
Magento Forum

PCI Compliance
 
Dan Siop
Jr. Member
 
Total Posts:  12
Joined:  2010-08-19
 

Hey,

Magento Version being used: 1.4.1.1

I have managed to get all PCI checks passed now, but there is one issue that I am having with passing the final little security issue.

I was wondering if anyone knew a way to get around this.

The security issues are listed below.

Protocol: TCP
Port: 80
Program: http
Score: 6.8
Description: Web Server Generic XSS
Synoposis: The remote web server is prone to cross-site scripting attacks.
Impact: The remote host is running a web server that fails to adequately sanitize request strings of malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site.
Resolution: Contact the vendor for a patch or upgrade.
Risk Factor: Medium / CVSS2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVE: CVE-2002-1700 BID: 5011
Additional CVEs: CVE-2006-1681 CVE-2005-2453 CVE-2003-1543

Protocol: TCP
Port: 443
Program: https
Score: 6.8
Description: Web Server Generic XSS
Synoposis: The remote web server is prone to cross-site scripting attacks.
Impact: The remote host is running a web server that fails to adequately sanitize request strings of malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site.
Resolution: Contact the vendor for a patch or upgrade.
Risk Factor: Medium / CVSS2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVE: CVE-2002-1700 BID: 5011
Additional CVEs: CVE-2006-1681 CVE-2005-2453 CVE-2003-1543

My understanding of these issues is that all form and user input fields need to not allow special characters like ?><'="();:/\

Does anyone know how I can resolve these issues? I am using a theme from Magentist, and they say that their theme is not compatible with newer versions of Magento such as 1.7.

If anyone knows of a patch or a way to get this resolved I would greatly appreciate your knowledge.

Many thanks

DanSiop
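The scanner finding quoted above ("fails to adequately sanitize request strings of malicious JavaScript") describes reflected cross-site scripting: a value taken from the request is written back into the page without being HTML-encoded. The usual remediation is to encode at the point of output rather than to reject characters on input, since legitimate values (product names, search terms, addresses) routinely contain quotes and angle brackets. The following is an added illustration, not code from the original post, from Magentist or from Magento itself; the `renderSearchHeadingUnsafe` and `renderSearchHeadingSafe` functions and the sample request value are constructed for the demonstration. Magento 1 exposes the same encoding step through its `escapeHtml()` block/helper method, which wraps `htmlspecialchars`; the stand-alone function here lets the example run without a Magento install.

```php
<?php
// Added example (not the poster's, Magentist's or Magento's code).
// Shows the reflected-XSS pattern a generic web-scanner check looks for,
// beside the output-encoding fix that makes the same request harmless.

/**
 * Vulnerable pattern: the request parameter is concatenated straight into
 * HTML, so any markup in the query string becomes part of the page the
 * browser parses and executes.
 */
function renderSearchHeadingUnsafe($query)
{
    return '<h1>Results for ' . $query . '</h1>';
}

/**
 * Remediated pattern: HTML-encode at the point of output. ENT_QUOTES also
 * encodes single quotes, which matters when a value lands inside an
 * attribute; the explicit UTF-8 charset avoids encoder confusion on
 * multibyte input. This is the same call Magento 1's escapeHtml() makes.
 */
function renderSearchHeadingSafe($query)
{
    $escaped = htmlspecialchars($query, ENT_QUOTES, 'UTF-8');
    return '<h1>Results for ' . $escaped . '</h1>';
}

/**
 * Defender's check: true when the rendered page still contains the raw
 * characters that would let a request value break out of text context.
 * A scanner re-test works on the same principle, sending a marker in the
 * query string and looking for it reflected unencoded in the response.
 */
function reflectsRawMarkup($html, $query)
{
    return strpos($html, $query) !== false
        && preg_match('/[<>"\']/', $query) === 1;
}

// Constructed sample request value containing the characters the scanner
// probes for. This stands in for $_GET['q'] in a real handler.
$sample = '"><b>x</b>';

$unsafe = renderSearchHeadingUnsafe($sample);
$safe   = renderSearchHeadingSafe($sample);

printf("unsafe reflects raw markup: %s%n", reflectsRawMarkup($unsafe, $sample) ? 'yes' : 'no');
printf("safe   reflects raw markup: %s%n", reflectsRawMarkup($safe, $sample) ? 'yes' : 'no');
echo $unsafe, PHP_EOL;
echo $safe, PHP_EOL;
```

In a Magento 1.4 template the equivalent change is to pass any request-derived value through `$this->escapeHtml(...)` (or `$this->htmlEscape(...)` on older code) before echoing it, and to do the same in the theme's own `.phtml` files, since a third-party theme that echoes `$_GET` or request parameters directly is the most common source of this particular finding. After the change, re-run the PCI scan: the check passes when the marker it injects no longer appears unencoded in the response.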
