Rank: Member
Joined: 4/29/2010(UTC)
Posts: 3
|
Hello,
We are using BV Software V5, SP2. We recently had a PCI compliance scan done of the site and the Contact Us page configured in BV is failing the scan because of cross-site scripting vulnerability. This is only if we have the questions turned on through the Contact Us Config option. If we uncheckmark the enable contact form to remove the question fields, then the site passes the scan. We don't see any way to guard against cross-site scripting vulnerabilities with this page. Has anyone else encountered this issue, and if so, how did you correct it?
Thanks.
|
|
|
|
|
|
Rank: Member
Joined: 1/10/2005(UTC)
Posts: 714
Thanks: 14 times
Was thanked: 1 time(s) in 1 post(s)
|
Im not exactly sure about that page itself, but BV5 SP7 is PCI compliant. You should check out in updating to that version.
|
|
|
|
|
|
Rank: Member
Joined: 4/29/2010(UTC)
Posts: 3
|
Unfortunately we inherited this site and it has been highly customized - probably over 65%, so it is not possible to upgrade. Any suggestions on how to make this page in this version safe against cross-site scripting? Any suggestions would be helpful.
|
|
|
|
|
|
Rank: Administration
Joined: 4/2/2004(UTC) Posts: 2,393 ![United States]( "United States") Location: Hummelstown, PA Thanks: 6 times
Was thanked: 163 time(s) in 158 post(s)
|
I'm not sure how the contact form would be vulnerable to a cross-site scripting attack. One thing I can tell you is that those scans are always right. |
Aaron Sherrick
BV Commerce
Toll-free 888-665-8637 - Int'l +1 717-220-0012 |
|
|
|
|
|
Rank: Member
Joined: 12/23/2003(UTC)
Posts: 909
|
forgive my remedial understanding.
what happens if ValidateRequest="true" is added to the contactus.aspx page directive? |
|
|
|
|
|
|
Rank: Member
Joined: 11/5/2003(UTC)
Posts: 1,786
|
A XSS attack occurs when a value input into a form is displayed on the site and isn't HTML encoded. So for example, if the user inputs a <script> tag in the description field of the form and their answer is displayed it will execute the <script> from the user.
Since you said that your site is heavily customized it is very possible that one of the customizations created an XSS vulnerability.
You'll need to pay a programmer to walk through you customized code to find and resolve the issue. There is no way for us to evaluate the code since it has been customized and is many service packs old.
|
|
|
|
|
|
Rank: Member
Joined: 1/27/2010(UTC)
Posts: 7
|
None of the backoffice has been customized so the policy pages are intact. The PCI compliance scan is sending <script> tags to the form fields for the test. If we uncheckmark the enable contact form to remove the user input fields, the site passes the scan, so it is only the user input fields on this form that are not passing the scan. We are receiving the following error:
[2]
This is a generic warning based on a test that indicates that your web
> application may not validate user-provided input, such as that
> provided by a form. Review your web application to ensure that user
> data is checked on the server side of the application (NOT in the web
> browser) for proper length and character content. It is recommended
> that a white-list of acceptable characters be used, with all other
> characters being HTML encoded prior to being sent in response to the client.
> Review the "Cross-Site scripting", "Data Validation", and "Review Code
> for Cross-site scripting" pages on OWASP.org (see the reference links
> in this finding).
We see no way in this form to determine field length or character content. Has this been changed in a later verion and is this version of BV open to XSS attacks for this form? Any suggestions on how to correct this would be helpful.
[/2]
|
|
|
|
|
|
Rank: Member
Joined: 11/25/2003(UTC)
Posts: 370
|
Most likely you will need to filter your form post yourself or have someone do it for you.
Wondering how ScanAlert would even know if script was injected since what is typed in the form is not displayed unless page has been modified.
Also when you get the the email in stock form all script tags are removed. |
|
|
|
|
|
|
Rank: Administration
Joined: 4/2/2004(UTC) Posts: 2,393 ![United States]( "United States") Location: Hummelstown, PA Thanks: 6 times
Was thanked: 163 time(s) in 158 post(s)
|
Originally Posted by: "Kim (Kman)"  Wondering how ScanAlert would even know if script was injected since what is typed in the form is not displayed unless page has been modified. Exactly. Like I said, these scans aren't always accurate. They do provide a way to dispute or override their alert on the page in their system that outlines the supposed vulnerability. |
Aaron Sherrick
BV Commerce
Toll-free 888-665-8637 - Int'l +1 717-220-0012 |
|
|
|
|
|
Rank: Member
Joined: 1/27/2010(UTC)
Posts: 7
|
They are stating that this page (Contact Us with the form fields) is vulnerable to XSS attacks and cannot be disputed. Is this version of BV supposed to be protecting agains XSS attacks? Here is what they are testing. Any suggestions would be helpful. Thanks.
