PCI Scan says "XSS non-persistent hole"?

thread: 2 messages  |  last: a year ago  |  started: tuesday, february 16, 2010, 6:44 pm pst


#1  |  Frank W (Toronto, Canada)
Tuesday, February 16, 2010, 6:44 PM PST

I was wondering if anyone could comment on this as I'm by no means a security expert.

I've run a free PCI scan using Hackerguardian as we're about to apply for a merchant account, and keep getting this “warning”.

"Non-persistent Cross-Site Scripting Vulnerability"
"CGI abuses : XSS "
"Medium Priority"
The following CGI script seems to be vulnerable to XSS non-persistent hole: /qcodo-0.4.10/www/assets/php/_core/error_already_rendered_page.php
Unsafe arguments: strHtml
Unsafe URLs: /qcodo-0.4.10/www/assets/php/_core/error_already_rendered_page.php
POST data: strHtml=%3c%2fscript%3e%3cscript%3ealert(12345)%3c%2fscript%3e (XSS pattern: </script><script>alert(12345)</script>)
An attacker may exploit this flaw to steal users' cookies.

Solution: Modify the relevant CGIs so that they filter metacharacters, convert < and > to escape sequences.
Risk factor: Medium / CVSS Base Score: 4.3

Is this a real error, or just the scanner being stupid? Thanks!

#2  |  Mike Ho (Sunnyvale, CA), Qcodo Administrator
Tuesday, February 16, 2010, 11:00 PM PST

It's complaining about the error page... which is not really supposed to be run in production anyway.

Best idea would be to disable the error page and instead use the “friendly error page” functionality... it makes your site more user-friendly and alleviates this issue, all at once. =)
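For anyone who wants to understand the finding itself, here is an added example (not Qcodo's own code, and not the file the scanner named): a hypothetical minimal page that reflects a POST parameter called strHtml, shown both as the scanner would flag it and with the output encoding the report's "Solution" line asks for. It also re-runs the scanner's own check locally, so you can confirm the probe is no longer reflected verbatim once a page is fixed or replaced.

```php
<?php
// Added example, not Qcodo's code. The real error_already_rendered_page.php
// is not reproduced here; this is a stand-in for any page that echoes a
// request parameter straight into HTML, which is what produces the finding.

// Unsafe: the posted value is inserted verbatim, so a value that closes the
// current element and opens a <script> tag becomes part of the page.
function renderUnsafe(string $strHtml): string
{
    return '<html><body><pre>' . $strHtml . '</pre></body></html>';
}

// Hardened: encode the HTML metacharacters before the value reaches the page.
// ENT_QUOTES also encodes quotes, so the same value is safe inside attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function renderSafe(string $strHtml): string
{
    $encoded = htmlspecialchars($strHtml, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<html><body><pre>' . $encoded . '</pre></body></html>';
}

// Re-test the way the scanner does: is the raw probe present in the response?
function isReflected(string $html, string $probe): bool
{
    return strpos($html, $probe) !== false;
}

// The probe from the scan report above, URL-decoded.
$probe = urldecode('%3c%2fscript%3e%3cscript%3ealert(12345)%3c%2fscript%3e');

// In a real page the value would come from $_POST['strHtml'] ?? ''; here the
// probe is fed in directly so the script runs from the command line.
$pages = [
    'renderUnsafe' => renderUnsafe($probe),
    'renderSafe'   => renderSafe($probe),
];
foreach ($pages as $name => $html) {
    printf("%-12s probe reflected verbatim: %s\n",
        $name, isReflected($html, $probe) ? 'yes' : 'no');
}
```

Run it with `php` on the command line; the same isReflected() check can be pointed at the HTML your own site returns for the scanner's POST after you disable the error page or switch to the friendly error page.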



Copyright © 2005 - 2012, Quasidea Development, LLC
This open-source framework for PHP is released under the terms of The MIT License.