#1
Hey, I have a question regarding your experiences and expertise with PCI (Payment Card Industry; Visa, MC) security. I am writing this because I have been, as of late, struggling to get a web site certified recently that has become non-compliant after having no problems at all during the first two years or so since our shopping cart was set up and a PCI solution (SecurityMetrics.com) was implemented. Several months ago our site started failing security scans and the error message was threefold: Citrix, ClearTrust Server, & ASP Portal are vulnerable to cross-site scripting. However my web host (hostmysite.com) said that they run none of those three server apps on their shared servers and essentially placed blame on the coding of the website. SecurityMetrics believes that those three server apps are quite likely representations of the general problem, and that the web site (on the server-side) is vulnerable to cross-site scripting, and what is needed to do is "sanitize" potentially dangerous characters "<>&;,etc." on the server. We use the latest version of Comersus online shopping cart 7.095 and have modified it accordingly to filter out the vagabond characters, many of which were filtered out by default such as "<" and ">". Now, despite filtering out these characters and following instructions supplied by both the security compliance rep and the site host, I am still getting the same cross-site scripting flags, which cause the security test to fail. What I was wondering was if anyone had any advice out there who has toiled with the same (or similar) issue and where you thought the problem may be residing, as well as the way to approach the problem and/or solve it. The server is Microsoft IIS that has the latest version of ASP .NET on it. I don't have explicit reason to believe that the host is dishonest with me about the state of the web server, but I admit I have wondered whether they have been absolutely straight with me when I have point blank asked them about the issue.

Also, I know that these security scanners quite often report theoretical or potential problems on servers rather than actual ones: the scan lists the problems as "warnings" rather than holes resident on the server. That is discouraging since these couple of warnings are explicitly the reason the scan is failing and the site is no longer compliant. So, on that note, any and all advice is greatly appreciated. I thank you for your time.

-Mark

#2

MarkB <reelmark@gmail.com> wrote:

> Hey, I have a question regarding your experiences and expertise with
> PCI (Payment Card Industry; Visa, MC) security. I am writing this
> because I have been, as of late, struggling to get a web site
> certified recently that has become non-compliant after having no
> problems at all during the first two years or so since our shopping
> cart was set up and a PCI solution (SecurityMetrics.com) was
> implemented. Several months ago our site started failing security
> scans and the error message was threefold: Citrix, ClearTrust Server,
> & ASP Portal are vulnerable to cross-site scripting. However my web
> host (hostmysite.com) said that they run none of those three server
> apps on their shared servers and essentially placed blame on the
> coding of the website. SecurityMetrics believes that those three server
> apps are quite likely representations of the general problem, and that
> the web site (on the server-side) is vulnerable to cross-site
> scripting, and what is needed to do is "sanitize" potentially dangerous
> characters "<>&;,etc." on the server. We use the latest version of
> Comersus online shopping cart 7.095 and have modified it accordingly
> to filter out the vagabond characters, many of which were filtered out
> by default such as "<" and ">". Now, despite filtering out these
> characters and following instructions supplied by both the security
> compliance rep and the site host, I am still getting the same cross-site
> scripting flags, which cause the security test to fail. What I
> was wondering was if anyone had any advice out there who has toiled
> with the same (or similar) issue and where you thought the problem may
> be residing, as well as the way to approach the problem and/or solve
> it. The server is Microsoft IIS that has the latest version of
> ASP .NET on it.
>
> I don't have explicit reason to believe that the host
> is dishonest with me about the state of the web server, but I admit I
> have wondered whether they have been absolutely straight with me when
> I have point blank asked them about the issue. Also, I know that these
> security scanners quite often report theoretical or potential problems
> on servers rather than actual ones: the scan lists the problems as
> "warnings" rather than holes resident on the server. That is
> discouraging since these couple of warnings are explicitly the reason
> the scan is failing and the site is no longer compliant. So, on that
> note, any and all advice is greatly appreciated. I thank you for your
> time.
>
> -Mark

Tell the security company running the scanners to provide real proof, like which page has the security hole, and to provide an example. Just telling you your site suffers from cross-site scripting issues with no proof is weak. You can also go back to Comersus and relay to them what you heard and see what they say. Maybe you're running an old version. I know Comersus has been doing carts for many years so I am sure they have received security reports which they should have addressed.

Also, getting reports about apps which you do not use or run makes me wonder about the security company's competency. Can you use another company?

John Dalberg

#3

On Feb 18, 3:00am, nos...@nospam.sss (John Dalberg) wrote:

> MarkB <reelm...@gmail.com> wrote:
>
> > Hey, I have a question regarding your experiences and expertise with
> > PCI (Payment Card Industry; Visa, MC) security. I am writing this
> > because I have been, as of late, struggling to get a web site
> > certified recently that has become non-compliant after having no
> > problems at all during the first two years or so since our shopping
> > cart was set up and a PCI solution (SecurityMetrics.com) was
> > implemented. Several months ago our site started failing security
> > scans and the error message was threefold: Citrix, ClearTrust Server,
> > & ASP Portal are vulnerable to cross-site scripting. However my web
> > host (hostmysite.com) said that they run none of those three server
> > apps on their shared servers and essentially placed blame on the
> > coding of the website. SecurityMetrics believes that those three server
> > apps are quite likely representations of the general problem, and that
> > the web site (on the server-side) is vulnerable to cross-site
> > scripting, and what is needed to do is "sanitize" potentially dangerous
> > characters "<>&;,etc." on the server. We use the latest version of
> > Comersus online shopping cart 7.095 and have modified it accordingly
> > to filter out the vagabond characters, many of which were filtered out
> > by default such as "<" and ">". Now, despite filtering out these
> > characters and following instructions supplied by both the security
> > compliance rep and the site host, I am still getting the same cross-site
> > scripting flags, which cause the security test to fail. What I
> > was wondering was if anyone had any advice out there who has toiled
> > with the same (or similar) issue and where you thought the problem may
> > be residing, as well as the way to approach the problem and/or solve
> > it. The server is Microsoft IIS that has the latest version of
> > ASP .NET on it.
> >
> > I don't have explicit reason to believe that the host
> > is dishonest with me about the state of the web server, but I admit I
> > have wondered whether they have been absolutely straight with me when
> > I have point blank asked them about the issue. Also, I know that these
> > security scanners quite often report theoretical or potential problems
> > on servers rather than actual ones: the scan lists the problems as
> > "warnings" rather than holes resident on the server. That is
> > discouraging since these couple of warnings are explicitly the reason
> > the scan is failing and the site is no longer compliant. So, on that
> > note, any and all advice is greatly appreciated. I thank you for your
> > time.
> >
> > -Mark
>
> Tell the security company running the scanners to provide real proof, like
> which page has the security hole, and to provide an example. Just telling
> you your site suffers from cross-site scripting issues with no proof is
> weak. You can also go back to Comersus and relay to them what you heard and
> see what they say. Maybe you're running an old version. I know Comersus has
> been doing carts for many years so I am sure they have received security
> reports which they should have addressed.
>
> Also, getting reports about apps which you do not use or run makes me wonder
> about the security company's competency. Can you use another company?
>
> John Dalberg

Hi John, thanks for getting back with me. I appreciate it. The real quandary is knowing who between the security company or my web host isn't being totally honest with me. After I complained to the security company (www.securitymetrics.com) twice via email, they finally replied to my complaint and told me that the site was generally cross-site scripting vulnerable.

They gave me a couple of links which pointed to directories on my website as follows:

http://www.<mydomain>.com/citrix/nfuse/default/login.asp?NFuse_LogoutId=&NFuse_MessageType=Error&NFuse_Message=<SCRIPT>alert('Ritchie')</SCRIPT>&ClientDetection=ON

<http://www.<mydomain>.com/citrix/nfuse/default/login.asp?NFuse_LogoutId=&NFuse_MessageType=Error&NFuse_Message=%3CSCRIPT%3Ealert%28%27Ritchie%27%29%3C/SCRIPT%3E&ClientDetection=ON>

and they also say: "the script that is entered is returned back in the headers of the page, specifically the Content-Location field; to correct the issue you would need to sanitize the Content-Location so that information is not returned in clear text as it is entered." (What they say is Greek to me.) They also say that those two links 'appear' to be causing the vulnerability flags. When I go to the links above, my site shows up without any images, and that doesn't really tell me or help me much. As you will notice in the links, there is apparently a citrix folder on the server, apparently apart from my comersus shopping cart folder. So, that makes me wonder, is my host not being straight up with me or is the error caused by some flaw in securitymetrics' scan engine? I don't know. I would change security services, if that is the problem. The question I run into is, is hostmysite to blame or securitymetrics, because the shopping cart is successful and we certainly want to keep it. We will change what is necessary to become security compliant. I run Comersus v. 7.095, which is just a hair off from being their latest version (7.097), which was released at the end of January. Both versions filter characters such as "<>". I have tested that out. The Comersus people are helping me with modifying the script further to filter out additional wildcard characters such as the comma, semicolon, etc., and I will be able to do that when they get back with me today, and then I will do yet another security scan and see what happens.

Funny, but I still have the impression that the test will fail again. If you can think of anything additional that would help out, thanks in advance.

-Mark

PS. I will be away from my computer until this evening and I will check and respond to any and all feedback. Thanks!

#4

On 18 Feb, 08:31, MarkB <reelm...@gmail.com> wrote:

> Hey, I have a question regarding your experiences and expertise with
> PCI (Payment Card Industry; Visa, MC) security. I am writing this
> because I have been, as of late, struggling to get a web site
> certified recently

There is no real "PCI certification" or official compliance checking. If only there was! We'd have a few less problems from some of the gross errors that are indeed out there.

Also the CISP standards talk very little about "web apps" as such and are focussed far more on back-end DB issues. This is understandable given their legacy and their core competencies, but it doesn't mean the web server aspect can be ignored. Where they do state requirements, it's in broad terms such as "Card numbers must be encrypted", "Card numbers shouldn't be stored at all, unless needed for repeat billing", "Repeat billing setup should be clearly flagged to the customer" and "Don't even think about storing the CVV2". They don't even specify algorithms or standards for encryption, or indicate the benefits of PK for this rather than a symmetric key algorithm.

> our site started failing security
> scans and the error message was threefold: Citrix, ClearTrust Server,
> & ASP Portal are vulnerable to cross-site scripting.

You're going to have to ask the scanner what they're looking for and what they've found. The implementation details of a scan just aren't specified in this level of detail by the PCI people.

You may actually have a problem. You might even be in a state where you really ought to be working rapidly to fix it and downing the site in the meantime - that bad! I rather doubt though if you have a problem that even flickers onto PCI's radar - just very few of them do.

> many of which were filtered out by default such as "<" and ">".

I've never seen a site that filtered these characters _out_ and yet _wasn't_ open to injection attacks. Don't filter the bad stuff out, filter the good stuff in! Otherwise you're just forever playing catch-up character by character through the Unicode set.

Without knowing just what is running on there, I couldn't comment in any detail. However if you even have a Citrix directory accessible to a web server, I'd be worried. If you have one that you didn't know about, I'd regard the site as insecure simply because you no longer know just what is running on your site.
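An added illustration (not written by any poster in this thread) of the distinction Andy draws: a deny-list filter that strips "<" and ">" beside an allow-list validator that accepts only the expected shape of each parameter, applied to the four parameter names from the scanner's login.asp link. The accepted value sets, alphabets and lengths are assumptions for the illustration, not the cart's or the login page's real rules.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Allow-list rules for the four parameters in the scanner's login.asp link.
# The accepted value sets, alphabets and lengths are assumptions made for this
# illustration; a real rule set comes from the application's own specification.
RULES = {
    "NFuse_LogoutId": re.compile(r"[0-9]{0,12}"),
    "NFuse_MessageType": re.compile(r"(Error|Info|Warning)?"),
    "NFuse_Message": re.compile(r"[A-Za-z0-9 .,'!?-]{0,200}"),
    "ClientDetection": re.compile(r"(ON|OFF)?"),
}


def denylist_filter(value):
    """'Filter the bad stuff out': strip the two characters the cart removes by
    default. Everything else (quotes, CR/LF, anything not yet listed) passes."""
    return value.replace("<", "").replace(">", "")


def allowlist_validate(name, value):
    """'Filter the good stuff in': accept a value only if the whole of it matches
    the expected shape for that parameter; unknown parameters are rejected.
    Returns (accepted, reason)."""
    rule = RULES.get(name)
    if rule is None:
        return False, "unexpected parameter"
    if rule.fullmatch(value) is None:
        return False, "value outside allowed alphabet or length"
    return True, "ok"


def validate_url(url):
    """Decode the query string the way the server does before the page sees it
    (so %3C and a literal < arrive identically) and validate every parameter.
    Returns {name: (accepted, reason)}."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: allowlist_validate(name, values[0]) for name, values in query.items()}


if __name__ == "__main__":
    # Constructed inputs: the scanner's probe value quoted in the thread and a benign message.
    probe = "<SCRIPT>alert('Ritchie')</SCRIPT>"
    print("deny-list leaves:", denylist_filter(probe))
    print("allow-list says:", allowlist_validate("NFuse_Message", probe))
    print("allow-list says:", allowlist_validate("NFuse_Message", "Your session has expired."))
```

The deny-list still echoes most of the probe and lets CR/LF through untouched (which matters when the value lands in a response header such as Content-Location); the allow-list rejects both, and because validation runs on the decoded value, the percent-encoded and literal forms of the scanner's link are judged the same way.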

#5

On Feb 18, 11:39 am, MarkB wrote:

> After I complained to the security
> company (www.securitymetrics.com) twice via email, they finally
> replied to my complaint and told me that the site was generally cross-site
> scripting vulnerable. They gave me a couple of links which
> pointed to directories on my website

Maybe have a look at http://msdn2.microsoft.com/en-us/library/bb355989.aspx and at http://msdn2.microsoft.com/en-us/library/ms998274.aspx

#6

On Feb 18, 7:56am, mynameisnobodyodys...@googlemail.com wrote:

> On Feb 18, 11:39 am, MarkB wrote:
>
> > After I complained to the security
> > company (www.securitymetrics.com) twice via email, they finally
> > replied to my complaint and told me that the site was generally cross-site
> > scripting vulnerable. They gave me a couple of links which
> > pointed to directories on my website
>
> Maybe have a look at http://msdn2.microsoft.com/en-us/library/bb355989.aspx
> and at http://msdn2.microsoft.com/en-us/library/ms998274.aspx

Thanks for the article recommendations. I have read the script injection article in whole and it is very detailed. One of the problems in dealing with my web host is in achieving the level of control over the security of the website, as some IIS features are tweakable in the control panel, such as custom errors and the file permissions. On the other hand, I don't have access to other important ones such as the web.config and the machine.config files, which are necessary in working with request validation on the server side. My host's (hostmysite.com) official stance (when approached with the problem) is that the error lies with my code and not their 'setup', which is vague and not very helpful. What I am doing about it right now is, specifically, what I can do, and that is modifying the online cart's "RegEx" script to constrain input by users. I am also looking into other ways to further secure the site. Those articles certainly help there; thanks for that. We will see...

#7

On Feb 18, 6:42am, Andy Dingley <ding...@codesmiths.com> wrote:

> On 18 Feb, 08:31, MarkB <reelm...@gmail.com> wrote:
>
> > Hey, I have a question regarding your experiences and expertise with
> > PCI (Payment Card Industry; Visa, MC) security. I am writing this
> > because I have been, as of late, struggling to get a web site
> > certified recently
>
> There is no real "PCI certification" or official compliance checking.
> If only there was! We'd have a few less problems from some of the
> gross errors that are indeed out there.

Very good point, Andy. There seem to be a lot of companies that provide 'PCI' compliance, but there doesn't seem to be any centralized authority or standard for what comprises PCI compliance when compared to the ISO and computer hardware such as CD-ROM and DVD-ROM devices, and even that was in debate for many years.

> Also the CISP standards talk very little about "web apps" as such and
> are focussed far more on back-end DB issues. This is understandable
> given their legacy and their core competencies, but it doesn't mean
> the web server aspect can be ignored. Where they do state
> requirements, it's in broad terms such as "Card numbers must be
> encrypted", "Card numbers shouldn't be stored at all, unless needed
> for repeat billing", "Repeat billing setup should be clearly flagged
> to the customer" and "Don't even think about storing the CVV2". They
> don't even specify algorithms or standards for encryption, or indicate
> the benefits of PK for this rather than a symmetric key algorithm.

I could certainly live with this as we do not store CC#'s or CVV2's; everything is encrypted in the back end of the cart. We don't even process credit cards online.

> > our site started failing security
> > scans and the error message was threefold: Citrix, ClearTrust Server,
> > & ASP Portal are vulnerable to cross-site scripting.
>
> You're going to have to ask the scanner what they're looking for and
> what they've found. The implementation details of a scan just aren't
> specified in this level of detail by the PCI people.
>
> You may actually have a problem. You might even be in a state where
> you really ought to be working rapidly to fix it and downing the site
> in the meantime - that bad! I rather doubt though if you have a
> problem that even flickers onto PCI's radar - just very few of them
> do.
>
> > many of which were filtered out by default such as "<" and ">".
>
> I've never seen a site that filtered these characters _out_ and yet
> _wasn't_ open to injection attacks. Don't filter the bad stuff out,
> filter the good stuff in! Otherwise you're just forever playing catch-up
> character by character through the Unicode set.
>
> Without knowing just what is running on there, I couldn't comment in
> any detail. However if you even have a Citrix directory accessible to
> a web server, I'd be worried. If you have one that you didn't know
> about, I'd regard the site as insecure simply because you no longer
> know just what is running on your site.

My web host ensures that I don't have Citrix on my server although the link that the security company provided showed one; however, they admitted that this may be a representation rather than a reality. So, who to believe, and what to do next (outside of sanitizing and filtering in of the cart script that I do have access to, and not the web.config & machine.config that I don't have access to), I am not sure at this moment. We will see... Thanks for your help, though. I do appreciate it.

-Mark

#8

On Feb 19, 9:42 am, MarkB wrote:

> My web host ensures that I don't have Citrix on my server although the
> link that the security company provided showed one; however, they
> admitted that this may be a representation rather than a reality.
> -Mark

Did you look at the header of the HTTP response for those links? What is the HTTP response status?
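An added example (not from any poster in this thread) of the check asked about above: parse a raw HTTP response and report its status code together with every header and the body in which a request-supplied marker value is echoed back. Both responses are constructed to mirror the scanner's description (the NFuse_Message value returned verbatim in Content-Location), example.com stands in for the real domain, and the marker is a plain alphanumeric string rather than a script.

```python
def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_code = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_code, headers, body


def find_reflection(raw, marker):
    """Report the status code and every place a request-supplied marker value is
    echoed back: 'header:<name>' for each header containing it, 'body' for the
    entity body. A 200 with the marker in Content-Location matches what the
    scanner described; a 404 means the path is not served by the host at all."""
    status_code, headers, body = parse_response(raw)
    hits = [f"header:{name}" for name, value in headers.items() if marker in value]
    if marker in body:
        hits.append("body")
    return status_code, hits


# Constructed benign marker: letters and digits only, so the check itself
# never sends script characters at the site.
MARKER = "PCICHECK7731"

# Constructed response modelled on the scanner's description in the thread:
# the NFuse_Message value comes back verbatim in the Content-Location header.
REFLECTED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS\r\n"
    "Content-Location: http://www.example.com/citrix/nfuse/default/login.asp"
    "?NFuse_LogoutId=&NFuse_MessageType=Error&NFuse_Message=" + MARKER +
    "&ClientDetection=ON\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Login page</body></html>"
)

# Constructed response for a path the host does not serve.
NOT_FOUND = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Microsoft-IIS\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>The page cannot be found</body></html>"
)

if __name__ == "__main__":
    print(find_reflection(REFLECTED, MARKER))
    print(find_reflection(NOT_FOUND, MARKER))
```

Run against the real responses, a 200 that echoes the marker in a header confirms the scanner's finding is live on the host regardless of what the host says is installed, while a 404 shows the flagged path is not served there.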