PCI Security and cross-site scripting issues

Giganews Newsgroups
Subject: PCI Security and cross-site scripting issues
Posted by:  MarkB (reelma…@gmail.com)
Date: Mon, 18 Feb 2008

Hey, I have a question regarding your experiences and expertise with
PCI (Payment Card Industry; Visa, MC) security. I am writing this
because I have been, as of late, struggling to get a web site
certified recently that has become non-compliant after having no
problems at all during the first two years or so since our shopping
cart was set up and a PCI solution (SecurityMetrics.com) was
implemented. Several months ago our site started failing security
scans and the error message was threefold: Citrix, ClearTrust Server,
& ASP Portal are vulnerable to cross-site scripting. However, my web
host (hostmysite.com) said that they run none of those three server
apps on their shared servers and essentially placed blame on the
coding of the website. SecurityMetrics believes that those three server
apps are quite likely representations of the general problem, and that
the web site (on the server side) is vulnerable to cross-site
scripting, and what is needed is to "sanitize" potentially dangerous
characters ("<>&;," etc.) on the server. We use the latest version of
Comersus online shopping cart 7.095 and have modified it accordingly
to filter out the vagabond characters, many of which were filtered out
by default such as "<" and ">". Now, despite filtering out these
characters and following instructions supplied by both the security
compliance rep and the site host, I am still getting the same
cross-site scripting flags, which cause the security test to fail. What
I was wondering was if anyone out there who has toiled with the same
(or similar) issue had any advice on where you thought the problem may
be residing, as well as the way to approach the problem and/or solve
it. The server is Microsoft IIS that has the latest version of
ASP .NET on it. I don't have explicit reason to believe that the host
is dishonest with me about the state of the web server, but I admit I
have wondered whether they have been absolutely straight with me when
I have point blank asked them about the issue. Also, I know that these
security scanners quite often report theoretical or potential problems
on servers rather than actual ones; the scan lists the problems as
"warnings" rather than holes resident on the server. That is
discouraging since these couple of warnings are explicitly the reason
the scan is failing and the site is no longer compliant. So, on that
note, any help and advice is greatly appreciated. I thank you for your
time.
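The characters the post says are filtered out ("<>&;,") form a blacklist, and a scanner that reflects input into an attribute value can still flag the page after those characters are gone. The following is an added example, not Comersus code or anything from the host or SecurityMetrics: it compares that blacklist filter with HTML-encoding the output (the job classic ASP's Server.HTMLEncode does) using a constructed page template and a constructed probe string.

```python
import html
from html.parser import HTMLParser

# Blacklist of the kind the post describes: strip a few characters
# from user input before echoing it back into the page.
BLACKLIST = "<>&;,"

def strip_blacklisted(value: str) -> str:
    """Remove blacklisted characters; everything else passes through."""
    return "".join(ch for ch in value if ch not in BLACKLIST)

def html_encode(value: str) -> str:
    """Escape every character with HTML meaning, quotes included.
    Equivalent in intent to Server.HTMLEncode in classic ASP."""
    return html.escape(value, quote=True)

def render_search_box(term: str, encoder) -> str:
    """Constructed template: the search term is reflected inside an
    attribute value, a context where '<' and '>' are not needed to
    change the page's structure."""
    return '<input type="text" name="q" value="%s">' % encoder(term)

class _InputAttrs(HTMLParser):
    """Collect the attributes of the <input> tag as a browser would see them."""
    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)

def parse_input_attrs(page: str) -> dict:
    parser = _InputAttrs()
    parser.feed(page)
    return parser.attrs

# Constructed probe: no blacklisted character, but it carries a quote.
PROBE = 'shoes" id="probe'

if __name__ == "__main__":
    for name, enc in (("blacklist", strip_blacklisted), ("encode", html_encode)):
        print(name, parse_input_attrs(render_search_box(PROBE, enc)))
```

With encoding, the parsed value attribute round-trips the whole term and no extra attribute appears; with the blacklist, the term is untouched and the parser reports an additional id attribute, which is the kind of reflection a scanner flags.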