ScanAlert Cross site scripting XSS - Alleged Level 2 (of 5)

This is a discussion in the osCMax v2 Features Discussion forum, part of the osCMax v2.0 Forums category.
ScanAlert says that the OSCMax RC2 with 051112 patch, index.php may be vulnerable to XSS. Here is an excerpt:

"The remote web application appears to be vulnerable to cross site scripting (XSS). {snip} The damage caused by such an attack can range from stealing session and cookie data from your customers to loading a virus payload onto their computer via browser. The pages listed in the vulnerability output will display embedded javascript with no filtering back to the user."

"General Solution: Ensure you turn the > and < into their HTML equivalents before sending it back to the browser. Ensure that parameters and user input are stripped of HTML tags before using.

    # Remove <:
    input = replace( input, "<", "" )
    # Remove >:
    input = replace( input, ">", "" )
    # Remove ':
    input = replace( input, "'", "" )

Filtering < and > alone will not solve all cross site scripting attacks and it is suggested you also attempt to filter out ( and ) by translating them to their encoded equivalents."

Is there any validity to this? What, if anything, should I do to fix it?

Thanks,
Ken
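Added example (not code from the thread, osCMax or ScanAlert): a Python comparison of the stripping filter quoted in the scanner's "General Solution" against full HTML entity encoding, run over constructed sample strings, to show why encoding for the output context is the safer general fix.

```python
"""Output encoding vs. character stripping for the XSS finding above.

Added example, not code from osCMax or ScanAlert. All input strings are
constructed samples; nothing here touches the real index.php.
"""
import html


def scanner_strip(value: str) -> str:
    """The filter sketched in the scanner's 'General Solution': drop <, >
    and ' outright and entity-encode ( and ). It is lossy (legitimate
    characters vanish from product names or search terms) and leaves the
    double quote alone, so it is not safe inside an HTML attribute."""
    for ch in ("<", ">", "'"):
        value = value.replace(ch, "")
    return value.replace("(", "&#40;").replace(")", "&#41;")


def html_encode(value: str) -> str:
    """Preferred fix: encode for the HTML text/attribute context.
    html.escape with quote=True turns & < > " ' into entities, so the
    browser renders the characters literally instead of parsing them,
    and the original text is fully recoverable (html.unescape)."""
    return html.escape(value, quote=True)


def is_markup_free(encoded: str) -> bool:
    """Cheap check for a unit test: no raw tag delimiter or quote
    character survived the encoder."""
    return not any(ch in encoded for ch in "<>\"'")


def echo_into_attribute(term: str, encoder) -> str:
    """Mimic the page echoing a request parameter back into the HTML it
    sends to the browser (the pattern the scanner flagged), here into a
    form field's value attribute, using the given encoder."""
    return '<input name="keywords" value="' + encoder(term) + '">'


SAMPLES = {
    "probe": "<script>alert(1)</script>",       # constructed scanner-style probe
    "product": 'Widget 2" (large) <Blue>',      # legitimate text that must survive
}

if __name__ == "__main__":
    for name, s in SAMPLES.items():
        print(name, "| strip:", scanner_strip(s), "| encode:", html_encode(s))
    # Encoding is reversible, stripping is not.
    print(html.unescape(html_encode(SAMPLES["product"])) == SAMPLES["product"])
    print(html.unescape(scanner_strip(SAMPLES["product"])) == SAMPLES["product"])
```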