19/02/2008, 10:23   #6
MarkB
Re: PCI Security and cross-site scripting issues

On Feb 18, 7:56am, mynameisnobodyodys...@googlemail.com wrote:
> On Feb 18, 11:39 am, MarkB wrote:
>
> > After I complained to the security
> > company (www.securitymetrics.com) twice via email, they finally
> > replied to my complaint and told me that the site was generally cross-
> > site scripting vulnerable. They gave me a couple of links which
> > pointed to directories on my website

>
> Maybe have a look at http://msdn2.microsoft.com/en-us/library/bb355989.aspx
> and at http://msdn2.microsoft.com/en-us/library/ms998274.aspx


Thanks for the article recommendations. I have read the script
injection article in whole and it is very detailed. One of the
problems in dealing with my web host is in achieving the level of
control over the security of the website, as some IIS features are
tweakable in the control panel such as custom errors and the file
permissions. On the other hand I don't have access to other important
ones such as the web.config and the machine.config files which are
necessary in working with request validation on the server side. My
host's (hostmysite.com) official stance (when approached with the
problem) is that the error lies with my code and not their 'setup',
which is vague and not very helpful. What I am doing about it right
now is, specifically, what I can do and that is modifying the online
cart's "RegEx" script to constrain input by users. I am also looking
into other ways to further secure the site. Those articles certainly
help there - thanks for that. We will see...