'SiteSearch', <?php echo Mage::helper('core')->jsonEncode($this->helper('catalogSearch')->getQueryText()); ?> ,, <?php echo $this->getResultCount();?> , true]);

I replaced it with the following:

_gaq.push(['_trackEvent', 'SiteSearch', <?php echo Mage::helper('core')->jsonEncode($this->helper('catalogSearch')->getEscapedQueryText()); ?> ,, <?php echo $this->getResultCount();?> , true]);

Notice getEscapedQueryText() in the second code line; that fixed the issue.

---
Problem Solved? Click Accept as Solution! - Magento Community India Forum

Re: PCI Scan shows 'script' XSS vulnerability in catalogsearch/result

Your custom template probably fails to properly sanitize the output. It needs to return the query string with something like this:
$this->__("Search results for: '%s'", $this->helper('catalogsearch')->getEscapedQueryText())

Re: PCI Scan shows 'script' XSS vulnerability in catalogsearch/result

As to this one, somebody customized the template to push search queries to Google Analytics and doesn't understand properly escaping user-provided content, which needs to have

$this->escapeHtml()

applied to it.
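The escaping steps from the update in the first reply and the escapeHtml point in this one, as an added example that is not from the thread or from Magento's own code. It runs as plain PHP: json_encode() is assumed to stand in for Mage::helper('core')->jsonEncode() and htmlspecialchars() for getEscapedQueryText(); the probe string is the one the scan report shows, and the JSON_HEX_* variant is a third option the thread does not mention.

```php
<?php
// The string the PCI scanner injected into the "q" parameter, per the report.
$probe = '"><script>992170282';

// 1. What the original template did: JSON-encode the raw query text.
//    Assumption: the core helper's jsonEncode() behaves like json_encode().
function encodeJsonOnly(string $s): string
{
    return json_encode($s);
}

// 2. What the fix in the thread does: HTML-escape first, then JSON-encode.
//    Assumption: getEscapedQueryText() behaves like htmlspecialchars().
function encodeHtmlThenJson(string $s): string
{
    return json_encode(htmlspecialchars($s, ENT_QUOTES, 'UTF-8'));
}

// 3. A script-context encoder that needs no HTML pass: the JSON_HEX_* flags
//    turn < > & ' " into \uXXXX escapes, so the literal can never form a tag
//    or terminate the surrounding <script> block.
function encodeForInlineScript(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Defender check: a literal that still carries a raw '<' or '>' is what the
// scanner reports as "Cross-Site Scripting in HTML 'script' tag".
function containsRawTagChars(string $encoded): bool
{
    return strpbrk($encoded, '<>') !== false;
}

foreach (['encodeJsonOnly', 'encodeHtmlThenJson', 'encodeForInlineScript'] as $fn) {
    $literal = $fn($probe);
    // Show how each variant would land in the template's _gaq.push() call.
    printf("%-22s _gaq.push(['_trackEvent', 'SiteSearch', %s, , 0, true]);  raw <> left: %s\n",
        $fn, $literal, containsRawTagChars($literal) ? 'yes' : 'no');
}
```

The second form sends HTML entities such as &lt; to Google Analytics as part of the event text; the third keeps the query intact for JavaScript while still leaving no character that can open or close a tag.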