Magento Forum

   
Cross-Site Scripting Vulnerability from a Magento Connect Extension
 
WetFlam
Jr. Member
 
Total Posts:  25
Joined:  2011-06-16
 

Before I post any details of the issue, I want to ask whether it would be appropriate to post a security issue with an extension found on Magento Connect here. I have (or had, rather) a social extension that added icons like Facebook and so on to my pages to allow for bookmarking and sharing, but my merchant did a PCI compliance scan and found that the plugin is vulnerable to cross-site scripting attacks, and I am unsure how to fix it without removing the extension altogether (I have verified that removing it removes the vulnerability).

 
 
thebod
Moderator
 
Total Posts:  81
Joined:  2010-08-11
 

Hi,

Posting vulnerabilities in public is never a good idea.

You should try to reach out to the author of the extension. Magento Connect contains third-party software which is not maintained by Magento itself, and I think Magento can't help you with this issue.
Therefore I would suggest you mail the author directly. You can send me a private message here on the board and I could help you handle it.

Thanks

 
 
WetFlam
Jr. Member
 
Total Posts:  25
Joined:  2011-06-16
 
thebod - 17 April 2012 09:50 PM

Hi,

Posting vulnerabilities in public is never a good idea.

You should try to reach out to the author of the extension. Magento Connect contains third-party software which is not maintained by Magento itself, and I think Magento can't help you with this issue.
Therefore I would suggest you mail the author directly. You can send me a private message here on the board and I could help you handle it.


Thanks

Unfortunately the author is French or something, so it's doubtful that I will hear back from him. I did email him first, though. No response thus far. It's really a matter of having the extension sanitize itself to prevent exploits. Can anyone possibly help me with that? I'm willing to pay a small fee for help.

 
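The fix WetFlam is asking for is output escaping in the extension's templates. What follows is an added illustration for this thread, not code from the extension being discussed and not Magento's own code: it shows the usual way a share-button template concatenates the current request URL and page title into markup, beside the escaped form. The function names, the sharer URL and the sample input are assumptions made up for the example.

```php
<?php
// Added example for this thread; it is not the extension under discussion and not Magento code.
// A "share this page" template usually builds a link from the current request URL and the
// page title. Printing those raw lets anything in the query string reach the HTML.

// Vulnerable: raw concatenation into an href attribute and into the link text.
function renderShareLinkVulnerable($currentUrl, $title)
{
    return '<a href="http://www.facebook.com/sharer.php?u=' . $currentUrl
         . '&t=' . $title . '">Share ' . $title . '</a>';
}

// Hardened: encode for each context the value passes through. The values are query
// parameters of the sharer URL (percent-encode them), the finished URL lands inside an
// HTML attribute, and the title lands in HTML text (HTML-escape both).
function renderShareLinkHardened($currentUrl, $title)
{
    $sharer = 'http://www.facebook.com/sharer.php?u=' . rawurlencode($currentUrl)
            . '&t=' . rawurlencode($title);
    return '<a href="' . htmlspecialchars($sharer, ENT_QUOTES, 'UTF-8') . '">Share '
         . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Constructed input of the kind a scanner injects into the query string (not real scan data).
$currentUrl = 'http://shop.example/product.html?q="><script>alert(1)</script>';
$title      = 'Widget <img src=x onerror=alert(2)>';

// The vulnerable rendering closes the href attribute early and emits a live <script>
// element; the hardened rendering keeps every attacker character inside the attribute
// and the link text as inert, encoded characters.
echo renderShareLinkVulnerable($currentUrl, $title), PHP_EOL;
echo renderShareLinkHardened($currentUrl, $title), PHP_EOL;
```

Run it from the command line with `php`. In a Magento 1 block template the HTML-escaping step is available on the block as `$this->escapeHtml()`; the scanner's finding goes away once every request-derived value the template prints is escaped for the context it lands in, which a rescan should confirm.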
 
thebod
Moderator
 
Total Posts:  81
Joined:  2010-08-11
 

Hi,

I will help you (for sure for free, security should not be a question of money).

I'll send you a private message here; it might be better not to discuss it where it's visible to everyone.

Thanks

 
 
Brynnae
Member
 
Total Posts:  36
Joined:  2012-04-17
California
 

Yes, it might be possible that removing the extension can prevent the vulnerability from being used to destroy data. If you think that removing the extension will be effective, then you should remove it immediately. No need to think about this, because removing the extension is better than having your data hacked by hackers.

 
 
WetFlam
Jr. Member
 
Total Posts:  25
Joined:  2011-06-16
 

Hey thebod, thanks for your offer to help. I replied to your PM. I am terribly sorry it's like a month later; I didn't realize I had one, and I have been extremely preoccupied with several other tasks. It doesn't appear the developer is going to respond to me, as it has been quite some time and I have not seen him put out any new releases, so I am assuming he doesn't plan to resolve it or he didn't understand what I was trying to tell him. Let me know if the PM has all the info you need. And if you can, could you possibly follow up with me at the email address I provided in the PM, as I don't get on here that often right now.

 
 
WetFlam
Jr. Member
 
Total Posts:  25
Joined:  2011-06-16
 

thebod doesn't appear to be returning my messages. Does anyone else think they could help with coding an extension so that it sanitizes itself?

 
 
Extendware
Sr. Member
 
Total Posts:  220
Joined:  2011-08-04
 

I would recommend purchasing an extension from a commercial provider, so you will get support. There might be an alternative to this extension on Magento Connect if you do a search.

 