Re: PCI Security and cross-site scripting issues

Giganews Newsgroups
Subject: Re: PCI Security and cross-site scripting issues
Posted by:  John Dalberg (nospam@nospam.sss)
Date: 18 Feb 2008

MarkB <reelma…> wrote:
> Hey, I have a question regarding your experiences and expertise with
> PCI(Payment Card Industry; Visa,MC) security. I am writing this
> because I have been, as of late, struggling to get a web site
> certified recently that has become non-compliant after having no
> problems at all during the first two years or so since our shopping
> cart was set up and a PCI solution ( was
> implemented. several months ago our site started failing security
> scans and the error message was threefold: Citrix, ClearTrust Server,
> & ASP Portal are vulnerable to cross-site scripting. However my web
> host ( said that they run none of those three server
> apps on their shared servers and essentially placed blame on the
> coding of the website. SecurityMetrics believes that those three sever
> apps are quite likely representations of the general problem, and that
> the web site (on the server-side) is vulnerable to cross-site
> scripting-and what is needed to do is "sanitize" potentially dangerous
> characters "<>&;,etc." on the server. We use the latest version of
> Comersus online shopping cart 7.095 and have modified it accordingly
> to filter out the vagabond characters, many of which were filtered out
> by default such as "<" and ">". Now, despite filtering out these
> characters and following instructions supplied by both the security
> compliance rep and the site host, I am still getting the same cross-
> site scripting flags, which cause the security test to fail. What I
> was wondering was if anyone had any advice out there who has toiled
> with the same (or similar)issue and where you thought the problem may
> be residing as well as the way to approach the problem and/or solve
> it. The server is Microsoft IIS that has the latest version of of
> ASP .NET on it. I don't have explicit reason to believe that the host
> is dishonest with me about the state of the web server, but I admit I
> have wondered whether they have been absolutely straight with me when
> I have point blank asked them about the issue. Also, I know that these
> security scanners quite often report theoretical or potential problems
> on servers rather than actual ones-the scan lists the problems as
> "warnings" rather than holes resident on the server. That is
> discouraging since these couple of warnings are explicitly the reason
> the scan is failing
> and the site is no longer compliant. So, on that note, any help and
> advice is greatly
> appreciated. I thank you for your time.
> -Mark

Tell the security company running the scanners to provide real proof like
which page has the security hole and to provide an example. Just telling
you your site  suffers from cross site scripting  issues with no proof is
weak. You can also go back to Comersus and relay to them what you heard and
see what they say. Maybe you're running an old version. I know Comersus has
been doing carts for many years so I am sure they have received security
reports which they should have addresses.

Also getting reports about apps which you do not use or run makes me wonder
about the security company's competency. Can you use another company?

John Dalberg


In response to

PCI Security and cross-site scripting issues posted by MarkB on Mon, 18 Feb 2008