ManFromDet
Posted August 22, 2014

I've searched the forums for issues pertaining to "CGI Generic Cross-Site Scripting" errors found during PCI compliance scans, and most were several years old and referred to very old versions of Prestashop. I'm using version 1.6.08. Repeated PCI scans have led me to this last issue:

Description: CGI Generic Cross-Site Scripting (comprehensive test)

Synopsis: The remote web server is prone to cross-site scripting attacks.

Impact: The remote web server hosts CGI scripts that fail to adequately sanitize request strings of malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site. These XSS are likely to be 'non-persistent' or 'reflected'.

See also :
http://en.wikipedia.org/wiki/Cross_site_scripting#Non-persistent
http://www.nessus.org/u?9717ad85
http://projects.webappsec.org/Cross-Site+Scripting

Data Received:
Using the GET HTTP method, SecurityMetrics found that :

+ The following resources may be vulnerable to cross-site scripting (comprehensive test) :

+ The 'title' parameter of the /heroes/32-muhammad-ali-swag.html CGI :
/heroes/32-muhammad-ali-swag.html?title=<%00script>alert(219);</script%00>
-------- output --------
[...] li-swag.html?title=<%00script>alert(219);</script%00>"/><meta property=" [...]
<script type="text/javascript">/* <![CDATA[ */;var CUSTOMIZE_TEXTF [...]
------------------------

+ The 'id_product' parameter of the /heroes/32-muhammad-ali-swag.html CGI :
/heroes/32-muhammad-ali-swag.html?id_product=<%00script>alert(219);</script%00>
-------- output --------
[...] ag.html?id_product=<%00script>alert(219);</script%00>"/><meta property=" [...]
<script type="text/javascript">/* <![CDATA[ */;var CUSTOMIZE_TEXTF [...]
------------------------

+ The 'criterion[1]' parameter of the /heroes/32-muhammad-ali-swag.html CGI :
/heroes/32-muhammad-ali-swag.html?criterion[1]=<%00script>alert(219);</script%00>
-------- output --------
[...] .html?criterion[1]=<%00script>alert(219);</script%00>"/><meta property=" [...]
<script type="text/javascript">/* <![CDATA[ */;var CUSTOMIZE_TEXTF [...]
------------------------

+ The 'content' parameter of the /heroes/32-muhammad-ali-swag.html CGI :
/heroes/32-muhammad-ali-swag.html?content=<%00script>alert(219);</script%00>
-------- output --------
[...] -swag.html?content=<%00script>alert(219);</script%00>"/><meta property=" [...]
<script type="text/javascript">/* <![CDATA[ */;var CUSTOMIZE_TEXTF [...]
------------------------

+ The 'title' parameter of the /heroes/32-muhammad-ali-swag.html CGI :
/heroes/32-muhammad-ali-swag.html?title=<%00script>alert(219);</script%00>&id_product=32&criterion[1]=1&content=
-------- output --------
[...] li-swag.html?title=<%00script>alert(219);</script%00>&id_product=32&crit [...]
<script type="

These entries are several pages long in the report (Security Metrics). And there are 4 or 5 of these repeated error messages listed as well.

I'm running my installation of Prestashop on a Virtual Private Server (VPS), hosted by TotalServerSolutions.com. Prestashop is the only application running in my share.

Because I see so few of these posts, and they are old, I'm hoping there's a single comprehensive reason why I'm receiving these errors.

Any help or guidance in resolving this issue would be greatly appreciated.

Thanks.

ManFromDet
Posted August 22, 2014

Maybe (and I know this is a very simplistic answer) I should just switch hosts to a more Prestashop-familiar company like InMotion... could there be some unidentified settings within my current setup that would be fixed by simply switching hosts?

JPresta.com
Posted August 22, 2014

I think XSS issues can be solved in the theme by protecting data when it is written in the HTML page.

ManFromDet
Posted August 22, 2014

On 8/22/2014 at 2:48 PM, joemartin said:
> I think XSS issues can be solved in the theme by protecting data when it is written in the HTML page.

Thanks... but I have NO IDEA how to apply this proposed fix.

JPresta.com
Posted August 22, 2014

Did your security checker succeed in inserting code? If so, you can know where the issue is and then fix it by escaping some characters in your theme template (ask your designer).
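
The two points in the reply above (checking whether the scanner's string came back unencoded, and escaping at the point of output), as an added example that is not part of the original thread and is not PrestaShop or theme code. The helper names, the `shop.example` host and the tag the URL is written into are assumptions; only the probe string and path are taken from the scan report.

```php
<?php
// Added example: hypothetical helpers, not PrestaShop or theme code.

// Vulnerable pattern: the request URI is written into an attribute as-is.
// (Which tag the theme uses is an assumption; the report only shows the
// reflection sitting just before a closing "/>.)
function metaTagUnescaped(string $requestUri): string
{
    return '<meta property="og:url" content="http://shop.example' . $requestUri . '"/>';
}

// Fixed pattern: HTML-encode the value where it is written out.
// Smarty equivalent inside a .tpl file, with a hypothetical variable name:
//   {$some_url|escape:'html':'UTF-8'}
function metaTagEscaped(string $requestUri): string
{
    $safe = htmlspecialchars($requestUri, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<meta property="og:url" content="http://shop.example' . $safe . '"/>';
}

// True only when the probe comes back byte-for-byte, i.e. its < and >
// were not encoded. This is the condition the scan report is flagging.
function probeReflectedRaw(string $html, string $probe): bool
{
    return strpos($html, $probe) !== false;
}

// Probe string and path copied from the scan report above.
$probe = '<%00script>alert(219);</script%00>';
$uri   = '/heroes/32-muhammad-ali-swag.html?title=' . $probe;

$pages = [
    'unescaped' => metaTagUnescaped($uri),
    'escaped'   => metaTagEscaped($uri),
];
foreach ($pages as $name => $html) {
    $raw = probeReflectedRaw($html, $probe) ? 'yes' : 'no';
    printf("%-9s reflected raw: %s\n  %s\n", $name, $raw, $html);
}
```

The same `probeReflectedRaw` comparison can be run against the saved HTML of the real product page after a template change to see whether the reflection is still unencoded.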

ManFromDet
Posted August 22, 2014

I cannot determine if the security checker succeeded in inserting code; my skill level with Prestashop isn't quite that sophisticated. I don't have a designer, I have a theme that I purchased from ThemeForest. I modified it for my shop (using the included menus, no backend hacks). The support forum for my chosen theme is pretty active - but this issue hasn't come up for other users.

If there are no other general suggestions for correcting this issue, then hiring a professional to take a look may be my only choice?

ManFromDet
Posted August 23, 2014

Can anyone else chime in on the possible causes and fixes for the CGI cross script errors? It just seems really odd that this issue doesn't come up often, or at all recently, in the forums (after searching). There must be something incorrect about my specific installation, but this is just a guess.

Vineet Girdhar
Posted December 27, 2015

Apache: Add this to the .htaccess file in the website main directory.

<IfModule mod_headers.c>
    # Set XSS Protection header
    Header set X-XSS-Protection "1; mode=block"
</IfModule>

This will resolve and address the issue of Cross-site scripting (XSS)...

Do note this issue is even found in the 1.6.0.11 version, and irrespective of the hosting provider you are using, it is a great idea to add this to resolve the issue.

tplmika
Posted January 25, 2016

Dear Vineet Girdhar,

Great solution. It works for me for version 1.6.1.3.

Thank you for the answer.