close ad
Help us test the new Databridge BETA with MySQLi support
open ad
View Menu

Technical Support Forums

Free, outstanding support from WebAssist and your colleagues

rating

Possible cross site scripting

Thread began 11/17/2009 4:31 pm by larry268887 | Last modified 2/03/2014 11:15 am by John | 3084 views | 4 replies |

larry268887

Possible cross site scripting

I'm trying to get my site PCI compliant and am working with security metrics. They scaned my site www.elvisyorkshireterrier.com and found that I wasn't in compliance because there was possible cross site scripting. Possible cross site scripting was described as being able to attact a site by adding a script at the end of an address. As an example this is an address of one of my detail pages on my site miniature_yorkie_puppy_for_sale.php?Id=10 and if one would type "><script>alert(123)<%2Fscript>" at the end of the address if there isn't cross site scripting then nothing will happen and if there is cross site scripting then a box will pop up and display 123. My detail pages are php and I use web assist extensions. This only occurs on detail pages.

Here is exactly what they said

Possible cross site scripting on pet-sup plies/dog_clothes_accessories.php Use the following commands to verify this: wp --inject "http://elvisyorkshireterrier.com/pet-su pplies/dog_clothes_accessories.php?Categor yId=6%22%3E%3Cscript%3Ealert%28123%29%3C%2 Fscript%3E" curl -L "http://elvisyorkshireterrier.com/pet-su pplies/dog_clothes_accessories.php?Categor yId=6%22%3E%3Cscript%3Ealert%28123%29%3C%2 Fscript%3E"| grep "123" This website may have other injection related vulnerabilities.

I have no idea how to correct the problem. I have another site hosted with the same hosting company and was made the same with web assist extensions and passed the scan.

Thanks
Larry

Sign in to reply to this post

Ray BorduinWebAssist

Just turn off error reporting. The problem is that when the error is reported it writes to the page, opening the cross site scripting vulnerability.

It is best to leave error reporting turned off on live web sites except when debugging.

Sign in to reply to this post

larry268887

Possible cross site scripting

I had the error reporting turned off and it still is giving the error.
After the 123 window pops up and you close it this is the error I get
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\">\"' at line 1

Sign in to reply to this post

Ray BorduinWebAssist

The error reporting must be turned on, or else it wouldn't be reporting that error to the page. Where did you turn off error reporting?

Update your php.ini, or add to the top of that page:

<?php ini_set('display_errors', 0); ?>

Sign in to reply to this post

John

Scripts

My friend has the same thing but he says his site gets through just fine. I don't know why though he may be using a program that is unrelated to help him and won't tell me because I have done the same thing as him and used the same programs but not been able to get through. I'm not really heavily educated with the concept so if you get any more information let me know.
John Bond | http://www.artistryyorkies.com/yorkie-puppies.aspx#.UscknieJ7Dw

Sign in to reply to this post

Build websites with a little help from your friends

Your friends over here at WebAssist! These Dreamweaver extensions will assist you in building unlimited, custom websites.

Build websites from already-built web applications

These out-of-the-box solutions provide you proven, tested applications that can be up and running now.  Build a store, a gallery, or a web-based email solution.

Want your website pre-built and hosted?

Close Windowclose

Rate your experience or provide feedback on this page

Account or customer service questions?
Please user our contact form.

Need technical support?
Please visit support to ask a question

Content

rating

Layout

rating

Ease of use

rating

security code refresh image

We do not respond to comments submitted from this page directly, but we do read and analyze any feedback and will use it to help make your experience better in the future.

Close Windowclose

We were unable to retrieve the attached file

Close Windowclose

Attach and remove files

add attachmentAdd attachment
Close Windowclose

Enter the URL you would like to link to in your post

Close Windowclose

This is how you use right click RTF editing

Enable right click RTF editing option allows you to add html markup into your tutorial such as images, bulleted lists, files and more...

-- click to close --

Uploading file...