Cross-Site Scripting (XSS)
Cross-site scripting is a term used to describe problems which arise
when maliciously crafted user data causes a web application to redirect
an unsuspecting web browser to an undesired site. It was
possible to send strings with special HTML characters ( < > " ' )
to your web application, and see them rendered in the response.
Since these characters were not encoded by the web application,
it may be possible to inject HTML scripting code into the rendered
page. The injections can occur in your HTML body, Title, Scripting,
or even commented out portions of the document. Note: Due to the
potential negative impact on this web server's resources that could
result from attacking a large number of cross-site scripting attack
vectors, TrustKeeper abandons this test after it has found at least three
instances where user input is not being properly sanitized. Therefore,
it is possible that the reported findings associated with this vulnerability
are only a subset of all possible attack vectors.
Note: All Cross-Site Scripting vulnerabilities are considered noncompliant
by PCI.
Service: (80) Microsoft-IIS/6.0
Evidence:
• HTTP Request Mode: GET
• HTTP Status Code: 200
• Test Input String: %3CScRipT%20%3Ealert%28%27test
%27%29%3B%3C%2FScRipT%20%3E
• Search Pattern: <ScRipT >alert('test');</ScRipT >
• Pattern Match: <ScRipT >alert('test');</ScRipT >
• Vulnerable Parameter: policyid
• Vulnerable Parameter: linktext
• Vulnerable Parameter: columnname
• HTTP Request Mode: GET
• HTTP Status Code: 200
• Test Input String: %22%3E%27%3E%3CIfRaME%3E
• Search Pattern: (?i)">'><IfRaME>
• Pattern Match: ">'><IfRaME>
Vulnerable Parameter: policyid
• Vulnerable Parameter: linktext
• Vulnerable Parameter: columnname
|
|
|
|
|
|
Rank: Member
Joined: 11/25/2003(UTC)
Posts: 370
|
I suggest you hire a professional to look at this for you and help you correct the issue with your scan.
The code must have been modified in some way. If so you just need to filter text input. |
|
|
|
|
|
|
Rank: Member
Joined: 11/20/2005(UTC)
Posts: 122
|
[3]This just started happening on our site as well, and I have a solution. It is important to understand that PCI is not a fixed set of rules, but a security policy that changes over time and not all PCI scanners are updated at the same time with the latest vulnerability detection (and as pointed out, there are sometimes bugs).[/3]
[3]However, this is definitely a problem with BVC5 (we are using 5.6).[/3]
[3]The issue is due to the fact that request validation has been turned off in the ContactUs.aspx page. However, it was turned off because there is some text being written to the form outside of the context of ASP.NET and therefore postbacks are not allowed without disabling request validation. ASP.NET automatically keeps track of all of the HTML and javascript that is output into the page and keeps a hash of the page<SPAN lang=EN>. When the page is posted back, it checks the HTML in the post against this hash to ensure it hasn't been tampered with by the end user.[/3]
<SPAN lang=EN>[3]However, this automatic tracking of HTML and javascript only happens if controls in the System.Web.UI.WebControls namespace are used. In the ContactUs.aspx page, there is a control used from the System.Web.UI.HtmlControls namespace that needs to be changed.[/3]
<SPAN lang=EN>[3]To fix this problem, change the following:[/3]
<SPAN lang=EN>[3]File: ContactUs.aspx[/3]
<SPAN lang=EN><SPAN lang=EN>[3]Remove the ValidateRequest="false" attribute from the @Page directive at the top of the page.[/3]
<SPAN lang=EN><SPAN lang=EN>[3]Find this lines[/3]
<SPAN lang=EN><SPAN lang=EN>[3] <div id="contactUsInfo" runat="server">
</div>[/3]
<SPAN lang=EN><SPAN lang=EN>[3]and change it to be[/3]
<SPAN lang=EN><SPAN lang=EN>[3] <div>
<asp:Literal ID="contactUsInfo" runat="server"/>
</div>[/3]
<SPAN lang=EN><SPAN lang=EN>[3]File: ContactUs.aspx.vb[/3]
<SPAN lang=EN><SPAN lang=EN>[3]Find the line[/3]
<SPAN lang=EN><SPAN lang=EN>[3] contactUsInfo.InnerHtml += block.Description[/3]
<SPAN lang=EN><SPAN lang=EN>[3]and change it to be[/3]
<SPAN lang=EN><SPAN lang=EN>[3] contactUsInfo.Text += block.Description[/3]
[3]<SPAN lang=EN>
[/3]
[3]No doubt, someone else will need this info and will be scratching their head trying to figure out what is causing this. The scanner provides "detailed" information on the problem, but it isn't always that helpful.[/3]
[3][/3]
[3]NOTE: ValidateRequest is also turned off in many of the BVAdmin pages. Fortunately, because they are behind a login the scanner can't access them. However, if in the future they decide that they will want to scan password protected pages as well, there will be a lot of changes necessary to become PCI compliant again.[/3] |
|
|
|
|
|
|
Forum Jump
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.