Tiff13 Posted November 16, 2012

Where to start? Trustwave performs the PCI compliance scans and I've got 2 issues on my website giving me a failure status, causing me to pay a failure fee to my merchant account provider.

1) Reflected Cross-Site Scripting (XSS) Vulnerability - evidence on page: http://www.houseofaberrant.com/advanced_search.php says to ..."escape all non alpha-numeric characters..."

2) BEAST (Browser Exploit Against SSL/TLS) Vulnerability - evidence lists a bunch of Cipher Suites, for example SSLv3 : SEED-SHA

My site is v2.3.2

Thanks in advance for the advice
Tiffany
toyicebear Posted November 16, 2012

For nr. 1, have a look at: ANTI Cross Site Scripting attacks

Cannot say for sure, but nr. 2 sounds like a server/hosting issue.
Guest Posted November 16, 2012

@epwork

2) Does your site utilize a shared SSL? Or a standard SSL? Do you use shared hosting?

Chris
Harald Ponce de Leon Posted November 16, 2012

Quoting Tiff13:
1) Reflected Cross-Site Scripting (XSS) Vulnerability - evidence on page: http://www.houseofaberrant.com/advanced_search.php says to ..."escape all non alpha-numeric characters..."

That means you can only search with A-Z, a-z, and 0-9 characters. That might be fine for English, but for foreign languages it becomes a problem if language-specific characters cannot legitimately be searched for (eg, German umlauts üöä).

That XSS vulnerability is a false report. It is already secure by default in your version (v2.3.2).
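The difference Harald is pointing at, shown in code: the scanner's "escape all non-alphanumeric characters" advice amounts to a character whitelist that silently drops umlauts, whereas contextual HTML output encoding keeps every legitimate character and still makes the reflected search term inert. This is an added illustration written for this thread, not code from osCommerce or from Trustwave; the sample search terms are constructed and the function names are my own.

```python
import html
import re

# Constructed sample search terms (not taken from the site or the scanner report).
SAMPLE_TERMS = [
    "Schönbrunn Möbel",           # German umlauts: legitimate search input
    "<script>alert(1)</script>",  # the kind of probe a reflected-XSS scanner sends
    'shoes" onmouseover="x',      # attempt to break out of a quoted attribute
]


def alnum_only(term: str) -> str:
    """The scanner's suggested approach: keep only A-Z, a-z, 0-9 (and spaces).

    It does prevent markup injection, but it also destroys any non-ASCII
    letter, so 'Möbel' can never be searched for.
    """
    return re.sub(r"[^A-Za-z0-9 ]", "", term)


def html_escape(term: str) -> str:
    """Contextual output encoding for HTML text and double-quoted attributes.

    Only the HTML metacharacters (& < > " ') are encoded; umlauts and every
    other character pass through unchanged, so search still works for them.
    """
    return html.escape(term, quote=True)


def render_results_heading(term: str) -> str:
    """Echo the search term back the way a results page does.

    The raw term never reaches the markup: it is encoded once, right at the
    point where it is placed into HTML. Both sinks (element text and the
    value attribute of the pre-filled search box) get the encoded form.
    """
    safe = html_escape(term)
    return (
        f'<h1>Results for "{safe}"</h1>'
        f'<input type="text" name="keywords" value="{safe}">'
    )


def count_tags(snippet: str) -> int:
    """Number of '<' in the rendered snippet. With proper encoding this is
    always 3 (the h1 open/close and the input element we wrote ourselves),
    no matter what the user typed."""
    return snippet.count("<")


if __name__ == "__main__":
    for term in SAMPLE_TERMS:
        print("term:       ", term)
        print("alnum_only: ", alnum_only(term))
        print("html_escape:", html_escape(term))
        print("rendered:   ", render_results_heading(term))
        print()
```

Run it and compare the two columns for the first term: the whitelist turns "Schönbrunn Möbel" into "Schnbrunn Mbel", while the encoded form is unchanged; for the other two terms the encoded output contains no tag or attribute the page did not write itself. That is why a platform that already encodes at the output sink does not need the scanner's whitelist.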
Tiff13 Posted November 16, 2012 (Author)

Quoting Chris:
2) Does your site utilize a shared SSL? Or a standard SSL? Do you use shared hosting?

Site uses a standard SSL and is hosted on a dedicated server.
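Since the site runs on its own dedicated server, the BEAST finding is something the server's TLS configuration controls. The scanner evidence is a list of "PROTOCOL : CIPHER" pairs like the "SSLv3 : SEED-SHA" line quoted above; BEAST applies to CBC-mode cipher suites negotiated under SSLv3 or TLS 1.0, because those versions chain record IVs predictably, while TLS 1.1 and later use an explicit per-record IV. The triage script below, an added example written for this thread and not a Trustwave or osCommerce tool, parses evidence lines in that shape (the sample lines are constructed) and reports which protocol versions need to be disabled for the finding to go away.

```python
import re

# Constructed scanner evidence in the "PROTOCOL : CIPHER" shape quoted in the
# thread. Only the first line is the one actually mentioned in the post.
SAMPLE_EVIDENCE = """\
SSLv3 : SEED-SHA
SSLv3 : AES256-SHA
TLSv1 : DES-CBC3-SHA
TLSv1.2 : AES128-GCM-SHA256
TLSv1.2 : AES256-SHA256
SSLv3 : RC4-SHA
"""

# Protocol versions whose CBC record layer reuses the previous record's last
# block as the next IV (the precondition BEAST exploits). TLS 1.1+ is not affected.
BEAST_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0"}


def is_cbc_suite(cipher: str) -> bool:
    """Classify an OpenSSL-style suite name.

    AEAD suites carry GCM/CCM/CHACHA20 in the name and RC4 is a stream
    cipher; everything else in this naming scheme is a CBC-mode block cipher.
    (RC4 is excluded from the BEAST count only; it is broken on its own and
    should be disabled as well.)
    """
    up = cipher.upper()
    if any(tag in up for tag in ("GCM", "CCM", "CHACHA20")):
        return False
    if "RC4" in up:
        return False
    return True


def parse_evidence(text: str):
    """Return (protocol, cipher) tuples from lines shaped like 'SSLv3 : SEED-SHA'."""
    pairs = []
    for line in text.splitlines():
        m = re.match(r"\s*(\S+)\s*:\s*(\S+)\s*$", line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def beast_findings(text: str):
    """Pairs that would be reported as BEAST-relevant: old protocol + CBC suite."""
    return [
        (proto, cipher)
        for proto, cipher in parse_evidence(text)
        if proto in BEAST_PROTOCOLS and is_cbc_suite(cipher)
    ]


def protocols_to_disable(text: str):
    """Protocol versions that must be switched off on the server to clear the finding."""
    return sorted({proto for proto, _ in beast_findings(text)})


if __name__ == "__main__":
    for proto, cipher in beast_findings(SAMPLE_EVIDENCE):
        print(f"BEAST-relevant: {proto} {cipher}")
    print("disable:", ", ".join(protocols_to_disable(SAMPLE_EVIDENCE)))
```

On the sample evidence this flags SEED-SHA and AES256-SHA under SSLv3 and DES-CBC3-SHA under TLS 1.0, and leaves the TLS 1.2 suites alone. The fix is in the web server's TLS settings (disable SSLv3 and TLS 1.0, prefer TLS 1.2 AEAD suites), after which a rescan should no longer list those pairs.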
Tiff13 Posted November 16, 2012 (Author)

Quoting toyicebear:
For nr. 1, have a look at: ANTI Cross Site Scripting attacks
Cannot say for sure, but nr. 2 sounds like a server/hosting issue.

Thanks, I'll try that. Don't have any languages other than English right now.
Harald Ponce de Leon Posted November 16, 2012

Quoting Tiff13:
Don't have any languages other than English right now.

That isn't the point. The point is that the XSS vulnerability is a false report, and if that company doesn't know better, then I wouldn't use their services. It looks like they will report anything to you just so you can pay a "failure fee".
Tiff13 Posted November 16, 2012 (Author)

Quoting Harald Ponce de Leon:
That isn't the point. The point is that the XSS vulnerability is a false report, and if that company doesn't know better, then I wouldn't use their services. It looks like they will report anything to you just so you can pay a "failure fee".

Ah ha, OK, I get it now! Thank you @Harald Ponce de Leon, that gives me a good perspective, I will keep that in mind. Makes it a challenge when the bank dictates who is used to monitor my site's PCI compliance.

Thanks again,
Tiffany