Reflected Cross-Site Scripting (XSS) Vulnerability 1.6.0.9


hanscl

Hello,

I just got the results of the latest PCI scan of my site and it detected an issue with Reflected Cross-Site Scripting (XSS) Vulnerability.

The last scan with version 1.6.0.8 did not report this issue so it appears to be newly introduced with version 1.6.0.9.

The issue exists for all of the product URLs, which are SEO-friendly URLs. E.g., if my product URL is:

/productcategory/product1

the PCI scan sends:

GET /productcategory/product1?<script>alert('MSG000')</script>

This URL should not be accepted, but it is.

I understand that this would typically be fixed by either blacklisting disallowed characters, or, preferably, whitelisting allowed characters.

Can this be fixed without waiting for a new version? Can I add whitelisted characters somewhere in the configuration or in the code?

Also, I wasn't able to find any indication that this had been logged as an issue with 1.6.0.9, which is a little surprising. The version has been out for a while and I would think others would have had the same issue when running their PCI scans.

Any suggestions would be appreciated.

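One way to apply the allowlist idea from the post, combined with output encoding at the point where the URL is written back into the page. This is an added example, not part of the original post and not the shop software's own code; the allowed character set, the function names and the canonical-link reflection point are assumptions, and the ?page=2 URL is constructed.

```python
import html
import re
from urllib.parse import unquote

# Assumed policy: characters permitted in the percent-decoded path and query.
# "<", ">", quotes, "%" and whitespace are deliberately absent.
PATH_OK = re.compile(r"/[A-Za-z0-9._~/-]*")
QUERY_OK = re.compile(r"[A-Za-z0-9._~=&+-]*")

# The scanner request quoted in the post, and a constructed benign request.
PROBE = "/productcategory/product1?<script>alert('MSG000')</script>"
BENIGN = "/productcategory/product1?page=2"


def is_allowed_target(target: str) -> bool:
    """True if path and query hold only allowlisted characters after decoding.

    Decoding first means a percent-encoded copy of a rejected string is
    rejected too; a double-encoded one still contains "%" and fails as well.
    """
    path, _, query = target.partition("?")
    return (PATH_OK.fullmatch(unquote(path)) is not None
            and QUERY_OK.fullmatch(unquote(query)) is not None)


def canonical_link(target: str) -> str:
    """Write the request URL into an HTML attribute, encoded for that context.

    This is the fix for the reflection itself: it holds even if the
    allowlist above is later widened or skipped.
    """
    return '<link rel="canonical" href="%s">' % html.escape(target, quote=True)


def handle(target: str):
    """Return (status, body) for a request target (hypothetical handler)."""
    if not is_allowed_target(target):
        # Constant body: nothing taken from the request is echoed back.
        return 400, "Bad Request"
    return 200, canonical_link(target)


if __name__ == "__main__":
    for t in (BENIGN, PROBE):
        print(t, "->", handle(t))
    # What the page would contain if the probe reached the template anyway:
    print(canonical_link(PROBE))
```

The allowlist turns the scanner's request into a 400, but the encoding in canonical_link is what removes the reflected XSS, so it should be applied wherever the request URL is emitted into HTML.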
