
Archived

This topic is now archived and is closed to further replies.

Tiff13

PCI Compliance Scan Failures Oscommerce or my host provider

Recommended Posts

Where to start? Trustwave performs the PCI compliance scans, and I've got 2 issues on my website giving me a failure status, causing me to pay a failure fee to my merchant account provider.

 

1) Reflected Cross-Site Scripting (XSS) Vulnerability - evidence on page: http://www.houseofaberrant.com/advanced_search.php says to ..."escape all non alpha-numeric characters..."

 

2) BEAST (Browser Exploit Against SSL/TLS) Vulnerability - evidence lists a bunch of Cipher Suites for example SSLv3 : SEED-SHA

 

My site is v2.3.2

 

Thanks in advance for the advice

Tiffany


For nr. 1, have a look at: ANTI Cross Site Scripting attacks

Cannot say for sure, but nr. 2 sounds like a server/hosting issue.


@@epwork

2) Does your site utilize a shared SSL? Or a standard SSL? Do you use shared hosting?

Chris


:|: Was this post helpful ? Click the LIKE THIS button :|:

 

See my Profile to learn more about add ons, templates, support plans and custom coding (click here)

Share this post


Link to post
Share on other sites

1) Reflected Cross-Site Scripting (XSS) Vulnerability - evidence on page: http://www.houseofaberrant.com/advanced_search.php says to ..."escape all non alpha-numeric characters..."

That means you can only search with A-Z, a-z, and 0-9 characters. That might be fine for English, but for foreign languages it becomes a problem if language-specific characters cannot legitimately be searched for (e.g., German umlauts üöä).

That XSS vulnerability is a false report. It is already secure by default in your version (v2.3.2).

:heart:, osCommerce

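The two ways of handling a reflected search term that the post above contrasts, as an added example: this is not osCommerce code and makes no claim about what advanced_search.php actually does. It puts the scanner's advice, read as input filtering (drop everything outside A-Z, a-z, 0-9), beside the alternative of leaving the term intact and encoding it for the HTML context at the point where it is echoed back. The parameter name `keywords` and the two sample inputs are assumptions made for the illustration.

```php
<?php
// Added example, not osCommerce code. Demonstrates why "only
// alphanumerics" breaks legitimate searches while output encoding
// for the HTML context stops the reflected payload and keeps umlauts.
declare(strict_types=1);

// Approach 1: the scanner's advice taken as input filtering.
// Anything outside A-Z, a-z, 0-9 and space is dropped. Multibyte
// characters such as "ä" are two bytes, both of which are removed.
function filter_alnum_only(string $term): string
{
    return preg_replace('/[^A-Za-z0-9 ]/', '', $term) ?? '';
}

// Approach 2: keep the term, encode it where it is reflected.
// &, <, >, " and ' become entities; non-ASCII text is untouched.
function reflect_into_html(string $term): string
{
    return htmlspecialchars($term, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// A search form echoing the previous term back into an attribute,
// the usual place a reflected XSS probe lands. Parameter name
// "keywords" is an assumption for this example.
function render_search_box(string $term): string
{
    return '<input type="text" name="keywords" value="'
        . reflect_into_html($term) . '">';
}

// Constructed sample inputs: a legitimate German term and a
// typical attribute-breakout probe of the kind a scanner sends.
$samples = [
    'Käsekuchen',
    '"><script>alert(1)</script>',
];

foreach ($samples as $term) {
    echo "input:      {$term}\n";
    // Umlaut is lost; the probe is gutted but so is any legitimate punctuation.
    echo "alnum only: " . filter_alnum_only($term) . "\n";
    // Umlaut survives; quote and angle brackets are entities, so the
    // attribute is never closed and no script element is created.
    echo "encoded:    " . render_search_box($term) . "\n\n";
}
```

Run with `php example.php`. The design point is that the encoding in `reflect_into_html` belongs to the output context (an HTML attribute here); a term that is also placed into a URL or a JavaScript string needs the encoder for that context instead, which is a separate question from whether the input contains "non alpha-numeric characters".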

@@epwork

2) Does your site utilize a shared SSL? Or a standard SSL? Do you use shared hosting?

Chris

Site uses a standard SSL and is hosted on a dedicated server.


Don't have any languages other than English right now.

 

That isn't the point. The point is that XSS vulnerability is a false report and if that company doesn't know better, then I wouldn't use their services. It looks like they will report anything to you just so you can pay a "failure fee".


:heart:, osCommerce


That isn't the point. The point is that XSS vulnerability is a false report and if that company doesn't know better, then I wouldn't use their services. It looks like they will report anything to you just so you can pay a "failure fee".

Ah ha, OK I get it now! Thank you @@Harald Ponce de Leon, that gives me a good perspective; I will keep that in mind. It makes it a challenge when the bank dictates who is used to monitor my site's PCI compliance.

Thanks again,

Tiffany
