XSS (cross scripting) problems

Hi maheanuu,

Could you please explain me a little bit more about the issue ? How can I check to see it?

Sorry, didn’t get the notifications for your answer: I get alerts when I scan website for XSS, alerts with these type of url (search form results basicaly):

Code:

URL: 	https://www.eco-gaming.com/catalogsearch/result/index/?cat=42&enable_googlecheckout=1&mode=list&price=200-&q=1
Description: 	cat,enable_googlecheckout,mode,price,q

URL: 	https://www.eco-gaming.com/catalogsearch/result/index/?___store=default&mode=list&price=2000-3000&q=1&___from_store=french
Description: 	___from_store,___store,mode,price,q

URL: 	https://www.eco-gaming.com/catalogsearch/result/index/?___store=default&___from_store=french&cat=44&enable_googlecheckout=1&mode=list&price=5000-&q=1
Description: 	___from_store,___store,cat,enable_googlecheckout,mode,price,q

URL: 	https://www.eco-gaming.com/catalogsearch/result/index/?___from_store=default&___store=french&cat=42&q=1
Description: 	___from_store,___store,cat,q

URL: 	https://www.eco-gaming.com/catalogsearch/result/index/?___from_store=default&___store=french&cat=45&enable_googlecheckout=1&mode=list&price=5000-&q=1
Description: 	___from_store,___store,cat,enable_googlecheckout,mode,price,q

And 500 more url like these. I was wondering if something is wrong with some of the .js files that are used in the template. If someone ever experienced these kind of threats.

Magento have flaws, but my hosting company too (mod_security is not enabled). So if javascript files are not secure, I may have a big problem. Since I have dynamic IP with my FAI I can’t limit access to backend (I may use .htpasswd if I can’t find another solution).

I gave you FTP credential in this post, and I’ll give backend access if you need it. Thanks!

hi meheanuu !

Call me blind but your issue is still not clear to me, let me know which tool I can use to check the issue.