VP-ASP Shopping Cart Customer Forum

 Hackers adding Google Adsense script via

niallpm
Starting Member

Ireland
8 Posts

Posted - September 02 2010 : 10:28:18
Two of my clients' sites are being hacked by having JavaScript code inserted to display Google Adsense adverts. One site is using VPASP 6.5 on MSSQL and the other is using V7 on MySQL.

I've checked with my hosting company and they say this is caused by an "application exploit" or an XSS - in other words, putting the blame on the ASP scripts. Personally I don't believe them and I think the problem is on their server. I've been using VPASP for years and never experienced this before.

However, I have to say to my client that I asked VPASP about any possible vulnerabilities in the code that would allow XSS attacks.

I've taken all the documented security precautions set out in the VPASP manuals and as far as I can see, all possible user input is properly sanitized before being sent to the server.

Does anyone have any thoughts or comments about all this?

support
Administrator

4266 Posts

Posted - September 02 2010 : 13:11:16
Hi Nial,

Update to this one. Thanks for the heads up.

You can find the fixes at:

http://helpnotes.vpasp.com/kb/46-Security-%26-Patches/983-Security-fix--XSS-at-while-register-an-affiliate/

http://helpnotes.vpasp.com/kb/46-Security-%26-Patches/982-Security-fix--XSS-at-product-listings-page/

Thank you
Cam Flanigan

VPASP Support

Follow us on Twitter
http://twitter.com/vpasp

Mark Priest
VP-ASP Expert

United Kingdom
570 Posts

Posted - September 07 2010 : 11:56:05
I see there is an update for this, but it creates errors.

Microsoft VBScript compilation error '800a0400'

Expected statement

/store/shop$db.asp, line 2810

end function
^


Regards,

Mark
Fireworks

support
Administrator

4266 Posts

Posted - September 07 2010 : 17:15:12
Hi Mark,

Is your issue resolved now?

Thank you

Cam Flanigan
VPASP Support


Mark Priest
VP-ASP Expert

United Kingdom
570 Posts

Posted - September 07 2010 : 18:26:59
The initial one is, but I still can't check out.

Regards,

Mark
Fireworks

support
Administrator

4266 Posts

Posted - September 07 2010 : 18:29:05
Hi Mark,

Just saw the support guys reply to you regarding updating the config to insert your correct url.

Hopefully this resolves the issue for you.

Thank you

Cam Flanigan
VPASP Support
