Path-Based Cross-Site Scripting (XSS) Failure

This forum is dedicated to answering AbleCommerce 7.0 questions about PCI certification and compliance.
mseachrist
Lieutenant, Jr. Grade (LT JG)
Posts: 33
Joined: Wed Apr 05, 2006 10:42 am

Path-Based Cross-Site Scripting (XSS) Failure

Post by mseachrist » Fri Jan 20, 2017 3:54 am

A PCI scan has failed my site due to a Path-Based Cross-Site Scripting (XSS) vulnerability. Microsoft IIS resolved this problem years ago by enabling "Validate Request = true" in Pages and Controls under your site. If I do this on my site, it disables the ability to edit pages on the site from the admin. It might also disable other features and the customer shopping experience. Your default web.config file has validate request = false. What do you recommend to resolve this PCI failure? Can you provide a letter or statement I can send to my scanning company to get past this failure?

Running 2008 R2 Server with newest Gold build 12 SP1 (something like that).

Shopping Cart Admin
AbleCommerce Admin
Posts: 3055
Joined: Mon Dec 01, 2003 8:41 pm
Location: Vancouver, WA

Re: Path-Based Cross-Site Scripting (XSS) Failure

Post by Shopping Cart Admin » Sun Jan 22, 2017 12:35 pm

Hello,

We have sites being scanned by a half dozen+ different vendors and have never seen that issue. Please open up a support ticket and attach the .pdf results of the scan.

https://www.ablecommerce.com/helpdesk.aspx
Thanks for your support

Shopping Cart Guru
AbleCommerce.com

gdelorey@mitcs.com
Commander (CMDR)
Posts: 129
Joined: Thu Oct 19, 2006 5:33 pm

Re: Path-Based Cross-Site Scripting (XSS) Failure

Post by gdelorey@mitcs.com » Thu Feb 16, 2017 5:32 am

Similar issue here with a Qualys web application scan. I've just submitted a support ticket to the helpdesk.
