Important Notice from AspDotNetStorefront
It is with dismay that we report that we have been forced, through the action of hackers, to shut off write-access to this forum. We are keen to leave the wealth of material available to you for research. We have opened a new forum from which our community of users can seek help, support and advice from us and from each other. To post a new question to our community, please visit: http://forums.vortx.com

Thread: Accunetix Web Vulnerability Scan

  1. #1
    sduffy77 (Senior Member; joined Feb 2010; Lancaster, PA; 142 posts)

    Accunetix Web Vulnerability Scan

    We are running ML 9.0.1.2 32bit source.

    We recently ran Accunetix Web Vulnerability Scan as we are required to for our PCI Compliance.

    We found several issues:

    Cross Site Scripting
        /popup.aspx: src

    Application error message
        /captcha.ashx: ASPDNSFGUID
        /contactus.aspx: ASPDNSFGUID
        /default.aspx: ASPDNSFGUID
        /disclaimer.aspx: ASPDNSFGUID
        /emailproduct.aspx: ASPDNSFGUID
        /giftregistrysearch.aspx: ASPDNSFGUID
        /invalidrequest.aspx: ASPDNSFGUID
        /m-1-ross-nanotechnology.aspx: ASPDNSFGUID
        /m-1-ross-technologies.aspx: ASPDNSFGUID
        /pagenotfound.aspx: ASPDNSFGUID
        /polls.aspx: ASPDNSFGUID
        /popup.aspx: ASPDNSFGUID
        /rateit.aspx: ASPDNSFGUID
        /remove.aspx: ASPDNSFGUID
        /scriptresource.axd: ASPDNSFGUID
        /search.aspx: ASPDNSFGUID
        /searchnx.aspx: ASPDNSFGUID
        /sendform.aspx: ASPDNSFGUID
        /shoppingcart.aspx: ASPDNSFGUID
        /showproduct.aspx: ASPDNSFGUID
        /signin.aspx: ASPDNSFGUID
        /signout.aspx: ASPDNSFGUID
        /sitemap2.aspx: ASPDNSFGUID
        /t-about.aspx: ASPDNSFGUID
        /t-bacteria.aspx: ASPDNSFGUID
        /t-faq.aspx: ASPDNSFGUID
        /t-privacy.aspx: ASPDNSFGUID
        /t-returns.aspx: ASPDNSFGUID
        /t-security.aspx: ASPDNSFGUID
        /t-service.aspx: ASPDNSFGUID
        /t-shipping.aspx: ASPDNSFGUID
        /t-where to buy.aspx: ASPDNSFGUID
        /webresource.axd: d, %2EASPXANONYMOUS, referer, ASPDNSFGUID, user-agent, SiteDisclaimerAccepted, client-ip, x-forwarded-for, __utma, __utmb, accept-language, __utmc, __utmz
        /wishlist.aspx: ASPDNSFGUID

    Possible sensitive directories
        /bin
        /download
        /images/demo
        /images/library
        /images/orders
        /images/upload

    Has anyone dealt with fixing these issues?

  2. #2
    AspDotNetStorefront Staff - Scott (Administrator; joined Mar 2007; Ashland, OR; 2,390 posts)

    As long as all of the Security Best Practices are being followed, there aren't any PA-DSS violations in the application. Specifically, you'll need to look at setting up a custom error page in the web.config and file/folder permissions.

    As for the XSS warning, that can be disregarded. The popup.aspx page can be forced to pop up an image other than the one intended with a little work, but nothing else. It doesn't use any other parameters and doesn't do anything with any extras that are passed to it. We'll probably try to prevent even that in the future, but in the meantime we've verified with our security folks that this isn't a vulnerability to be concerned about, so you can mark that off as not an issue.