Technical Support Forums

Free, outstanding support from WebAssist and your colleagues

› WebAssist Forums › PowerStore › Powerstore General / Announcements › Cross site scripting problem

Cross site scripting problem

Thread began 12/09/2010 12:35 pm by bchilds | Last modified 12/10/2010 7:54 am by Jason Byrnes | 2836 views | 7 replies |

12/09/2010 12:35 pm | #1 bchilds

Cross site scripting problem

I am getting a xss error

Products_Detail.php?ProductID=6"><script>alert(123)<%2Fscript>"

php page attached...

Please help if you can... I am at wits end.

BChilds

PS. If there are anyphp programmers out there with e-commerce/PCI experience and are looking, please drop me a line. jobs@smokehouse.ca

Attached Files

Products_Detail.zip

12/09/2010 12:43 pm | #2 Jason ByrnesWebAssist

what version of power store is this? If it is version 3, this was fixed in the 3.01 update.

otherwise, please post a link where i could see the problem to investigate.

12/09/2010 12:53 pm | #3 bchilds

Products_Detail.php?ProductID=137

Unfortunately Powerstore 2

injection example...
Products_Detail.php?ProductID=6%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%22|

12/09/2010 1:41 pm | #4 Jason ByrnesWebAssist

on the product detail page, change line 600:

php:

$query_OptionValues = sprintf("SELECT options.OptionName, productoptions.ProductID, products.ProductLive FROM options INNER JOIN productoptions ON productoptions.OptionID = options.OptionID INNER JOIN products ON products.ProductID = productoptions.ProductID WHERE OptionGroupID = ".$row_ProductOptions['OptionGroupID']."  AND GroupingID = (SELECT GroupingID FROM productoptions WHERE productoptions.ProductID = ".$PIDParam_ProductOptions." LIMIT 1) ".$AddToWhere." ORDER BY OptionName", GetSQLValueString($OGIDParam_OptionValues, "int"));

to:

php:

$query_OptionValues = sprintf("SELECT options.OptionName, productoptions.ProductID, products.ProductLive FROM options INNER JOIN productoptions ON productoptions.OptionID = options.OptionID INNER JOIN products ON products.ProductID = productoptions.ProductID WHERE OptionGroupID = ".$row_ProductOptions['OptionGroupID']."  AND GroupingID = (SELECT GroupingID FROM productoptions WHERE productoptions.ProductID = %s LIMIT 1) ".$AddToWhere." ORDER BY OptionName", GetSQLValueString($OGIDParam_OptionValues, "int"), GetSQLValueString($PIDParam_ProductOptions, "int"));

12/09/2010 1:48 pm | #5 bchilds

OK your very close..but

I tried that but I'm losing my product options in the drop down menu.

Products_Detail_new.php?ProductID=1

Bchilds

12/09/2010 2:04 pm | #6 Jason ByrnesWebAssist

in testing on my copy of the power store 2 details page, i cannot reproduce the problem you are experiencing.

Investigating the detail page further, i see a lot of customization, record sets that have been added, tables that have been added, The custom coding is rendering this details page usuportable.

12/10/2010 7:51 am | #7 bchilds

Hi Jason

I figured it out. Your solution, although didn't help me right away, showed me where the problem was occurring and I was able to go from there.

You had the order of the calls to the function GetSQLValueString reversed in your solution.

Thanks for all your help! You saved me much agony.

Cheers,

BChilds

12/10/2010 7:54 am | #8 Jason ByrnesWebAssist

Great, glad to hear that is is working.

Build websites with a little help from your friends

Your friends over here at WebAssist! These Dreamweaver extensions will assist you in building unlimited, custom websites.

Build websites from already-built web applications

These out-of-the-box solutions provide you proven, tested applications that can be up and running now. Build a store, a gallery, or a web-based email solution.