1. 01/14/2009 10:39:17, krsullivan Hello, Does anyone have a fix for Scot's mailing list? Both our websites fail a PCI compliance scan. Control Scan is stating the Scot's mail list program (may be the Miva 5 module) has security issues. I looked at the template and it does not look like it provides a template to revise the variable encoding. The token it uses automatically embeds everything for the checkbox. This is one of the emails Control Scan sent to me:
In order to fix your one XSS threat you will need your developer to sanitize the group variable before printing it back to the screen. For exact details on how this is accomplished please take a look at these links. The exact fix can vary a bit depending on the programming language you guys use to create your site.
“In order to fix this issue, the application developers must encode/filter/type data prior to it being used. For example, if you have a value that is supposed to be an integer, typecast it as an integer. If you have a value that is supposed to be a string, encode/filter any SQL command characters.
There are some built in functions for different languages that may handle some of the encoding for you. Please note that filtering will typically not prevent attacks that use poor typecasting as an attack vector (i.e. encoding a value that is not put inside of quotes will potentially still get through unless typecast).
In PHP you can use the mysql_real_escape_string() function. If you are using .Net please visit
http://msdn.microsoft.com/en-us/library/ms998271.aspx for generic code fixes.”
#312
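An added example, written in Python rather than Miva Script, and not code from Scot's module or from Control Scan's report: the flaw the scan describes (the submitted group value echoed straight back into the page) beside the two fixes the email names, output encoding and typecasting, plus a check showing why encoding alone does not help when the echoed value lands in an unquoted attribute. The parameter names group and list_id, the allowlist of group names and the attacker payloads are all assumptions made for the demo.

```python
"""Reflected XSS in an echoed form field: vulnerable rendering beside hardened
variants. Added example; names, payloads and allowlist are assumed, not taken
from Scot's mailing-list module or from the scan report."""
import re
import html
from html.parser import HTMLParser
from typing import Optional

# Constructed attacker inputs (not from the scan report).
PAYLOAD_QUOTED = '"><script>alert(1)</script>'  # breaks out of a quoted attribute
PAYLOAD_NO_QUOTES = 'x onmouseover=alert(1)'    # no <, >, " or & at all

# Assumed allowlist of the group names the subscribe form actually offers.
KNOWN_GROUPS = ("news", "specials", "catalog")


def render_vulnerable(group: str) -> str:
    """Echo the submitted group straight back into the HTML (the reported flaw)."""
    return f'<input type="checkbox" name="group" value="{group}" checked> {group}'


def render_escaped(group: str) -> str:
    """Encode for HTML before printing; quote=True also encodes " and '."""
    safe = html.escape(group, quote=True)
    return f'<input type="checkbox" name="group" value="{safe}" checked> {safe}'


def render_escaped_unquoted(group: str) -> str:
    """Same encoding, but the attribute is unquoted: a value with no special
    characters still adds a new attribute, so encoding alone is not enough here."""
    safe = html.escape(group, quote=True)
    return f'<input type=checkbox name=group value={safe} checked> {safe}'


def is_allowed_group(group: str) -> bool:
    """Type the value: only a known group name is ever accepted."""
    return group in KNOWN_GROUPS


def render_allowlisted(group: str) -> Optional[str]:
    """Reject unknown groups entirely, and still encode what is printed."""
    return render_escaped(group) if is_allowed_group(group) else None


def parse_list_id(raw: str) -> Optional[int]:
    """Integer typecast for a numeric parameter; '1 OR 1=1' style input is rejected."""
    return int(raw) if re.fullmatch(r"[0-9]+", raw.strip()) else None


class _Audit(HTMLParser):
    """Parse the rendered fragment and record script tags and on* handlers."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0
        self.event_handlers: list = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        self.event_handlers += [name for name, _ in attrs if name.startswith("on")]


def has_injected_markup(rendered: str) -> bool:
    """True if the payload survived as live markup (a script tag or event handler)."""
    audit = _Audit()
    audit.feed(rendered)
    audit.close()
    return audit.script_tags > 0 or bool(audit.event_handlers)


if __name__ == "__main__":
    for label, fn, payload in [
        ("vulnerable, quoted attr", render_vulnerable, PAYLOAD_QUOTED),
        ("escaped, quoted attr", render_escaped, PAYLOAD_QUOTED),
        ("escaped, UNQUOTED attr", render_escaped_unquoted, PAYLOAD_NO_QUOTES),
        ("escaped, quoted attr", render_escaped, PAYLOAD_NO_QUOTES),
    ]:
        out = fn(payload)
        print(f"{label:24} injected={has_injected_markup(out)}  {out}")
    print("allowlisted payload ->", render_allowlisted(PAYLOAD_QUOTED))
    print("list_id '1 OR 1=1'  ->", parse_list_id("1 OR 1=1"))
```

The parser-based check is what you want a regression test to do: it asks whether the browser-side structure changed, not whether a string happens to contain `<script>`. The unquoted-attribute case is the one the scanner email warns about with "encoding a value that is not put inside of quotes will potentially still get through"; the allowlist (typecasting the value to one of a known set) is the fix that closes it.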
2. 01/14/2009 10:51:06, Scot This is fixed in the upcoming release.
#313
3. 01/14/2009 17:25:02, Scot I should mention that if you need compliance right now, I can give you the beta version of 3.33, however it's not guaranteed to be stable.
#314
4. 01/14/2009 19:40:08, krsullivan Hello, Thanks for the fast response. Any idea as to when it will be available? Yes, PCI compliance is important to us. Define "stable". How unstable?
I also sent this message to you via several contact points you have, so sorry for the repeated inquiries.
thanks, Kevin
#315
5. 01/14/2009 19:43:43, Scot Hi,
Unstable means I'm not sure if it's stable, that is, I haven't necessarily tied up all the loose ends. It's a beta version and not ready for release, but I'm using it on my site and there doesn't seem to be any problems. No guarantees, though.
#316
6. 01/15/2009 22:06:54, krsullivan Hello,
One final question: do you have any idea as to when the final PCI compliant version will be released?
Also, if you need a beta tester for it, we would be willing to try it on our smaller site www.sullivanuniforms.com
Thanks,
Kevin
#317
Scot's Simple Forum, v 1.02 • copyright © by Scot Ranney • visit ScotsScripts.com for support