Hello,
Have had my site scanned for PCI compliance and have an XSS issue. I experience some trouble since I installed this template. I installed the full package for magento 1.7.2 provided in the download section in my member area.
I don’t have access to apache to enable mod_security.
Please it can be a serious issue with this theme, what should I do?
3 answers
Hi maheanuu,
Could you please explain me a little bit more about the issue ? How can I check to see it?
Sorry, didn’t get the notifications for your answer: I get alerts when I scan website for XSS, alerts with these type of url (search form results basicaly):
Code:
URL: https://www.eco-gaming.com/catalogsearch/result/index/?cat=42&enable_googlecheckout=1&mode=list&price=200-&q=1 Description: cat,enable_googlecheckout,mode,price,q URL: https://www.eco-gaming.com/catalogsearch/result/index/?___store=default&mode=list&price=2000-3000&q=1&___from_store=french Description: ___from_store,___store,mode,price,q URL: https://www.eco-gaming.com/catalogsearch/result/index/?___store=default&___from_store=french&cat=44&enable_googlecheckout=1&mode=list&price=5000-&q=1 Description: ___from_store,___store,cat,enable_googlecheckout,mode,price,q URL: https://www.eco-gaming.com/catalogsearch/result/index/?___from_store=default&___store=french&cat=42&q=1 Description: ___from_store,___store,cat,q URL: https://www.eco-gaming.com/catalogsearch/result/index/?___from_store=default&___store=french&cat=45&enable_googlecheckout=1&mode=list&price=5000-&q=1 Description: ___from_store,___store,cat,enable_googlecheckout,mode,price,q
And 500 more url like these. I was wondering if something is wrong with some of the .js files that are used in the template. If someone ever experienced these kind of threats.
Magento have flaws, but my hosting company too (mod_security is not enabled). So if javascript files are not secure, I may have a big problem. Since I have dynamic IP with my FAI I can’t limit access to backend (I may use .htpasswd if I can’t find another solution).
I gave you FTP credential in this post, and I’ll give backend access if you need it. Thanks!
hi meheanuu !
Call me blind but your issue is still not clear to me, let me know which tool I can use to check the issue.