Photopost Pro Bug Reports: Post post installation PhotoPost Pro problems here.
April 3rd, 2009, 08:29 AM
#1 (permalink)
Junior Member, Verified Customer
Join Date: Jun 2005 Location: Bel Air, MD
Posts: 21
Cross Site Scripting problem in showphoto.php
I'm running Photopost Pro 6.02 and just got flagged on PCI scanning for a Cross Site Scripting problem in showphoto.php.
Recommended solution:
When accepting user input ensure that you are HTML encoding potentially malicious characters if you ever display the data back to the client.
Ensure that parameters and user input are sanitized by doing the following:
Remove < input and replace with &lt;
Remove > input and replace with &gt;
Remove ' input and replace with &apos;
Remove " input and replace with &quot;
Remove ) input and replace with &#41;
Remove ( input and replace with &#40;
Is there a fix for this?
Thanks
April 3rd, 2009, 10:13 AM
#2 (permalink)
Photopost Developer, Verified Customer
Join Date: Jun 2002 Location: Abingdon, MD
Posts: 71,943
We store the characters you're referring to like that. A simple look in the database shows this to be true.
We use a code sanitizing function.
April 3rd, 2009, 10:19 AM
#3 (permalink)
Junior Member, Verified Customer
Join Date: Jun 2005 Location: Bel Air, MD
Posts: 21
Then why am I getting flagged??? Is this a false positive?
April 3rd, 2009, 10:22 AM
#4 (permalink)
Photopost Developer, Verified Customer
Join Date: Jun 2002 Location: Abingdon, MD
Posts: 71,943
Not sure, as I am not familiar with what you're doing or what is flagging you, but clearly we typecast the variables, and any variables we use, the PHP htmlspecialchars function on them. PHP: htmlspecialchars - Manual
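An added example (not PhotoPost's code) that checks which of the six characters the scanner listed in post #1 are left unencoded by htmlspecialchars() under its default flag before PHP 8.1 (ENT_COMPAT) versus ENT_QUOTES, and covers parentheses separately; the sample description string is constructed.

```php
<?php
// Added example, not PhotoPost code: compare htmlspecialchars() flag choices
// against the six characters the PCI scanner asked to have encoded.

// The characters the scanner's recommendation lists.
function scanner_chars() {
    return array('<', '>', "'", '"', ')', '(');
}

// Encode the way the scanner asks: ENT_QUOTES handles & < > " and ';
// htmlspecialchars() never touches parentheses, so encode them separately
// (the &#40; / &#41; forms are the ones the scanner text names).
function encode_for_scanner($s) {
    $out = htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return strtr($out, array('(' => '&#40;', ')' => '&#41;'));
}

// Return the scanner-listed characters still present after encoding.
function unencoded_scanner_chars($encoded) {
    $left = array();
    foreach (scanner_chars() as $ch) {
        if (strpos($encoded, $ch) !== false) {
            $left[] = $ch;
        }
    }
    return $left;
}

// Constructed sample of the kind of text a photo description might hold.
$sample = 'Sunset (Bel Air) by O\'Neil <b>"best"</b>';

$compat = htmlspecialchars($sample, ENT_COMPAT, 'UTF-8'); // default before PHP 8.1
$quotes = htmlspecialchars($sample, ENT_QUOTES, 'UTF-8');
$full   = encode_for_scanner($sample);

printf("ENT_COMPAT leaves unencoded: %s\n", implode(' ', unencoded_scanner_chars($compat)));
printf("ENT_QUOTES leaves unencoded: %s\n", implode(' ', unencoded_scanner_chars($quotes)));
printf("Scanner-style encoding leaves unencoded: %s\n", implode(' ', unencoded_scanner_chars($full)));
```

Run from the PHP command line, the ENT_COMPAT line reports the single quote and both parentheses, and the ENT_QUOTES line reports the parentheses, which is the kind of gap between "we call htmlspecialchars" and the scanner's character list worth checking before calling a finding a false positive.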
April 3rd, 2009, 10:27 AM
#5 (permalink)
Photopost Developer, Verified Customer
Join Date: Jun 2002 Location: Abingdon, MD
Posts: 71,943
Take note also into the mix here is we change variables to store in the database and then when the description is viewed we convert the characters back so things view correct.
We also only allow the html tags noted here:
Code: Content visible to verified customers only.
You can not use embed object or script tags to try and embed malicious code we simply do not allow this.
April 3rd, 2009, 10:51 AM
#6 (permalink)
Junior Member, Verified Customer
Join Date: Jun 2005 Location: Bel Air, MD
Posts: 21
Thanks for the response, I'll pass it onto McAfee.
April 3rd, 2009, 10:55 AM
#7 (permalink)
Photopost Developer, Verified Customer
Join Date: Jun 2002 Location: Abingdon, MD
Posts: 71,943
McAfee is virus software for your home computer. They come out with some new internet scanner?
April 3rd, 2009, 11:02 AM
#8 (permalink)
Junior Member, Verified Customer
Join Date: Jun 2005 Location: Bel Air, MD
Posts: 21
This is the old "Hacker Safe" daily PCI scanning. They re-branded it to the McAfee name about a year ago or so.
April 3rd, 2009, 11:05 AM
#9 (permalink)
Photopost Developer, Verified Customer
Join Date: Jun 2002 Location: Abingdon, MD
Posts: 71,943
Well, at any rate this is a false report issued by that product, since we do correctly sanitize the variables.
April 3rd, 2009, 01:12 PM
#10 (permalink)
Junior Member, Verified Customer
Join Date: Jun 2005 Location: Bel Air, MD
Posts: 21
This is still an error per the PCI scanner. Can you email or PM me so I can send you the problem link?
Thanks,
Randy
April 9th, 2009, 08:09 AM
#11 (permalink)
Photopost Developer, Verified Customer
Join Date: Jun 2002 Location: Abingdon, MD
Posts: 71,943
I have no control over your scanner thing and what results it shows. I am simply responding that we properly sanitize variables so there is no threat.