 Cross-Site Scripting
oboboy
Starting Member

USA
11 Posts

Posted - February 01 2011 :  20:02:38
I am in the process of having my site evaluated by a credit card company for PCI compliance (something we are all going to face soon), and my scan reported a number of vulnerabilities with the VPASP cart. They were mostly Cross-Site Scripting problems. Is there any fix for the Cross-Site Scripting problems with this cart?

support
Administrator

4679 Posts

Posted - February 01 2011 :  20:31:36
Hi there

If you are using the very latest version of VPASP then we have had no reports of any XSS issues.

I would suggest if you have not already that you upgrade to the very latest version of VPASP.

If you are getting reports of XSS in the very latest then please post a ticket in our helpdesk so we can review this for you.

https://helpdesk.vpasp.com

Thank you.

Cam Flanigan
VP-ASP Cart Support

Follow us on Twitter:
http://www.twitter.com/vpasp

oboboy
Starting Member

USA
11 Posts

Posted - February 09 2011 :  17:02:17
That is the only resolution, to buy a new license? I have had this cart for years. It is ver 5.0. It is riddled with XSS.

support
Administrator

4679 Posts

Posted - February 10 2011 :  03:21:20
Well, to be fair you are using a version that was released 8 years ago. We have not supported this version for 3 years now.

You do not have to upgrade but if you want to take advantage of the extra security features now in version 7.0 then it is one option.

Thank you.

Cam Flanigan
VP-ASP Cart Support


hall81191
Starting Member

4 Posts

Posted - April 22 2011 :  14:17:29
I got this type of response on my PCI scan. If you go into shopdisplayproducts.asp and find ProcessFirst(), you will find:

    If not isnumeric(CAT_ID) then CAT_ID="" ' hacker fix
    CATEGORY = Request("cat") ' category name

VPASP already clears out the cat, but you need to clear out the category also:

    if not isnumeric(CAT_ID) then category="" ' hacker fix
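
An added example, not VP-ASP source and not part of the post above: the same check combined with output encoding, since a numeric id alone says nothing about what the category name contains. CAT_ID and CATEGORY are the names from the post; the "id" parameter name, the DigitsOnly helper and the 100-character cap are assumptions made for illustration.

```asp
<%
' Added example, not VP-ASP source. CAT_ID and CATEGORY are the variable
' names from the post; the "id" parameter name and DigitsOnly are hypothetical.

' Return raw unchanged if it is 1-9 decimal digits, otherwise "".
' Stricter than IsNumeric, which also accepts forms such as "1e3" or "&H10".
Function DigitsOnly(raw)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    If re.Test(raw) Then
        DigitsOnly = raw
    Else
        DigitsOnly = ""
    End If
End Function

Dim CAT_ID, CATEGORY
' Appending "" turns a missing parameter into an empty string.
CAT_ID = DigitsOnly(Trim(Request("id") & ""))    ' assumed parameter name
CATEGORY = Left(Trim(Request("cat") & ""), 100)  ' assumed length cap

' The fix from the post: a bad id discards the category name as well.
If CAT_ID = "" Then CATEGORY = ""

' A numeric id does not make the category name safe, so encode it for
' each context it is written into: HTML body text, then a URL parameter.
Response.Write "<h2>" & Server.HTMLEncode(CATEGORY) & "</h2>"
Response.Write "<a href=""shopdisplayproducts.asp?id=" & CAT_ID & _
               "&amp;cat=" & Server.URLEncode(CATEGORY) & """>Refresh</a>"
%>
```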

support
Administrator

4679 Posts

Posted - April 27 2011 :  23:52:32
This has been rectified in the latest release.

Please make sure you download and apply the latest updates to your site.


Thank you.

Cam Flanigan
VP-ASP Cart Support
