XSS (cross scripting) problems

Hello,

Have had my site scanned for PCI compliance and have an XSS issue. I experience some trouble since I installed this template. I installed the full package for magento 1.7.2 provided in the download section in my member area.

I don’t have access to apache to enable mod_security.

Please it can be a serious issue with this theme, what should I do?

3 answers

Profile photo of Maheanuu Allain 0.00 $tone October 29, 2013
Public

Sorry, didn’t get the notifications for your answer: I get alerts when I scan website for XSS, alerts with these type of url (search form results basicaly):

Code:

URL: 	https://www.eco-gaming.com/catalogsearch/result/index/?cat=42&enable_googlecheckout=1&mode=list&price=200-&q=1
Description: 	cat,enable_googlecheckout,mode,price,q

URL: 	https://www.eco-gaming.com/catalogsearch/result/index/?___store=default&mode=list&price=2000-3000&q=1&___from_store=french
Description: 	___from_store,___store,mode,price,q

URL: 	https://www.eco-gaming.com/catalogsearch/result/index/?___store=default&___from_store=french&cat=44&enable_googlecheckout=1&mode=list&price=5000-&q=1
Description: 	___from_store,___store,cat,enable_googlecheckout,mode,price,q

URL: 	https://www.eco-gaming.com/catalogsearch/result/index/?___from_store=default&___store=french&cat=42&q=1
Description: 	___from_store,___store,cat,q

URL: 	https://www.eco-gaming.com/catalogsearch/result/index/?___from_store=default&___store=french&cat=45&enable_googlecheckout=1&mode=list&price=5000-&q=1
Description: 	___from_store,___store,cat,enable_googlecheckout,mode,price,q

And 500 more url like these. I was wondering if something is wrong with some of the .js files that are used in the template. If someone ever experienced these kind of threats.

Magento have flaws, but my hosting company too (mod_security is not enabled). So if javascript files are not secure, I may have a big problem. Since I have dynamic IP with my FAI I can’t limit access to backend (I may use .htpasswd if I can’t find another solution).

I gave you FTP credential in this post, and I’ll give backend access if you need it. Thanks!

#2

Please login or Register to Submit Answer

Written By

Comments