Path-Based Cross-Site Scripting (XSS) Failure

This forum is dedicated to answering AbleCommerce 7.0 questions about PCI certification and compliance.

Postby mseachrist » Fri Jan 20, 2017 3:54 am

A PCI scan has failed my site due to a Path-Based Cross-Site Scripting (XSS) vulnerability. Microsoft IIS resolved this problem years ago by enabling "Validate Request = true" in Pages and Controls under your site. If I do this on my site, it disables the ability to edit pages on the site from the admin. It might also disable other features and the customer shopping experience. Your default web.config file has validate request = false. What do you recommend to resolve this PCI failure? Can you provide a letter or statement I can send to my scanning company to get past this failure?

Running 2008 R2 Server with newest Gold build 12 SP1 (something like that).
mseachrist
Lieutenant, Jr. Grade (LT JG)
Posts: 33
Joined: Wed Apr 05, 2006 10:42 am

Re: Path-Based Cross-Site Scripting (XSS) Failure

Postby Shopping Cart Admin » Sun Jan 22, 2017 12:35 pm

Hello,

We have sites being scanned by a half dozen+ different vendors and have never seen that issue. Please open up a support ticket and attach the .pdf results of the scan.

https://www.ablecommerce.com/helpdesk.aspx
Thanks for your support

Shopping Cart Guru
Shopping Cart Admin
AbleCommerce Admin
Posts: 3013
Joined: Mon Dec 01, 2003 8:41 pm
Location: Vancouver, WA

Re: Path-Based Cross-Site Scripting (XSS) Failure

Postby gdelorey@mitcs.com » Thu Feb 16, 2017 5:32 am

Similar issue here with a Qualys web application scan. I've just submitted a support ticket to the helpdesk.
gdelorey@mitcs.com
Commander (CMDR)
Posts: 125
Joined: Thu Oct 19, 2006 5:33 pm
