Jump to content

Archived

This topic is now archived and is closed to further replies.

cdogstu99

PCI Compliance-How To Fix XSS (Cross Site Scripting) Errors

Recommended Posts

Help, I've scanned my site and it is not PCI compliant. The three major errors i'm getting are on my contact pages - identified as cross site scripting errors. Anyone know of a way to fix this?

 

Thanks

Share this post


Link to post
Share on other sites

thanks, i actually looked at that yesterday, and changed my .htaccess file according to that module --adding this:

 

Options +FollowSymLinks

RewriteEngine On

RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]

RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]

RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]

RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]

RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})

RewriteRule ^(.*)$ index_error.php [F,L]

RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)

RewriteRule .* - [F]

 

I then re-ran the scan and still getting the same errors. Is there something I'm missing with this?

Share this post


Link to post
Share on other sites

I have also added the .htaccess code and although that solves the PCI problem the site stops working. It loads badly (with our formatting properly) and all links bring up error 403 "the site requires you to log in" but we allow customers to browse as guests.

The site is live and so everytime i try something the site goes down.

Can anyone help please?

The .htaccess looks like this

 

# $Id: .htaccess 1739 2007-12-20 00:52:16Z hpdl $
#
# This is used with Apache WebServers
#
# For this to work, you must include the parameter 'Options' to
# the AllowOverride configuration
#
# Example:
#
# <Directory "/usr/local/apache/htdocs">
#   AllowOverride Options
# </Directory>
#
# 'All' with also work. (This configuration is in the
# apache/conf/httpd.conf file)

# The following makes adjustments to the SSL protocol for Internet
# Explorer browsers

#<IfModule mod_setenvif.c>
#  <IfDefine SSL>
#    SetEnvIf User-Agent ".*MSIE.*" \
#             nokeepalive ssl-unclean-shutdown \
#             downgrade-1.0 force-response-1.0
#  </IfDefine>
#</IfModule>

# If Search Engine Friendly URLs do not work, try enabling the
# following Apache configuration parameter

# AcceptPathInfo On

# Fix certain PHP values
# (commented out by default to prevent errors occuring on certain
# servers)

# php_value session.use_trans_sid 0
# php_value register_globals 1
AddHandler application/x-httpd-php .php 
SetEnvIfNoCase Request_URI IP_Trapped\.txt ban
<Files ~ "^.*$">
order allow,deny
allow from all
deny from env=ban
</Files>
# filter for most common exploits
RewriteCond %{HTTP_USER_AGENT} libwww-perl [OR]

RewriteCond %{QUERY_STRING} tool25 [OR]

RewriteCond %{QUERY_STRING} cmd.txt [OR]

RewriteCond %{QUERY_STRING} cmd.gif [OR]

RewriteCond %{QUERY_STRING} r57shell [OR]

RewriteCond %{QUERY_STRING} c99 [OR]
# ban spam bots 
RewriteCond %{HTTP_USER_AGENT} almaden [OR]

RewriteCond %{HTTP_USER_AGENT} ^Anarchie [OR]

RewriteCond %{HTTP_USER_AGENT} ^ASPSeek [OR]

RewriteCond %{HTTP_USER_AGENT} ^attach [OR]

RewriteCond %{HTTP_USER_AGENT} ^autoemailspider [OR]

RewriteCond %{HTTP_USER_AGENT} ^BackWeb [OR]

RewriteCond %{HTTP_USER_AGENT} ^Bandit [OR]

RewriteCond %{HTTP_USER_AGENT} ^BatchFTP [OR]

RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]

RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]

RewriteCond %{HTTP_USER_AGENT} ^Buddy [OR]

RewriteCond %{HTTP_USER_AGENT} ^bumblebee [OR]

RewriteCond %{HTTP_USER_AGENT} ^CherryPicker [OR]

RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]

RewriteCond %{HTTP_USER_AGENT} ^CICC [OR]

RewriteCond %{HTTP_USER_AGENT} ^Collector [OR]

RewriteCond %{HTTP_USER_AGENT} ^Copier [OR]

RewriteCond %{HTTP_USER_AGENT} ^Crescent [OR]

RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]

RewriteCond %{HTTP_USER_AGENT} ^DA [OR]

RewriteCond %{HTTP_USER_AGENT} ^DIIbot [OR]

RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]

RewriteCond %{HTTP_USER_AGENT} ^DISCo\ Pump [OR]

RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]

RewriteCond %{HTTP_USER_AGENT} ^Download\ Wonder [OR]

RewriteCond %{HTTP_USER_AGENT} ^Downloader [OR]

RewriteCond %{HTTP_USER_AGENT} ^Drip [OR]

