Cross Site Scripting problem in showphoto.php
April 3rd, 2009, 09:29 AM
I'm running Photopost Pro 6.02 and just got flagged on PCI scanning for a Cross Site Scripting problem in showphoto.php.
When accepting user input ensure that you are HTML encoding potentially malicious characters if you ever display the data back to the client.
Ensure that parameters and user input are sanitized by doing the following:
Remove < input and replace with &lt;
Remove > input and replace with &gt;
Remove ' input and replace with &#x27;
Remove " input and replace with &quot;
Remove ) input and replace with &#x29;
Remove ( input and replace with &#x28;
Is there a fix for this?
April 3rd, 2009, 11:13 AM
We store the characters you're referring to like that. A simple look in the database shows this to be true.
We use a code sanitizing function.
April 3rd, 2009, 11:19 AM
Then why am I getting flagged??? Is this a false positive?
April 3rd, 2009, 11:22 AM
Not sure, as I am not familiar with what you're doing or what is flagging you, but clearly we typecast the variables, and on any variables we use we apply the PHP htmlspecialchars function.
PHP: htmlspecialchars - Manual (http://us2.php.net/htmlspecialchars)
April 3rd, 2009, 11:27 AM
Take note also, into the mix here, that we change variables to store them in the database, and then when the description is viewed we convert the characters back so things display correctly.
We also only allow the HTML tags noted here:
$string = strip_tags($string, "<b><table><tr><td><strong><i><em><u><a><div><span><p><blockquote><ol><ul><li><font><img><br><h1><h2><h3><h4><h5><h6>");
You cannot use embed, object or script tags to try to embed malicious code; we simply do not allow this.
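As an added example (editor's code, not Photopost's), the two layers described in the post above rebuilt in PHP: the strip_tags() allowlist quoted there, plus typecasting and htmlspecialchars() for reflected parameters, followed by a check of which of the six characters the PCI scanner lists survive each encoder unencoded. Function names, the probe string and the ENT_QUOTES choice are assumptions of this example.

```php
<?php
// Added example, not Photopost's code. Rebuilds the layers the developer
// describes (tag allowlist + typecast + htmlspecialchars) and checks which
// of the six characters the PCI scanner lists survive each layer unencoded.

// Allowlist exactly as quoted in the thread.
const ALLOWED_TAGS = '<b><table><tr><td><strong><i><em><u><a><div><span><p>'
    . '<blockquote><ol><ul><li><font><img><br><h1><h2><h3><h4><h5><h6>';

// Free-form description field: keep allowed tags, drop everything else.
function sanitizeDescription(string $input): string
{
    // Caveat (PHP manual): strip_tags() does not touch attributes on the
    // tags it allows, so attributes on <a>, <img>, <div>, ... still need
    // their own filtering before the value is displayed.
    return strip_tags($input, ALLOWED_TAGS);
}

// Plain parameter reflected into HTML. ENT_QUOTES is explicit because before
// PHP 8.1 the default (ENT_COMPAT) leaves the single quote unencoded.
function encodeForHtml(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Numeric parameter (e.g. a photo id): typecast instead of encoding.
function photoIdParam($raw): int
{
    return (int) $raw;  // "12abc" -> 12, "abc" -> 0: no markup can survive
}

// Which of the scanner's six characters remain literal after $encoder?
function survivingChars(callable $encoder): array
{
    $survivors = [];
    foreach (['<', '>', "'", '"', ')', '('] as $ch) {
        if (strpos($encoder($ch), $ch) !== false) {
            $survivors[] = $ch;
        }
    }
    return $survivors;
}

// Constructed sample input.
$probe = "<b>ok</b><script>x</script>(1)'\"";
echo sanitizeDescription($probe), "\n";   // <b>ok</b>x(1)'"  (script tag dropped)
echo encodeForHtml($probe), "\n";         // fully entity-encoded except ( and )
var_dump(photoIdParam('12abc'));          // int(12)
print_r(survivingChars('encodeForHtml'));                             // ) and (
print_r(survivingChars(fn($s) => htmlspecialchars($s, ENT_COMPAT))); // ' ) and (
```

htmlspecialchars() never encodes parentheses, so a scanner that expects ( and ) to be replaced will report them as surviving even when the output is safely HTML-encoded; whether that matters depends on the context the value lands in (HTML body versus a JavaScript string or attribute).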
April 3rd, 2009, 11:51 AM
Thanks for the response, I'll pass it onto McAfee.
April 3rd, 2009, 11:55 AM
McAfee is virus software for your home computer. Did they come out with some new internet scanner?
April 3rd, 2009, 12:02 PM
This is the old "Hacker Safe" daily PCI scanning. They re-branded it to the McAfee name about a year ago or so.
April 3rd, 2009, 12:05 PM
Well, at any rate, this is a false report by that product, since we do correctly sanitize the variables.
April 3rd, 2009, 02:12 PM
This is still an error per the PCI scanner. Can you email or PM me so I can send you the problem link?
April 9th, 2009, 09:09 AM
I have no control over your scanner thing and what results it shows. I am simply responding that we properly sanitize variables so there is no threat.