Important Notice from AspDotNetStorefront
It is with dismay that we report that we have been forced, through the action of hackers, to shut off write-access to this forum. We are keen to leave the wealth of material available to you for research. We have opened a new forum from which our community of users can seek help, support and advice from us and from each other. To post a new question to our community, please visit: http://forums.vortx.com

Thread: PCI Audit - cross site scripting

  #1 sduffy77 (Senior Member, Lancaster, PA; joined Feb 2010; 142 posts)

    PCI Audit - cross site scripting

    We had our quarterly PCI Audit yesterday and they uncovered that there is cross site scripting in our ASPDotNetStorefront solutions. The Popup.aspx is allowing javascript to be passed into the src querystring parameter and then it is getting written out to the source of the page.

    Is there a way to get away from using PopUp.aspx? We'd prefer to use modals if at all possible.
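As an added example (not code from this thread or from AspDotNetStorefront), here is a server-side allow-list check for the kind of reflected src value the audit flagged, so the popup page never writes request-controlled text into its own source; the class and method names are assumptions.

```csharp
// Added example, not AspDotNetStorefront code: allow-list validation for the
// "src" value a popup page reads from the query string before writing it
// into the page. Class and method names are assumptions.
using System;
using System.Text.RegularExpressions;
using System.Web;

public static class PopupSrc
{
    // Vulnerable pattern described in the thread: the raw query-string value
    // is written straight into the page source and rendered as-is.
    //   Response.Write("<iframe src=\"" + Request.QueryString["src"] + "\">");

    // Accept only a site-relative path built from a conservative character
    // set: no scheme, no "..", no leading slash, and a known file extension.
    private static readonly Regex SafePath = new Regex(
        @"^[A-Za-z0-9_\-]+(?:/[A-Za-z0-9_\-]+)*\.(?:aspx|htm|html|jpg|jpeg|png|gif)$",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    // Returns the value when it is acceptable, otherwise null. The caller
    // must treat null as "show an error", never as "fall back to raw input".
    public static string Validate(string src)
    {
        if (string.IsNullOrEmpty(src) || src.Length > 200)
            return null;
        return SafePath.IsMatch(src) ? src : null;
    }

    // Builds the attribute text for the popup's frame. The value is still
    // HTML-attribute-encoded after validation (defence in depth), so it can
    // never terminate the quoted attribute.
    public static string FrameSrcAttribute(string src)
    {
        string safe = Validate(src);
        if (safe == null)
            throw new HttpException(400, "Invalid popup target");
        return "src=\"" + HttpUtility.HtmlAttributeEncode(safe) + "\"";
    }
}
```

In the page, emit `<iframe <%= PopupSrc.FrameSrcAttribute(Request.QueryString["src"]) %>>` instead of writing the raw value. Stricter still is to accept only a topic name and look the path up in a server-side table, so no path text from the request reaches the page at all.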

  #2 AspDotNetStorefront Staff - Scott (Administrator, Ashland, OR; joined Mar 2007; 2,390 posts)

    We have had customers rewrite the product pages to use modal windows for large images before, yes. It's actually not all that difficult, but does require the source code.

    As for the popup page, we became aware that there might be an issue there a while ago, and we have our devs/PCI folks looking into it.

  #3 sduffy77 (Senior Member, Lancaster, PA; joined Feb 2010; 142 posts)

    Quote, originally posted by AspDotNetStorefront Staff - Scott:
        We have had customers rewrite the product pages to use modal windows for large images before, yes. It's actually not all that difficult, but does require the source code.

        As for the popup page, we became aware that there might be an issue there a while ago, and we have our devs/PCI folks looking into it.

    I've changed our View Larger Images to use Lytebox instead of popup.aspx; however, I need to figure out a way to do the Topics and such. Let me know if your devs got anywhere with it.

  #4 sduffy77 (Senior Member, Lancaster, PA; joined Feb 2010; 142 posts)

    Ok, I think I have Lytebox working for the topic popups.

    On the driver2.aspx page you need to add a link to the Lytebox js and css pages:
    C#/VB.NET Code:
    <%--#region MODIFICATION -  10/08/2010 - Adding lytebox to popup--%>
    <script type="text/javascript" language="javascript" src="App_Themes/skin_1/lytebox.js"></script>

    <link rel="stylesheet" href="App_Themes/skin_1/lytebox.css" type="text/css" media="screen" />
    <%--#endregion--%> 
    Then in the shoppingcart.aspx page I changed each link like so:
    C#/VB.NET Code:
    <%-- Comment out the old code
    <asp:Image ID="redarrow1" AlternateText="" runat="server" />*<a onclick="popuptopicwh('Shipping+Information','shipping',650,550,'yes')" href="javascript:void(0);"><asp:Literal ID="shoppingcartaspx8" runat="server"></asp:Literal></a><br />
    --%>

    <asp:Image ID="redarrow1" AlternateText="" runat="server" />*<a href="t2-shipping.aspx" rel="lyteframe[shipping]" title="Shipping Information"><asp:Literal ID="shoppingcartaspx8" runat="server"></asp:Literal></a><br />