RewriteCond %{HTTP_USER_AGENT} ^DSurf15a [OR]

RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]

RewriteCond %{HTTP_USER_AGENT} ^EasyDL/2.99 [OR]

RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]

RewriteCond %{HTTP_USER_AGENT} email [NC,OR]

RewriteCond %{HTTP_USER_AGENT} ^EmailCollector [OR]

RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]

RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]

RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]

RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]

RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]

RewriteCond %{HTTP_USER_AGENT} ^FileHound [OR]

RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]

RewriteCond %{HTTP_USER_AGENT} FrontPage [NC,OR]

RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]

RewriteCond %{HTTP_USER_AGENT} ^GetSmart [OR]

RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]

RewriteCond %{HTTP_USER_AGENT} ^gigabaz [OR]

RewriteCond %{HTTP_USER_AGENT} ^Go\!Zilla [OR]

RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]

RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]

RewriteCond %{HTTP_USER_AGENT} ^gotit [OR]

RewriteCond %{HTTP_USER_AGENT} ^Grabber [OR]

RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]

RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]

RewriteCond %{HTTP_USER_AGENT} ^grub-client [OR]

RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]

RewriteCond %{HTTP_USER_AGENT} ^HTTrack [OR]

RewriteCond %{HTTP_USER_AGENT} ^httpdown [OR]

RewriteCond %{HTTP_USER_AGENT} .*httrack.* [NC,OR]

RewriteCond %{HTTP_USER_AGENT} ^ia_archiver [OR]

RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]

RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]

RewriteCond %{HTTP_USER_AGENT} ^Indy*Library [OR]

RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]

RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]

RewriteCond %{HTTP_USER_AGENT} ^InternetLinkagent [OR]

RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]

RewriteCond %{HTTP_USER_AGENT} ^InternetSeer.com [OR]

RewriteCond %{HTTP_USER_AGENT} ^Iria [OR]

RewriteCond %{HTTP_USER_AGENT} ^JBH*agent [OR]

RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]

RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]

RewriteCond %{HTTP_USER_AGENT} ^JustView [OR]

RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]

RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]

RewriteCond %{HTTP_USER_AGENT} ^LexiBot [OR]

RewriteCond %{HTTP_USER_AGENT} ^lftp [OR]

RewriteCond %{HTTP_USER_AGENT} ^Link*Sleuth [OR]

RewriteCond %{HTTP_USER_AGENT} ^likse [OR]

RewriteCond %{HTTP_USER_AGENT} ^Link [OR]

RewriteCond %{HTTP_USER_AGENT} ^LinkWalker [OR]

RewriteCond %{HTTP_USER_AGENT} ^Mag-Net [OR]

RewriteCond %{HTTP_USER_AGENT} ^Magnet [OR]

RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]

RewriteCond %{HTTP_USER_AGENT} ^Memo [OR]

RewriteCond %{HTTP_USER_AGENT} ^Microsoft.URL [OR]

RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]

RewriteCond %{HTTP_USER_AGENT} ^Mirror [OR]

RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]

RewriteCond %{HTTP_USER_AGENT} ^Mozilla.*Indy [OR]

RewriteCond %{HTTP_USER_AGENT} ^Mozilla.*NEWT [OR]

RewriteCond %{HTTP_USER_AGENT} ^Mozilla*MSIECrawler [OR]

RewriteCond %{HTTP_USER_AGENT} ^MS\ FrontPage* [OR]

RewriteCond %{HTTP_USER_AGENT} ^MSFrontPage [OR]

RewriteCond %{HTTP_USER_AGENT} ^MSIECrawler [OR]

RewriteCond %{HTTP_USER_AGENT} ^MSProxy [OR]

RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]

RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]

RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]

RewriteCond %{HTTP_USER_AGENT} ^NetMechanic [OR]

RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]

RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]

RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]

RewriteCond %{HTTP_USER_AGENT} ^NICErsPRO [OR]

RewriteCond %{HTTP_USER_AGENT} ^Ninja [OR]

RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]

RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]

RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]

RewriteCond %{HTTP_USER_AGENT} ^Openfind [OR]

RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]

RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]

RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]

RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]

RewriteCond %{HTTP_USER_AGENT} ^Ping [OR]

RewriteCond %{HTTP_USER_AGENT} ^PingALink [OR]

RewriteCond %{HTTP_USER_AGENT} ^Pockey [OR]

RewriteCond %{HTTP_USER_AGENT} ^psbot [OR]

RewriteCond %{HTTP_USER_AGENT} ^Pump [OR]

RewriteCond %{HTTP_USER_AGENT} ^QRVA [OR]

RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]

RewriteCond %{HTTP_USER_AGENT} ^Reaper [OR]

RewriteCond %{HTTP_USER_AGENT} ^Recorder [OR]

RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]

RewriteCond %{HTTP_USER_AGENT} ^Scooter [OR]

RewriteCond %{HTTP_USER_AGENT} ^Seeker [OR]

RewriteCond %{HTTP_USER_AGENT} ^Siphon [OR]

RewriteCond %{HTTP_USER_AGENT} ^sitecheck.internetseer.com [OR]

RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]

RewriteCond %{HTTP_USER_AGENT} ^SlySearch [OR]

RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]

RewriteCond %{HTTP_USER_AGENT} ^Snake [OR]

RewriteCond %{HTTP_USER_AGENT} ^SpaceBison [OR]

RewriteCond %{HTTP_USER_AGENT} ^sproose [OR]

RewriteCond %{HTTP_USER_AGENT} ^Stripper [OR]

RewriteCond %{HTTP_USER_AGENT} ^Sucker [OR]

RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]

RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]

RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]

RewriteCond %{HTTP_USER_AGENT} ^Szukacz [OR]

RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]

RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]

RewriteCond %{HTTP_USER_AGENT} ^URLSpiderPro [OR]

RewriteCond %{HTTP_USER_AGENT} ^Vacuum [OR]

RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]

RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]

RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]

RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]

RewriteCond %{HTTP_USER_AGENT} ^[Ww]eb[bb]andit [OR]

RewriteCond %{HTTP_USER_AGENT} ^webcollage [OR]

RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]

RewriteCond %{HTTP_USER_AGENT} ^Web\ Downloader [OR]

RewriteCond %{HTTP_USER_AGENT} ^WebEMailExtrac.* [OR]

RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]

RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]

RewriteCond %{HTTP_USER_AGENT} ^WebHook [OR]

RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]

RewriteCond %{HTTP_USER_AGENT} ^WebMiner [OR]

RewriteCond %{HTTP_USER_AGENT} ^WebMirror [OR]

RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]

RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]

RewriteCond %{HTTP_USER_AGENT} ^Website [OR]

RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]

RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]

RewriteCond %{HTTP_USER_AGENT} ^Webster [OR]

RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]

RewriteCond %{HTTP_USER_AGENT} WebWhacker [OR]

RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]

RewriteCond %{HTTP_USER_AGENT} ^Wget [OR]

RewriteCond %{HTTP_USER_AGENT} ^Whacker [OR]

RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]

RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]

RewriteCond %{HTTP_USER_AGENT} ^x-Tractor [OR]

RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]

RewriteCond %{HTTP_USER_AGENT} ^Xenu [OR]

RewriteCond %{HTTP_USER_AGENT} ^Zeus.*Webster [OR]

RewriteCond %{HTTP_USER_AGENT} ^Zeus

RewriteRule ^.* - [F,L]

RewriteCond %{HTTP_REFERER} ^http://www.kingsandqueens.org.uk/catalog/index.php$

RewriteRule !^http://[^/.]\.kingsandqueens.org.uk/catalog.* - [F,L]


# deny most common except .php
<FilesMatch "\.(inc|tpl|h|ihtml|sql|ini|conf|class|bin|spd|theme|module|exe)$">

deny from all

</FilesMatch>
# Disable .htaccess viewing from browser
<Files ~ "^\.ht">

Order allow,deny

Deny from all

Satisfy All

</Files>
# Disable access to config.php 
<Files ~ "includes\configure.php$">

deny from all

</Files>
Options +FollowSymLinks
RewriteEngine On 
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index_error.php [F,L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

 

I would really appreciate any help

Thanks

Andrea

Share this post


Link to post
Share on other sites

If you place your RewriteRules in httpd.conf on FreeBsd/Apache instead of an .htaccess file don't forget to use ^/ instead of ^ at the start of the RewriteRule line. Just add the slash.

 

Instead of "RewriteRule ^/(.*)$ index_error.php [F,L]"

 

I found that this actually worked:

 

RewriteRule (.*) index_error.php?page=$1 [QSA,L]

 

You can temporarily log all your rewrite requests and results to a text file by adding this to the very end of httpd.conf and restarting your server:

 

RewriteLog /usr/home/local/path/to/your/log/mylog.txt

RewriteLogLevel 5

 

Be sure you create the mylog.txt file # touch mylog.txt

It's great for debugging and seeing exactly what happens with each request. Be sure to remove those two lines and restart your server when finished. If you don't it will create a huge log file very quickly.

 

Good luck.

Share this post


Link to post
Share on other sites

×