PCI Compliance Scan Failures Oscommerce or my host provider


Tiff13

Where to start? Trustwave performs the PCI compliance scans and I've got 2 issues on my website giving me a failure status causing me to pay a failure fee to my merchant account provider.

1) Reflected Cross-Site Scripting (XSS) Vulnerability - evidence on page: http://www.houseofaberrant.com/advanced_search.php says to ..."escape all non alpha-numeric characters..."

2) BEAST (Browser Exploit Against SSL/TLS) Vulnerability - evidence lists a bunch of Cipher Suites for example SSLv3 : SEED-SHA

My site is v2.3.2

Thanks in advance for the advice

Tiffany

For nr. 1, have a look at: ANTI Cross Site Scripting attacks

Cannot say for sure, but nr. 2 sounds like a server/hosting issue.

1) Reflected Cross-Site Scripting (XSS) Vulnerability - evidence on page: http://www.houseofaberrant.com/advanced_search.php says to ..."escape all non alpha-numeric characters..."

That means you can only search with A-Z, a-z, and 0-9 characters. That might be fine for English, but for foreign languages it becomes a problem if language-specific characters cannot legitimately be searched for (e.g., German umlauts üöä).

That XSS vulnerability is a false report. It is already secure by default in your version (v2.3.2).

:heart:, osCommerce

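To make the umlaut point above concrete, here is an added example (not osCommerce code; the function names are hypothetical) that contrasts the scanner's advice of stripping every non-alphanumeric character with HTML output encoding, which renders a reflected search term harmless while keeping characters such as üöä searchable:

```php
<?php
// Added example, not osCommerce code. Function names are hypothetical.
// Compares two ways of handling a search term that is reflected back
// into the page, as a search form's keyword field is.

// The scanner's suggestion: throw away every non-alphanumeric character.
// Nothing can be injected, but "Müller" becomes "Mller", so umlaut
// searches stop working.
function strip_non_alnum(string $keywords): string
{
    return preg_replace('/[^A-Za-z0-9 ]/', '', $keywords);
}

// Output encoding: <, >, &, " and ' are turned into HTML entities, so the
// browser renders the term as text instead of parsing it as markup, and
// legitimate characters such as üöä pass through unchanged.
function encode_for_html(string $keywords): string
{
    return htmlspecialchars($keywords, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs: a legitimate German search term and the kind
// of probe string a compliance scanner submits to test for reflected XSS.
$samples = [
    'Müller Stühle',
    '"><script>alert(1)</script>',
];

foreach ($samples as $keywords) {
    echo "input : $keywords\n";
    echo "strip : " . strip_non_alnum($keywords) . "\n";
    echo "encode: " . encode_for_html($keywords) . "\n\n";
}
```

Whichever approach a site uses, the value reflected into the HTML must be the encoded one; the scanner's advice protects the page only at the cost of the non-English searches Harald describes.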
Don't have any languages other than English right now.

That isn't the point. The point is that XSS vulnerability is a false report and if that company doesn't know better, then I wouldn't use their services. It looks like they will report anything to you just so you can pay a "failure fee".

:heart:, osCommerce

That isn't the point. The point is that XSS vulnerability is a false report and if that company doesn't know better, then I wouldn't use their services. It looks like they will report anything to you just so you can pay a "failure fee".

Ah ha, OK I get it now! Thank you @Harald Ponce de Leon, that gives me a good perspective, I will keep that in mind. Makes it a challenge when the bank dictates who is used to monitor my site's PCI compliance.

Thanks again,

Tiffany
